How a Malicious Excel File (CVE-2017-0199) Delivers the FormBook Payload

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

A high-severity phishing campaign targeting users of outdated Microsoft Office versions exploits the CVE-2017-0199 vulnerability to deliver FormBook malware. The attack begins with an email carrying a malicious Excel attachment. When the attachment is opened, it triggers the vulnerability, which downloads and executes a malicious HTA file. The HTA file in turn downloads and runs 'sihost.exe', which extracts and decodes 'springmaker', ultimately revealing the FormBook payload. The malware is designed to capture sensitive data, including login credentials, keystrokes, and clipboard contents. Although the vulnerability is eight years old and patches are available, organizations remain exposed because of challenges in vulnerability management and remediation. The infection chain uses multiple stages of encryption and anti-debugging techniques to evade detection.

OPENCTI LABELS:

phishing,formbook,autoit,cve-2017-0199,hta,information-stealer
