A sophisticated phishing campaign has been uncovered by Fortinet’s FortiGuard Labs, targeting Windows users with malicious Word documents designed to steal sensitive data.
Disguised as legitimate sales orders, these emails trick recipients into opening attachments that exploit a known vulnerability, CVE-2017-11882, in Microsoft Equation Editor 3.0.
This remote code execution flaw allows attackers to execute harmful code on the victim’s system, ultimately deploying a new variant of the FormBook information-stealing malware.
.png
)
FormBook is notorious for harvesting credentials, keystrokes, screenshots, and clipboard data, posing a severe threat to personal and organizational security.
Technical Breakdown of the Attack Chain and FormBook Deployment
The attack begins with a phishing email flagged by FortiMail as containing a virus, yet crafted to appear urgent and legitimate, prompting users to open the attached Word document, often named something innocuous like “order0087.docx.”
Saved in OOXML format, the document embeds an obfuscated RTF file, “Algeria.rtf,” which contains malicious binary objects.
One object is a 64-bit DLL file, “AdobeID.pdf,” extracted to the %temp% folder, while another exploits CVE-2017-11882 via crafted equation data, triggering a buffer overflow in EQNEDT32.EXE.
According to the Report, this leads to the execution of the DLL via rundll32.exe, with a crafted WinExec() API call facilitating the process.
The DLL establishes persistence by adding a registry key under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ensuring it runs on system startup.
It then downloads an encrypted payload disguised as a PNG file from a malicious URL, decrypts it using a hardcoded key (“H1OX2WsqMLPKvGkQ”), and reveals the fileless FormBook executable.
To evade detection, the malware uses process hollowing, injecting itself into a legitimate process like “ImagingDevices.exe” under Windows Photo Viewer.
By creating a suspended process with specific CreationFlags (e.g., CREATE_SUSPENDED), mapping the decrypted FormBook into its memory via NtMapViewOfSection(), and adjusting thread context with Wow64SetThreadContext(), the malware runs stealthily, avoiding traditional file-based detection.
This intricate chain from phishing to payload deployment highlights the attackers’ focus on evasion and persistence, making this variant particularly dangerous.
Fortinet’s protections, including AntiSPAM, Web Filtering, IPS, and AntiVirus services, have already flagged and mitigated this threat through signatures like “MSWord/Formbook.9184!tr” and by blocking associated malicious URLs and DNS requests.
Users are urged to remain vigilant and update their systems to defend against such advanced threats.
Indicators of Compromise (IOCs)
| Type | Value |
|---|---|
| URL | hxxps://www2[.]0zz0[.]com/2025/02/02/10/709869215.png |
| order0087.docx SHA-256 | 93CF566C0997D5DCD1129384420E4CE59764BD86FDABAAA8B74CAF5318BA9184 |
| Algeria.rtf SHA-256 | 7C66E3156BBE88EC56294CD2CA15416DD2B18432DEEDC024116EA8FBB226D23B |
| AdobeID.pdf SHA-256 | 2E73B32D2180FD06F5142F68E741DA1CFF1C5E96387CEBD489AD78DE18840A56 |
| Decrypted FormBook SHA-256 | 6AC778712DFFCE48B51850AC34A846DA357BE07328B00D0B629EC9B2F1C37ECE |
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
