Hackers Exploit Weaponized Word Docs to Steal Windows Login Credentials

A sophisticated phishing campaign has been uncovered by Fortinet’s FortiGuard Labs, targeting Windows users with malicious Word documents designed to steal sensitive data.

Disguised as legitimate sales orders, these emails trick recipients into opening attachments that exploit a known vulnerability, CVE-2017-11882, in Microsoft Equation Editor 3.0.

This remote code execution flaw allows attackers to execute harmful code on the victim’s system, ultimately deploying a new variant of the FormBook information-stealing malware.

FormBook is notorious for harvesting credentials, keystrokes, screenshots, and clipboard data, posing a severe threat to personal and organizational security.

Technical Breakdown of the Attack Chain and FormBook Deployment

The attack begins with a phishing email flagged by FortiMail as containing a virus, yet crafted to appear urgent and legitimate, prompting users to open the attached Word document, often named something innocuous like “order0087.docx.”

Saved in OOXML format, the document embeds an obfuscated RTF file, “Algeria.rtf,” which contains malicious binary objects.

One object is a 64-bit DLL file, “AdobeID.pdf,” extracted to the %temp% folder, while another exploits CVE-2017-11882 via crafted equation data, triggering a buffer overflow in EQNEDT32.EXE.

According to the Report, this leads to the execution of the DLL via rundll32.exe, with a crafted WinExec() API call facilitating the process.

The DLL establishes persistence by adding a registry key under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ensuring it runs on system startup.

It then downloads an encrypted payload disguised as a PNG file from a malicious URL, decrypts it using a hardcoded key (“H1OX2WsqMLPKvGkQ”), and reveals the fileless FormBook executable.

To evade detection, the malware uses process hollowing, injecting itself into a legitimate process like “ImagingDevices.exe” under Windows Photo Viewer.

By creating a suspended process with specific CreationFlags (e.g., CREATE_SUSPENDED), mapping the decrypted FormBook into its memory via NtMapViewOfSection(), and adjusting thread context with Wow64SetThreadContext(), the malware runs stealthily, avoiding traditional file-based detection.

This intricate chain from phishing to payload deployment highlights the attackers’ focus on evasion and persistence, making this variant particularly dangerous.

Fortinet’s protections, including AntiSPAM, Web Filtering, IPS, and AntiVirus services, have already flagged and mitigated this threat through signatures like “MSWord/Formbook.9184!tr” and by blocking associated malicious URLs and DNS requests.

Users are urged to remain vigilant and update their systems to defend against such advanced threats.

Indicators of Compromise (IOCs)

Type	Value
URL	hxxps://www2[.]0zz0[.]com/2025/02/02/10/709869215.png
order0087.docx SHA-256	93CF566C0997D5DCD1129384420E4CE59764BD86FDABAAA8B74CAF5318BA9184
Algeria.rtf SHA-256	7C66E3156BBE88EC56294CD2CA15416DD2B18432DEEDC024116EA8FBB226D23B
AdobeID.pdf SHA-256	2E73B32D2180FD06F5142F68E741DA1CFF1C5E96387CEBD489AD78DE18840A56
Decrypted FormBook SHA-256	6AC778712DFFCE48B51850AC34A846DA357BE07328B00D0B629EC9B2F1C37ECE

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!