Cyber Security News

Hackers Exploit Weaponized Word Docs to Steal Windows Login Credentials

A sophisticated phishing campaign has been uncovered by Fortinet’s FortiGuard Labs, targeting Windows users with malicious Word documents designed to steal sensitive data.

Disguised as legitimate sales orders, these emails trick recipients into opening attachments that exploit a known vulnerability, CVE-2017-11882, in Microsoft Equation Editor 3.0.

This remote code execution flaw allows attackers to execute harmful code on the victim’s system, ultimately deploying a new variant of the FormBook information-stealing malware.

FormBook is notorious for harvesting credentials, keystrokes, screenshots, and clipboard data, posing a severe threat to personal and organizational security.

Technical Breakdown of the Attack Chain and FormBook Deployment

The attack begins with a phishing email flagged by FortiMail as containing a virus, yet crafted to appear urgent and legitimate, prompting users to open the attached Word document, often named something innocuous like “order0087.docx.”

[Figure: Workflow diagram of this FormBook campaign]

Saved in OOXML format, the document embeds an obfuscated RTF file, “Algeria.rtf,” which contains malicious binary objects.

One object is a 64-bit DLL file, “AdobeID.pdf,” extracted to the %temp% folder, while another exploits CVE-2017-11882 via crafted equation data, triggering a buffer overflow in EQNEDT32.EXE.

According to the report, this leads to the execution of the DLL via rundll32.exe, with a crafted WinExec() API call facilitating the process.

The DLL establishes persistence by adding a registry key under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ensuring it runs on system startup.

It then downloads an encrypted payload disguised as a PNG file from a malicious URL, decrypts it using a hardcoded key (“H1OX2WsqMLPKvGkQ”), and reveals the fileless FormBook executable.

To evade detection, the malware uses process hollowing, injecting itself into a legitimate process like “ImagingDevices.exe” under Windows Photo Viewer.

By creating a suspended process with specific CreationFlags (e.g., CREATE_SUSPENDED), mapping the decrypted FormBook into its memory via NtMapViewOfSection(), and adjusting thread context with Wow64SetThreadContext(), the malware runs stealthily, avoiding traditional file-based detection.

This intricate chain from phishing to payload deployment highlights the attackers’ focus on evasion and persistence, making this variant particularly dangerous.
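The chain described above (Equation Editor spawning rundll32.exe, a "PDF" loaded from %temp%, a Run key written by rundll32.exe, and a suspended ImagingDevices.exe) can be expressed as endpoint detection rules. The following is an added example, not code from Fortinet or the article; the event dictionaries are constructed samples in an assumed Sysmon-like shape, and the field names (parent, image, cmdline, flags, key, value) are assumptions rather than any vendor's real schema.

```python
# Added example: detection logic for the FormBook execution chain described in the article.
# Events below are constructed for illustration; field names are assumed, not a real log format.
SAMPLE_EVENTS = [
    {"type": "process",
     "parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\AdobeID.pdf,#1"},
    {"type": "registry", "image": r"C:\Windows\System32\rundll32.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeID",
     "value": r"C:\Users\bob\AppData\Local\Temp\AdobeID.pdf"},
    {"type": "process", "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Program Files\Windows Photo Viewer\ImagingDevices.exe",
     "flags": "CREATE_SUSPENDED"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",   # benign rundll32 use
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event) pairs for events matching the chain's stages."""
    hits = []
    for e in events:
        img, parent = _base(e.get("image", "")), _base(e.get("parent", ""))
        cmd = e.get("cmdline", "").lower()
        if e["type"] == "process":
            # Equation Editor has no legitimate reason to launch rundll32.exe.
            if parent == "eqnedt32.exe" and img == "rundll32.exe":
                hits.append(("eqnedt32_spawns_rundll32", e))
            # rundll32 loading a module from %temp% that is not named *.dll (here a ".pdf").
            if img == "rundll32.exe" and "\\temp\\" in cmd:
                module = cmd.split("rundll32.exe", 1)[-1].strip().split(",")[0]
                if not module.endswith(".dll"):
                    hits.append(("rundll32_loads_nondll_from_temp", e))
            # Process-hollowing setup: rundll32 creates ImagingDevices.exe suspended.
            if (parent == "rundll32.exe" and img == "imagingdevices.exe"
                    and e.get("flags") == "CREATE_SUSPENDED"):
                hits.append(("suspended_imagingdevices_from_rundll32", e))
        elif e["type"] == "registry":
            # Persistence: a Run value written by rundll32 that points into %temp%.
            if ("\\CURRENTVERSION\\RUN\\" in e.get("key", "").upper()
                    and img == "rundll32.exe" and "\\temp\\" in e.get("value", "").lower()):
                hits.append(("run_key_points_to_temp", e))
    return hits


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, "->", ev.get("image"))
```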

[Figure: Inner view of the Word document]

Fortinet’s protections, including AntiSPAM, Web Filtering, IPS, and AntiVirus services, have already flagged and mitigated this threat through signatures like “MSWord/Formbook.9184!tr” and by blocking associated malicious URLs and DNS requests.

Users are urged to remain vigilant and update their systems to defend against such advanced threats.

Indicators of Compromise (IOCs)

URL: hxxps://www2[.]0zz0[.]com/2025/02/02/10/709869215.png
order0087.docx (SHA-256): 93CF566C0997D5DCD1129384420E4CE59764BD86FDABAAA8B74CAF5318BA9184
Algeria.rtf (SHA-256): 7C66E3156BBE88EC56294CD2CA15416DD2B18432DEEDC024116EA8FBB226D23B
AdobeID.pdf (SHA-256): 2E73B32D2180FD06F5142F68E741DA1CFF1C5E96387CEBD489AD78DE18840A56
Decrypted FormBook (SHA-256): 6AC778712DFFCE48B51850AC34A846DA357BE07328B00D0B629EC9B2F1C37ECE


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
