EXECUTIVE SUMMARY:
A phishing campaign has been observed distributing a malicious Word document that exploits CVE-2017-11882, a memory corruption vulnerability in the Microsoft Equation Editor component (EQNEDT32.EXE), to deliver a new variant of FormBook. FormBook is an information stealer that harvests credentials, keystrokes, screenshots and clipboard data from compromised systems. The lure is an email disguised as a sales order that encourages the recipient to open the attached document; opening it triggers the exploit and ultimately results in the execution of FormBook.
The phishing email carries a ZIP archive containing the Word document. When the document is opened, crafted equation data embedded in it is parsed by the Equation Editor, triggering CVE-2017-11882 and allowing arbitrary code execution in the context of the Equation Editor process. The exploit then drops a 64-bit DLL to the victim's system under the misleading name "AdobeID.pdf" and executes it. This DLL acts as a downloader: it retrieves the encrypted FormBook payload from a remote server and decrypts it in memory. FormBook is then launched through process hollowing, a process injection technique in which a legitimate Windows binary, "ImagingDevices.exe", is started in a suspended state and its memory is replaced with the malicious image before execution resumes, so that the malicious code runs under a trusted process name. The decrypted FormBook payload is never written to disk; only the dropped DLL touches the file system, which leaves a much smaller footprint for file-based security controls to detect.
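The chain above leaves a few observable traces on the endpoint even though the final payload stays in memory: the Equation Editor process should never spawn children, a PE image should never be written under a document extension such as .pdf, and ImagingDevices.exe should not be started by anything other than the user's shell. The following detection logic is an added example, not code from the original report or from any vendor; it runs those three heuristics over constructed Sysmon-style events (Event ID 1 process creation, Event ID 11 file creation). The sample paths, PIDs, the "Header" field on the file-creation event and the assumption that only explorer.exe legitimately launches ImagingDevices.exe are all illustrative assumptions, not indicators from the campaign.

```python
"""Added detection example for the CVE-2017-11882 -> downloader DLL ->
process-hollowing chain. Not code from the original report."""
from pathlib import PureWindowsPath

# EQNEDT32.EXE is the Equation Editor binary affected by CVE-2017-11882.
EQUATION_EDITOR = "eqnedt32.exe"
# Legitimate Windows binary the report names as the hollowing target.
HOLLOW_TARGET = "imagingdevices.exe"
# Assumption: on a workstation ImagingDevices.exe is only started by a user.
EXPECTED_PARENTS = {"explorer.exe"}
# Extensions that should never carry a PE image (MZ header).
NON_EXECUTABLE_EXT = {".pdf", ".doc", ".docx", ".jpg", ".png", ".txt"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def masquerading_pe(filename: str, first_bytes: bytes) -> bool:
    """True if a PE image hides behind a document/image extension (T1036)."""
    ext = PureWindowsPath(filename).suffix.lower()
    return ext in NON_EXECUTABLE_EXT and first_bytes.startswith(b"MZ")


def detect(events):
    """Return (rule, event) pairs for events matching the campaign's chain."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1:
            image = basename(ev["Image"])
            parent = basename(ev["ParentImage"])
            # Equation Editor has no business spawning processes at all;
            # a child of EQNEDT32.EXE is the classic CVE-2017-11882 signal.
            if parent == EQUATION_EDITOR:
                hits.append(("eqnedt32-child-process", ev))
            # Hollowing target launched by something other than the shell.
            if image == HOLLOW_TARGET and parent not in EXPECTED_PARENTS:
                hits.append(("imagingdevices-unusual-parent", ev))
        elif ev["EventID"] == 11:
            # "Header" is a constructed field holding the file's first bytes;
            # Sysmon itself does not log content, so this would come from a
            # separate file-inspection step in a real pipeline.
            if masquerading_pe(ev["TargetFilename"], ev.get("Header", b"")):
                hits.append(("pe-with-document-extension", ev))
    return hits


# Constructed sample telemetry (not real campaign data).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Equation Editor is started via DCOM, so its parent is svchost, not Word.
    {"EventID": 1, "ProcessId": 4216,
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 11, "ProcessId": 4216,
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\AdobeID.pdf",
     "Header": b"MZ\x90\x00\x03\x00\x00\x00"},
    {"EventID": 1, "ProcessId": 4388,
     "Image": r"C:\Program Files\Windows Photo Viewer\ImagingDevices.exe",
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"EventID": 1, "ProcessId": 4500,
     "Image": r"C:\Program Files\Windows Photo Viewer\ImagingDevices.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},  # benign interactive launch
]


def rule_names(events=SAMPLE_EVENTS):
    """Convenience wrapper returning only the rule names that fired."""
    return [rule for rule, _ in detect(events)]


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        target = ev.get("Image") or ev.get("TargetFilename")
        print(f"{rule}: pid={ev['ProcessId']} {target}")
```

Note that the first rule fires regardless of which child EQNEDT32.EXE launches, so it also covers variants of this campaign that pick a different hollowing target; the second rule is the one most likely to need tuning per environment, since any software that legitimately launches ImagingDevices.exe would have to be added to EXPECTED_PARENTS.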
This campaign combines a long-patched but still widely exploited vulnerability with in-memory payload delivery to evade file-based detection. Once running, FormBook can steal credentials, keystrokes, screenshots and clipboard contents from the victim's system. Organizations should ensure that Office installations have received the CVE-2017-11882 fix (Microsoft's January 2018 Office updates removed the Equation Editor component entirely), that email security filters phishing attachments such as ZIP archives containing Office documents, and that endpoint protection is kept current against FormBook. A layered defense of antivirus, anti-phishing and intrusion prevention controls addresses each stage of this campaign.
THREAT PROFILE:
| Tactic | Technique ID | Technique |
| --- | --- | --- |
| Initial Access | T1566 | Phishing |
| Execution | T1203 | Exploitation for Client Execution |
| Execution | T1059 | Command and Scripting Interpreter |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Defense Evasion | T1055 | Process Injection |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1218 | System Binary Proxy Execution |
| Collection | T1056 | Input Capture |
| Collection | T1113 | Screen Capture |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
REFERENCES:
The following reports contain further technical details: