Researchers recently spotted a new campaign distributing the FormBook info-stealer malware. The campaign targets the retail and hospitality industries both within and outside the US, and researchers observed it using a file hosting service to distribute the FormBook payload.
Researchers noted that although FormBook has been active since 2016, infection numbers in this campaign have spiked because the operators rely on a new file hosting service called DropMyBin. Reportedly, the service is discussed and shared in underground hacking forums as a recommended option for hosting and serving malware.
RTF documents used as droppers
FormBook usually propagates via a phishing email carrying a malicious attachment, either a Microsoft Office document or a PDF file.
In this campaign, the dropper is a rich text format (RTF) document that exploits recent Word vulnerabilities, likely chosen because such files are difficult for typical security solutions to detect.
“In this specific attack wave, initial infection is carried out by means of a malicious RTF document, which exploits several vulnerabilities in Microsoft Office (CVE-2012-0158 – Office ActiveX Vulnerability, CVE-2017-11882 – the popular Equation Editor Vulnerability),” researchers explained in a blog.
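As an added example (not code from the article or from the researchers it quotes), the following Python triage routine flags the RTF constructs such droppers depend on: embedded OLE objects, their declared class names, and the `\objupdate` control word that activates an object as soon as the document is opened. The sample RTF strings and the list of risky class names are constructed for the demo and are assumptions, not data from the article.

```python
import re

# Constructed sample inputs for the demo (no real exploit content).
BENIGN_RTF = r"{\rtf1\ansi{\fonttbl{\f0 Calibri;}}\f0 Quarterly report attached.\par}"
SUSPECT_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    r"{\object\objemb\objupdate{\*\objclass Equation.3}"
    r"{\*\objdata 0105000002000000 0b000000 4571756174696f6e2e3300 }}"
    r"\f0 Invoice attached.\par}"
)

OBJECT_RE = re.compile(r"\\object\b")                 # start of an embedded OLE object
OBJCLASS_RE = re.compile(r"\\objclass\s+([^\\{}\s]+)")  # declared ProgID of the object
OBJDATA_RE = re.compile(r"\\objdata\s+([0-9A-Fa-f\s]+)")  # hex-encoded object payload

# ProgIDs tied to the vulnerabilities the article names: Equation.3 is the Equation
# Editor (CVE-2017-11882); MSComctlLib.ListViewCtrl.2 is the MSCOMCTL control behind
# CVE-2012-0158. Assumption: this list is illustrative, not exhaustive.
RISKY_CLASSES = {"equation.3", "equation.2", "mscomctllib.listviewctrl.2"}


def triage_rtf(rtf: str) -> dict:
    """Summarise embedded OLE objects in an RTF document and give a coarse verdict."""
    classes = OBJCLASS_RE.findall(rtf)
    risky = sorted({c for c in classes if c.lower() in RISKY_CLASSES})
    # Count payload bytes across all \objdata blobs (hex may be split by whitespace).
    objdata_bytes = sum(len(re.sub(r"\s+", "", blob)) // 2 for blob in OBJDATA_RE.findall(rtf))
    auto_update = "\\objupdate" in rtf  # object refreshed on open: no user click required
    if risky or auto_update:
        verdict = "suspicious"
    elif classes:
        verdict = "review"          # an embedded object, but no known-risky class name
    else:
        verdict = "clean"
    return {
        "object_count": len(OBJECT_RE.findall(rtf)),
        "classes": classes,
        "risky_classes": risky,
        "auto_update": auto_update,
        "objdata_bytes": objdata_bytes,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_RTF), ("suspect", SUSPECT_RTF)):
        print(name, triage_rtf(sample))
```

A class-name match is only a cheap first pass; a sample that omits `\objclass` and carries the object identity inside `\objdata` still surfaces through the object count and payload size.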
“This time around, [FormBook] is using a new malware-friendly file hosting service, which seems to be quickly gaining popularity among other threat actors. We strongly suggest employing a zero-trust policy with respect to the service DropMyBin until other information becomes available,” researchers wrote.