Formbook Phishing Campaign with old Payloads

Jan. 7, 2025, 4:36 p.m.

Description

A recent phishing campaign has been observed delivering the Formbook stealer through email attachments. The malware is delivered in multiple stages and uses steganography to hide malicious files inside images. The infection chain passes through three stages before the final payload: Purchase Order.exe, Arthur.dll, and Montero.dll. The attack begins with a spear-phishing email that references a purchase order and carries a zip file attachment. The malware employs several evasion techniques, including process hollowing, mutex creation, and adding its own paths to exclusion lists. It also creates scheduled tasks for persistence and can download additional payloads or receive commands from the threat actor's C2 server. The final payload is a highly obfuscated, 32-bit, MASM-compiled binary.

Date

  • Created: Jan. 7, 2025, 2:23 p.m.
  • Published: Jan. 7, 2025, 2:23 p.m.
  • Modified: Jan. 7, 2025, 4:36 p.m.

Indicators

  • b22bdf76891cde5dd78a3f1dbc7ad67543f9d66db4a959bf3dc70536d8d1903b

Attack Patterns