A malspam campaign in Italy uses Italian-language emails about unpaid invoices to deliver a 7Z archive containing a VBS script that decodes and drops an embedded executable. The loader decrypts a Base64- and TripleDES-protected payload that installs the Formbook infostealer; CERT-AGID has published IoCs and a downloadable JSON file for detection. #Formbook #CERT-AGID
Keypoints
- Active malspam campaign across Italy distributing the Formbook infostealer.
- Emails pose as urgent unpaid-invoice notices and include a 7Z attachment named "Last reminder for overdue invoice.7z".
- The archive contains a VBS script that decodes an ObfuscatedData variable to recover a Base64-encoded executable.
- The recovered executable is a .NET loader that decrypts embedded data with a method named AesUtilities.DecryptData which, despite its name, actually uses TripleDES.
- The final payload is identified as Formbook (sample seen on VirusTotal: d4881f5a43831fed7e0d6046e8f513712a88027ed58914d70c25817e46aa9185).
- CERT-AGID published IoCs and a downloadable JSON file to aid detection and sharing.
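The dropper stage described in the keypoints (a VBS variable holding a Base64-encoded executable) lends itself to a simple triage check. The script below is an added example for defenders, not code from CERT-AGID or from the advisory: it pulls the string literal assigned to the `ObfuscatedData` variable named on the page (including VBScript `&`/`_` continuations), Base64-decodes it, checks for a PE `MZ` header, and compares the SHA-256 against the Formbook hash published in the IoC list. The embedded VBS text is a constructed stand-in, not the real attachment; the only real-world value it uses is the hash from this page.

```python
"""Triage helper for VBS droppers that hide a Base64 executable in a variable.

Added example, not code from CERT-AGID or the advisory. Assumes the dropper
assigns its encoded payload to a variable named ObfuscatedData (named on the
page) and that the decoded bytes are a Windows PE (MZ header). SAMPLE_VBS is a
constructed stand-in, not the real attachment.
"""
import base64
import hashlib
import re
from typing import Optional

# SHA-256 published in the CERT-AGID advisory for the final Formbook payload.
KNOWN_BAD_SHA256 = {
    "d4881f5a43831fed7e0d6046e8f513712a88027ed58914d70c25817e46aa9185",
}

# Constructed sample: the 16 leading bytes of a DOS header, Base64-encoded and
# split across a VBScript "&" / "_" line continuation. Not a real dropper.
SAMPLE_VBS = '''Dim ObfuscatedData
ObfuscatedData = "TVqQAAMAAAAEAAAA" & _
    "//8AAA=="
' ... decode / drop / execute logic would follow here in a real sample
'''

# Capture every quoted chunk assigned to ObfuscatedData, allowing "&" joins
# and "_" line continuations between chunks.
_ASSIGN_RE = re.compile(
    r'ObfuscatedData\s*=\s*((?:"[^"]*"\s*(?:&\s*_?\s*)?)+)', re.IGNORECASE
)
_CHUNK_RE = re.compile(r'"([^"]*)"')


def extract_obfuscated_data(vbs_text: str) -> Optional[str]:
    """Return the concatenated literal assigned to ObfuscatedData, or None."""
    match = _ASSIGN_RE.search(vbs_text)
    if not match:
        return None
    return "".join(_CHUNK_RE.findall(match.group(1)))


def decode_payload(encoded: str) -> bytes:
    """Base64-decode the recovered literal, tolerating whitespace and
    missing padding (both are common in hand-split VBS strings)."""
    cleaned = re.sub(r"\s+", "", encoded)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned)


def triage_vbs(vbs_text: str) -> dict:
    """Extract, decode and classify the payload embedded in a VBS dropper."""
    encoded = extract_obfuscated_data(vbs_text)
    if encoded is None:
        return {"found": False}
    try:
        payload = decode_payload(encoded)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"found": True, "decoded": False}
    digest = hashlib.sha256(payload).hexdigest()
    return {
        "found": True,
        "decoded": True,
        "is_pe": payload[:2] == b"MZ",
        "size": len(payload),
        "sha256": digest,
        "known_bad": digest in KNOWN_BAD_SHA256,
    }


if __name__ == "__main__":
    for key, value in triage_vbs(SAMPLE_VBS).items():
        print(f"{key}: {value}")
```

A hit on `is_pe` alone is enough to quarantine the attachment for analysis; `known_bad` only fires for the exact sample in the advisory, so treat the hash match as confirmation, not as the primary detection. To extend coverage, load the hashes from the CERT-AGID JSON into `KNOWN_BAD_SHA256` instead of hard-coding one value.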
MITRE Techniques
- [T1203] Exploitation for Client Execution – Used to achieve execution of malicious code delivered via the VBS and loader ("...Execution (T1203): Exploits vulnerabilities in applications to execute malicious code.")
- [T1003] Credential Access – The campaign aims to collect credentials through the Formbook infostealer ("...Credential Access (T1003): Collects user credentials through various methods.")
- [T1041] Exfiltration Over Command and Control Channel – Exfiltration of stolen data is performed over a C2 channel ("...Exfiltration Over Command and Control Channel (T1041): Uses a command and control channel to exfiltrate data.")
- [T1486] Data Encrypted for Impact – The actor encrypts data as part of payload handling or impact procedures ("...Data Encrypted for Impact (T1486): Encrypts data to disrupt access and demand ransom.")
Indicators of Compromise
- [File hash] Formbook sample on VirusTotal – d4881f5a43831fed7e0d6046e8f513712a88027ed58914d70c25817e46aa9185
- [File names] Malicious attachments used in lures – Last reminder for overdue invoice.7z, Last reminder for overdue invoice.vbs
- [Download/IoC file] CERT-AGID IoC package – https://cert-agid.gov.it/wp-content/uploads/2024/11/formbook-12-11-2024.json
- [Domain/Source] Reporting and campaign details – cert-agid.gov.it (original advisory and IoC publication)
Read more: https://cert-agid.gov.it/news/studio-di-una-nuova-campagna-formbook-attiva-in-italia/