Infostealer Malware FormBook Spread via Phishing Campaign – Part I

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

A phishing campaign delivering a malicious Word document that exploits CVE-2017-11882 (the Microsoft Equation Editor vulnerability) was observed spreading a new FormBook variant. The campaign tricks recipients into opening the attached document, which drops a 64-bit DLL file and exploits the vulnerability to execute it. The DLL acts as a downloader and installer for FormBook: it establishes persistence and downloads an encrypted payload disguised as a PNG file. The payload is decrypted in memory and injected into a legitimate process using process hollowing. This fileless variant of FormBook aims to evade detection by keeping the malware entirely in memory rather than writing it to disk. The analysis covers the initial phishing email, the exploitation process, payload download and decryption, and the injection techniques used to deploy FormBook.

OPENCTI LABELS:

phishing,process hollowing,infostealer,formbook,cve-2017-11882,fileless malware,microsoft equation editor
