Recently, a new malware campaign has been discovered using a new version of the FormBook malware. The recent variant, identified by both Microsoft and Trend Micro, exploits a recently discovered zero-day vulnerability in Office 365.
The new version of FormBook
For a long time, FormBook has been known for exploiting the CVE- 2017-0199 flaw, but the recent versions of the malware are updated to abuse a recent Office 365 zero-day vulnerability (CVE-2021-40444).
- FormBook developers have re-written their original exploit and used the initial codebase to deploy Cobalt Strike beacons.
- In the ongoing effort, FormBook uses a different ‘Target’ format inside the document[.]xml[.]rels. This new format is meant to bypass detections with the use of Target options.
- The vulnerability can be exploited even if the URL is jumbled up using directory traversal paths and empty options for Target. Moreover, after exploitation, Word sends a request to the server as the network capture.
- FormBook developers have also added an additional obfuscation mechanism for the exploit code to provide additional protection. It has added two calls to a function for anti-debugging behavior to prevent reverse engineering.
The attack chain
The campaign uses an email laden with a malicious Word document attachment as an initial attack vector. Two layers of PowerShell scripts are used to deploy the FormBook malware.
- The first stage downloads the second one, which is saved as an attachment hosted on Discord. This is possibly done to bypass network protection.
- The next stage is downloaded from Discord (using an obfuscated URL). This downloaded attachment is the second PowerShell layer (formatted in Base64).
- The final version deployed in the recent campaign is similar to that used in earlier campaigns as well. The version is identified as FormBook version 4.1.
Conclusion
Zero-day flaws are already popular among threat actors and abusing those usually has severe consequences. Therefore, experts suggest following a proper patch management program and using reliable anti-malware solutions.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_403886788.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_432839689.jpg)
