Formbook campaign with what looks like a few changes. Recently the criminals distributing this malware have been using .exe files inside various forms of an archive, including .iso, .ace, .rar. , zip.

Frequently they use various Microsoft Office Equation Editor exploits to contact a remote site & download the payload. Very occasionally I have seen Macros used.

Today, they are still using CVE-2017-11882  Equation Editor Exploit in malformed RTF word docs to deliver the malware. But the method has slightly changed with a massive 2mb word doc that when opened only displays a couple of words and a small empty box. 


Capabilities – Formbook

FormBook is a data stealer, but not a full-fledged banker (banking malware). It does not currently have any extensions or plug-ins. Its capabilities include: 

  • Key logging
  • Clipboard monitoring
  • Grabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests 
  • Grabbing passwords from browsers and email clients 
  • Screenshots 

FormBook can receive the following remote commands from the CnC server 

  • Update bot on host system
  • Download and execute file
  • Remove bot from host system
  • Launch a command via ShellExecute
  • Clear browser cookies
  • Reboot system
  • Shutdown system
  • Collect passwords and create a screenshot
  • Download and unpack ZIP archive

Behavior of this Campaign

It has various behaviors like, persistence, Process Injection, Packer, Function Hooks, Startup, Beaconing. If you see JS or .EXE or .COM or .PIF or .SCR or .HTA .vbs, .wsf , .jse  .jar at the end of the file name DO NOT click on it or try to open it, it will infect you.

1.) Formbook was detected
2.) Loads dropped or rewritten executable
3.) Stealing of credential data
4.) Changes the autorun value in the registry
5.) Actions looks like stealing of personal data
6.) Application was dropped or rewritten from another process
7.) Connects to CnC server
8.) Equation Editor starts application (CVE-2017-11882)
9.) Executable content was dropped or overwritten
10.) Starts application with an unusual extension
11.) Application launched itself
12.) Reads the machine GUID from the registry

FIG: Infection Process

Indicators of Compromise

Main object- "Payment.doc"
Dropped executable file
sha256 C:\Users\admin\AppData\Local\Temp\A.R
Hash 7ee6e33e212e08a910b92140ec61a4a746f9ca37d9aaa66f54f485c5cd52653c
sha256 C:\Users\admin\AppData\Local\Temp\sqlite3.dll Hash 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Related Read

Targetted Malware Campaigns to Steal Cookies and Passwords – FormBook

Hackers Distributing Variety of New Exploits and Malware via Microsoft Office Document Exploit Kit


Please enter your comment!
Please enter your name here