FORMBOOK Malware Delivered via Weaponized RTF Word Docs – Using CVE-2017-11882

Formbook campaign with what looks like a few changes. Recently the criminals distributing this malware have been using .exe files inside various forms of an archive, including .iso, .ace, .rar. , zip.

Frequently they use various Microsoft Office Equation Editor exploits to contact a remote site & download the payload. Very occasionally I have seen Macros used.

Today, they are still using CVE-2017-11882  Equation Editor Exploit in malformed RTF word docs to deliver the malware. But the method has slightly changed with a massive 2mb word doc that when opened only displays a couple of words and a small empty box. 

Capabilities – Formbook

FormBook is a data stealer, but not a full-fledged banker (banking malware). It does not currently have any extensions or plug-ins. Its capabilities include: 

• Key logging
• Clipboard monitoring
• Grabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests
• Grabbing passwords from browsers and email clients
• Screenshots

FormBook can receive the following remote commands from the CnC server 

• Update bot on host system
• Download and execute file
• Remove bot from host system
• Launch a command via ShellExecute
• Clear browser cookies
• Reboot system
• Shutdown system
• Collect passwords and create a screenshot
• Download and unpack ZIP archive

Behavior of this Campaign

It has various behaviors like, persistence, Process Injection, Packer, Function Hooks, Startup, Beaconing. If you see JS or .EXE or .COM or .PIF or .SCR or .HTA .vbs, .wsf , .jse  .jar at the end of the file name DO NOT click on it or try to open it, it will infect you.

1.) Formbook was detected
2.) Loads dropped or rewritten executable
3.) Stealing of credential data
4.) Changes the autorun value in the registry
5.) Actions looks like stealing of personal data
6.) Application was dropped or rewritten from another process
7.) Connects to CnC server
8.) Equation Editor starts application (CVE-2017-11882)
9.) Executable content was dropped or overwritten
10.) Starts application with an unusual extension
11.) Application launched itself
12.) Reads the machine GUID from the registry

Indicators of Compromise

Main object- "Payment.doc"
     0d62d21657b4b9457ea2a8fe53eba2e443eeda014f012dd555971d0128f48c73    
     7b19505810e5f4091492718313fa0a434338601f    
     dd6ce4eba8b91a31ac0f2ef7ad5d0c1b   

 
 Dropped executable file
     sha256  C:\Users\admin\AppData\Local\Temp\A.R   
      Hash    7ee6e33e212e08a910b92140ec61a4a746f9ca37d9aaa66f54f485c5cd52653c   
     sha256  C:\Users\admin\AppData\Local\Temp\sqlite3.dll            Hash    16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660   

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Related Read

Targetted Malware Campaigns to Steal Cookies and Passwords – FormBook

Hackers Distributing Variety of New Exploits and Malware via Microsoft Office Document Exploit Kit