Infostealer Malware FormBook Spread via Phishing Campaign – Part I

This article discusses a phishing campaign that delivered malicious Word documents exploiting CVE-2017-11882 to install a variant of Formbook, an information-stealing malware targeting Windows systems. The campaign relies on a well-crafted email that tricks users into opening an attachment; the attachment installs the malware, which runs via process hollowing and steals sensitive user data.
Affected: Windows Users, Cybersecurity Sector

Key points:

  • A phishing campaign spreads a malicious Word document containing crafted data.
  • The campaign exploits vulnerability CVE-2017-11882 in Microsoft Equation Editor.
  • A new variant of Formbook malware is delivered, which steals sensitive user data.
  • The malware evades detection by using fileless techniques through process hollowing.
  • Fortinet protections are in place against this campaign including AntiSPAM, Web Filtering, and IPS services.
  • Real-time anti-phishing technologies help detect and mitigate threats from this campaign.

MITRE Techniques:

  • T1203 – Exploit Public-Facing Application: The campaign exploits the CVE-2017-11882 vulnerability.
  • T1059 – Command and Scripting Interpreter: Uses command-line calls to run malicious DLLs and scripts.
  • T1055 – Process Injection: Implements process hollowing to run the Formbook malware in memory.
  • T1056 – Input Capture: Formbook captures sensitive data including keystrokes and clipboard information.
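A defender-side illustration of the Equation Editor exploitation path named in the key points and under T1203, added here as an example and not code from the Fortinet article: it scans Sysmon-style process-creation events and flags the Equation Editor binary (EQNEDT32.EXE, the component patched for CVE-2017-11882) being launched from an Office application and, with higher confidence, spawning child processes. The log lines, their field layout and the process IDs are constructed for the example.

```python
import re

# Constructed Sysmon-style process-creation log (EventID 1); not taken from the page.
SAMPLE_LOG = """\
EventID=1 Pid=3008 Ppid=1200 Image=C:\\Windows\\explorer.exe
EventID=1 Pid=4120 Ppid=3008 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
EventID=1 Pid=4388 Ppid=4120 Image=C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE
EventID=1 Pid=4512 Ppid=4388 Image=C:\\Windows\\System32\\cmd.exe
EventID=1 Pid=4600 Ppid=4512 Image=C:\\Windows\\System32\\rundll32.exe
EventID=1 Pid=5100 Ppid=3008 Image=C:\\Windows\\System32\\notepad.exe
"""

LINE_RE = re.compile(r"EventID=1 Pid=(\d+) Ppid=(\d+) Image=(.+)$")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EQUATION_EDITOR = "eqnedt32.exe"  # Microsoft Equation Editor, the binary patched for CVE-2017-11882

def parse_events(log_text):
    """Return {pid: (ppid, image_basename)} for every process-creation event."""
    procs = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, ppid, image = int(m.group(1)), int(m.group(2)), m.group(3)
            procs[pid] = (ppid, image.rsplit("\\", 1)[-1].lower())
    return procs

def ancestry(procs, pid):
    """Process chain from the oldest known ancestor down to pid, as basenames."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, name = procs[pid]
        chain.append(name)
        pid = ppid
    return chain[::-1]

def detect(log_text):
    """Flag Equation Editor behaviour consistent with CVE-2017-11882 exploitation."""
    procs = parse_events(log_text)
    alerts = []
    for pid, (ppid, name) in procs.items():
        parent = procs.get(ppid, (None, ""))[1]
        if name == EQUATION_EDITOR and parent in OFFICE_APPS:
            # Legitimate when a document embeds an equation object, so informational only.
            alerts.append({"severity": "low", "pid": pid, "chain": ancestry(procs, pid)})
        if parent == EQUATION_EDITOR:
            # Equation Editor renders in-process and has no reason to spawn children.
            alerts.append({"severity": "high", "pid": pid, "chain": ancestry(procs, pid)})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"], " > ".join(a["chain"]))
```

Run as-is the sample yields one low-confidence alert for the WINWORD.EXE > EQNEDT32.EXE launch and one high-confidence alert for the cmd.exe child; the rundll32.exe grandchild is not flagged separately because its direct parent is cmd.exe.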

Indicators of Compromise:

  • [URL] hxxps://www2[.]0zz0[.]com/2025/02/02/10/709869215.png
  • [SHA-256] [order0087.docx] 93CF566C0997D5DCD1129384420E4CE59764BD86FDABAAA8B74CAF5318BA9184
  • [SHA-256] [Algeria.rtf] 7C66E3156BBE88EC56294CD2CA15416DD2B18432DEEDC024116EA8FBB226D23B
  • [SHA-256] [AdobeID.pdf] 2E73B32D2180FD06F5142F68E741DA1CFF1C5E96387CEBD489AD78DE18840A56
  • [SHA-256] [Decrypted FormBook from PNG file] 6AC778712DFFCE48B51850AC34A846DA357BE07328B00D0B629EC9B2F1C37ECE

Full Story: https://feeds.fortinet.com/~/917119400/0/fortinet/blog/threat-research~Infostealer-Malware-FormBook-Spread-via-Phishing-Campaign-%e2%80%93-Part-I