Formbook Phishing Campaign with old Payloads
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
A recent phishing campaign has been observed delivering the Formbook stealer through email attachments. The malware uses multiple stages and steganography to hide malicious files inside images. The infection chain involves three stages before the final payload: Purchase Order.exe, Arthur.dll, and Montero.dll. The attack begins with a spear-phishing email containing a purchase order and a zip file attachment. The malware employs several evasion techniques, including process hollowing, mutex creation, and adding itself to exclusion paths. It also creates scheduled tasks for persistence and can download additional payloads or receive commands from the threat actor's C2 server. The final payload is a highly obfuscated, 32-bit MASM-compiled binary.
OPENCTI LABELS:
phishing, steganography, process-hollowing, xml, formbook stealer