Formbook Phishing Campaign with Old Payloads
Jan. 7, 2025, 4:36 p.m.
Description
A recent phishing campaign has been observed delivering the Formbook information stealer through email attachments. The attack begins with a spear-phishing email carrying a purchase-order lure and a zip file attachment. The infection chain passes through three stages before the final payload: Purchase Order.exe, Arthur.dll and Montero.dll, with steganography used to hide malicious files inside images. The malware employs several evasion techniques, including process hollowing, mutex creation and adding its own paths to exclusion lists. It creates scheduled tasks for persistence and can download additional payloads or receive commands from the threat actor's C2 server. The final payload is a heavily obfuscated 32-bit MASM-compiled binary.
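The following is an added triage example, not code from the original report or from the campaign's samples. It does two things a responder would want from this entry: it matches file hashes against the SHA-256 listed under Indicators, and it flags, in process-creation telemetry, the behaviours the description lists that leave a clean command-line trace (scheduled-task creation, exclusion-path additions via PowerShell, and an executable masquerading as a purchase-order document). The key=value log format, the sample lines, and the command-line patterns are this example's own constructions and assumptions, not strings observed in the campaign.

```python
import hashlib
import re

# SHA-256 listed under "Indicators" in the report.
IOC_SHA256 = {
    "b22bdf76891cde5dd78a3f1dbc7ad67543f9d66db4a959bf3dc70536d8d1903b",
}

# Behaviour rules mapped to ATT&CK IDs the report lists. The regexes are
# this example's assumptions about how each behaviour appears in
# process-creation telemetry; they are not strings taken from the samples.
RULES = [
    ("T1053.005", "scheduled task created for persistence",
     re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b|\bRegister-ScheduledTask\b", re.I)),
    ("T1059.001", "PowerShell adds an antivirus exclusion path",
     re.compile(r"\bAdd-MpPreference\b.*-ExclusionPath\b", re.I)),
    ("T1036", "executable masquerading as a purchase-order document",
     re.compile(r"\\[^\\]*purchase[ _-]?order[^\\]*\.exe\b", re.I)),
]

# Constructed telemetry in a simple key=value format (assumed, not a real
# EDR export). Line 1 is the lure binary, line 2 the exclusion-path tamper,
# line 3 the persistence task, line 4 benign noise, line 5 a non-process event.
SAMPLE_LOG = [
    r'ts=2025-01-07T14:23:01Z host=WS01 event=ProcessCreate parent="C:\Windows\explorer.exe" image="C:\Users\a\AppData\Local\Temp\Purchase Order.exe" cmdline="C:\Users\a\AppData\Local\Temp\Purchase Order.exe"',
    r'ts=2025-01-07T14:23:04Z host=WS01 event=ProcessCreate parent="C:\Users\a\AppData\Local\Temp\Purchase Order.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -NoP -W Hidden Add-MpPreference -ExclusionPath C:\Users\a\AppData\Roaming"',
    r'ts=2025-01-07T14:23:05Z host=WS01 event=ProcessCreate parent="C:\Users\a\AppData\Local\Temp\Purchase Order.exe" image="C:\Windows\System32\schtasks.exe" cmdline="schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\Users\a\AppData\Roaming\update.exe"',
    r'ts=2025-01-07T14:25:10Z host=WS01 event=ProcessCreate parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe C:\Users\a\Documents\notes.txt"',
    r'ts=2025-01-07T14:25:12Z host=WS01 event=NetworkConnect image="C:\Users\a\AppData\Local\Temp\Purchase Order.exe" dst=203.0.113.10:80',
]

LOG_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in LOG_RE.findall(line)}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path) -> str:
    """Hash a file in 1 MiB chunks so large droppers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_ioc(digest: str) -> bool:
    """True if a hex SHA-256 matches the report's indicator (case-insensitive)."""
    return digest.lower() in IOC_SHA256


def scan_log(lines):
    """Return (line_no, technique_id, description, image) for every rule hit.

    Only ProcessCreate events are inspected, and only the image path and the
    command line are matched, so a suspicious parent alone does not alert.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev.get("event") != "ProcessCreate":
            continue
        haystack = ev.get("cmdline", "") + " " + ev.get("image", "")
        for tid, desc, rx in RULES:
            if rx.search(haystack):
                hits.append((n, tid, desc, ev.get("image", "")))
    return hits


if __name__ == "__main__":
    for n, tid, desc, image in scan_log(SAMPLE_LOG):
        print(f"line {n}: {tid} {desc} [{image}]")
```

Running it over the constructed lines yields three hits, one each for T1036, T1059.001 and T1053.005, and nothing for the benign notepad line. To use it on a real host, feed `scan_log` your own process-creation export (after adapting `parse_line` to its format) and compare `sha256_file` of any recovered attachment or dropped stage against `is_known_ioc`.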
Date
Published: Jan. 7, 2025, 2:23 p.m.
Created: Jan. 7, 2025, 2:23 p.m.
Modified: Jan. 7, 2025, 4:36 p.m.
Indicators
SHA-256: b22bdf76891cde5dd78a3f1dbc7ad67543f9d66db4a959bf3dc70536d8d1903b
Attack Patterns
Formbook
T1027.003 (Obfuscated Files or Information: Steganography)
T1053.005 (Scheduled Task/Job: Scheduled Task)
T1055.012 (Process Injection: Process Hollowing)
T1059.001 (Command and Scripting Interpreter: PowerShell)
T1497 (Virtualization/Sandbox Evasion)
T1082 (System Information Discovery)
T1057 (Process Discovery)
T1566.001 (Phishing: Spearphishing Attachment)
T1083 (File and Directory Discovery)
T1036 (Masquerading)