Recently, a new malware campaign has been discovered using a new version of the FormBook malware. The recent variant, identified by both Microsoft and Trend Micro, exploits a recently discovered zero-day vulnerability in Office 365.
The new version of FormBook
For a long time, FormBook has been known for exploiting the CVE-2017-0199 flaw, but the recent versions of the malware have been updated to abuse a recently disclosed Office 365 zero-day vulnerability (CVE-2021-40444).
FormBook developers have re-written their original exploit and used the initial codebase to deploy Cobalt Strike beacons.
In the ongoing effort, FormBook uses a different ‘Target’ format inside the document[.]xml[.]rels. This new format is meant to bypass detections with the use of Target options.
The vulnerability can be exploited even when the URL is obfuscated with directory traversal paths and empty Target options. Moreover, after exploitation, Word sends a request to the server, as the network capture shows.
FormBook developers have also added an obfuscation layer to the exploit code for extra protection: two calls to an anti-debugging function were inserted to hinder reverse engineering.
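The write-up above says the campaign hides its exploit in the Target attribute of document.xml.rels, using directory traversal segments and empty option fields so that signature-based checks miss it. The triage script below is an added example written for this post, not code from the article or from any vendor. It assumes the analyst has the .docx (a zip archive) or its word/_rels/document.xml.rels part, that an external OLE-object relationship is always worth a look, and that "!" is the delimiter between option fields in the Target value; the sample relationship part is constructed, not taken from a real sample.

```python
"""First-pass triage of relationship targets in a .docx relationship part.

Added example for this write-up; not the article's or any vendor's code.
Assumes the analyst already has the .docx or its extracted
word/_rels/document.xml.rels part.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Directory-traversal segments, plain ("../", "..\") or percent-encoded ("..%2f", "..%5c").
TRAVERSAL = re.compile(r"\.\.(?:/|\\|%2f|%5c)", re.IGNORECASE)


def triage_target(rel_type: str, target: str, mode: str) -> list[str]:
    """Return the reasons a single relationship looks suspicious (empty list = nothing found)."""
    reasons: list[str] = []
    # A document pulling an OLE object from outside the package is unusual by itself.
    if rel_type == OLE_TYPE and mode.lower() == "external":
        reasons.append("external OLE object")
    if TRAVERSAL.search(target):
        reasons.append("directory traversal in Target")
    # Assumption: option fields inside Target are separated by "!"; an empty field
    # between or after delimiters is the "empty option" pattern the article describes.
    fields = target.split("!")
    if len(fields) > 1 and any(f.strip() == "" for f in fields):
        reasons.append("empty option field in Target")
    return reasons


def triage_rels_xml(xml_text: str) -> dict[str, list[str]]:
    """Map relationship Id -> reasons for every suspicious Relationship element."""
    root = ET.fromstring(xml_text)
    findings: dict[str, list[str]] = {}
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        reasons = triage_target(
            rel.get("Type", ""), rel.get("Target", ""), rel.get("TargetMode", "Internal")
        )
        if reasons:
            findings[rel.get("Id", "?")] = reasons
    return findings


def triage_docx(path: str) -> dict[str, list[str]]:
    """Open a .docx (zip) and triage its main document relationship part."""
    with zipfile.ZipFile(path) as zf:
        return triage_rels_xml(zf.read("word/_rels/document.xml.rels").decode("utf-8"))


# Constructed sample relationship part: one benign internal part, one external OLE
# object with traversal and empty option fields, one ordinary hyperlink.
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OLE_TYPE}" Target="http://example.invalid/docs/../../payload.inf!!" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/page" TargetMode="External"/>
</Relationships>
"""

if __name__ == "__main__":
    for rel_id, reasons in triage_rels_xml(SAMPLE_RELS).items():
        print(rel_id, "->", "; ".join(reasons))
```

The three checks are deliberately independent so that a Target that defeats one (for example, no traversal) is still caught by the others; on the constructed sample, rId2 trips all three while the hyperlink in rId3, although external, is not reported.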
The attack chain
The campaign uses an email laden with a malicious Word document attachment as an initial attack vector. Two layers of PowerShell scripts are used to deploy the FormBook malware.
The first stage downloads the second, which is hosted on Discord as an attachment, possibly to evade network protections.
This second stage is fetched from Discord through an obfuscated URL and is the Base64-encoded second PowerShell layer.
The final payload dropped in the recent campaign, identified as FormBook version 4.1, is similar to that used in earlier campaigns.
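The chain above hands a Base64-encoded PowerShell stage to the next step and hides the Discord URL behind string obfuscation. The script below is an added example written for this post, not the article's or any vendor's code. It assumes the stage was captured as a powershell -EncodedCommand argument (Base64 over UTF-16LE text), that the obfuscation is simple string concatenation of quoted literals (one common form; others are out of scope here), and that a short list of file-hosting domains used for staging, with Discord as the one the article names, is a useful triage indicator. The sample stage text is constructed and does nothing.

```python
"""Decode a Base64 PowerShell stage and report the staging hosts it references.

Added example for this write-up; not code from the article or any vendor.
Assumes -EncodedCommand style input and concatenation-based string obfuscation.
"""
from __future__ import annotations

import base64
import re
from urllib.parse import urlparse

# Assumed indicator list: free file hosting seen used for staging (the article names Discord).
STAGING_HOSTS = ("discordapp.com", "discord.com")

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
# 'abc' + 'def'  ->  'abcdef'  (joins adjacent single-quoted literals)
CONCAT_RE = re.compile(r"'\s*\+\s*'")


def decode_encoded_command(b64: str) -> str:
    """Reverse what -EncodedCommand expects: Base64 over UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def deobfuscate_concat(script: str) -> str:
    """Collapse split string literals so URLs become contiguous again."""
    return CONCAT_RE.sub("", script)


def extract_urls(script: str) -> list[str]:
    return URL_RE.findall(deobfuscate_concat(script))


def flag_staging_hosts(urls: list[str]) -> list[str]:
    """Return the hostnames that match (or are subdomains of) a staging host."""
    flagged = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in STAGING_HOSTS):
            flagged.append(host)
    return flagged


def triage_stage(b64: str) -> dict[str, list[str]]:
    script = decode_encoded_command(b64)
    urls = extract_urls(script)
    return {"urls": urls, "staging_hosts": flag_staging_hosts(urls)}


# Constructed stand-in for a first-stage script: only assigns two strings, one of
# them split with '+' the way a real stage would hide its download URL.
SAMPLE_STAGE1 = (
    "$next = 'https://cdn.discord' + 'app.com/attachments/0/0/stage2.txt'\n"
    "$note = 'https://example.invalid/notes'\n"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_STAGE1.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    result = triage_stage(SAMPLE_B64)
    print("URLs:", result["urls"])
    print("staging hosts:", result["staging_hosts"])
```

Decoding before matching matters: a plain regex over the raw Base64 blob, or over the script before the literals are rejoined, finds no URL at all, which is exactly the gap the two-layer packaging is meant to exploit.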
Zero-day flaws are already popular among threat actors and abusing those usually has severe consequences. Therefore, experts suggest following a proper patch management program and using reliable anti-malware solutions.