End-of-Year PTO: Days Off and Data Exfiltration with Formbook
Dec. 9, 2024, 12:01 p.m.
Description
A phishing campaign disguised as an end-of-year leave approval notice has been intercepted by the Cofense Phishing Defense Center. The malicious email, masquerading as an HR communication, tricks recipients into clicking a link that leads to the deployment of FormBook malware. The email contains red flags such as an external-sender warning and a SendGrid-wrapped URL. The malware, an AutoIt-compiled executable, uses process injection to evade detection and execute its payload. FormBook performs reconnaissance, injects code into svchost.exe and Utilman.exe, and carries out credential harvesting, keylogging, and data exfiltration. The attack exploits the urgency of year-end leave scheduling to infiltrate organizations and steal sensitive information.
Date
Published: Dec. 6, 2024, 10:10 p.m.
Created: Dec. 6, 2024, 10:10 p.m.
Modified: Dec. 9, 2024, 12:01 p.m.
Attack Patterns
FormBook
T1574.002 (Hijack Execution Flow: DLL Side-Loading)
T1106 (Native API)
T1055 (Process Injection)
T1056 (Input Capture)
T1078 (Valid Accounts)
T1003 (OS Credential Dumping)