- The new FormBook campaign targets the retail and hospitality industries both within and outside the US.
- This new campaign uses a malware-friendly file hosting service for distributing the FormBook malware.
Researchers recently spotted a new campaign distributing the FormBook info-stealer malware. This new campaign targets the retail and hospitality industries both within and outside the US. Moreover, researchers observed a file hosting service being used in the new campaign for distributing the FormBook info-stealer.
Researchers noted that even though FormBook has been active since 2016, this new campaign has spiked in numbers due to use of the new file hosting service called DropMyBin. Reportedly, the file hosting service is discussed and shared in underground hacking forums as a recommended service for hosting and serving malware.
RTF documents used as droppers
FormBook usually propagates via a phishing email containing a malicious attachment, either Microsoft Office document or a PDF file.
In this campaign, a rich text format (RTF) document is used to leverage recent Word vulnerabilities as droppers, likely because it is difficult for typical security solutions to detect.
“In this specific attack wave, initial infection is carried out by means of a malicious RTF document, which exploits several vulnerabilities in Microsoft Office (CVE-2012-0158 – Office ActiveX Vulnerability, CVE-2017-11882 – the popular Equation Editor Vulnerability),” researchers explained in a blog.
- Once the payload is dropped and executed, it copies itself and then scans the system for stored passwords in browsers and various other applications.
- It then collects the information and sends the stolen information back to the C&C server.
- In addition to scanning browsers for user-typed passwords and stealing them, the malware also takes a screenshot of the victim’s desktop and sends back to C&C server.
- It also acts as a keylogger and maintains a log of the user’s keystrokes.
“This time around, [FormBook] is using a new malware-friendly file hosting service, which seems to be quickly gaining popularity among other threat actors. We strongly suggest employing a zero-trust policy with respect to the service DropMyBin until other information becomes available,” researchers wrote.