Infostealer Malware FormBook Spread via Phishing Campaign – Part I

April 22, 2025, 10:20 p.m.

Description

A phishing campaign delivering a malicious Word document exploiting CVE-2017-11882 was observed spreading a new FormBook variant. The campaign tricks recipients into opening an attached document, which extracts a 64-bit DLL file and exploits the vulnerability to execute it. The DLL acts as a downloader and installer for FormBook, establishing persistence and downloading an encrypted payload disguised as a PNG file. The payload is decrypted and injected into a legitimate process using process hollowing techniques. This fileless variant of FormBook aims to evade detection by keeping the malware entirely in memory. The analysis covers the initial phishing email, exploitation process, payload download and decryption, and the sophisticated injection techniques used to deploy FormBook.

External References

https://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign-part-i
https://otx.alienvault.com/pulse/6807bc8539bf1b2aa4d2ff28
Tags
phishing
infostealer
formbook
CVE-2017-11882
process hollowing
2025-04-22
fileless malware
microsoft equation editor

Date

  • Created: April 22, 2025, 3:57 p.m.
  • Published: April 22, 2025, 3:57 p.m.
  • Modified: April 22, 2025, 10:20 p.m.

Indicators

  • 93cf566c0997d5dcd1129384420e4ce59764bd86fdabaaa8b74caf5318ba9184
  • 7c66e3156bbe88ec56294cd2ca15416dd2b18432deedc024116ea8fbb226d23b
  • 6ac778712dffce48b51850ac34a846da357be07328b00d0b629ec9b2f1c37ece
  • 2e73b32d2180fd06f5142f68e741da1cff1c5e96387cebd489ad78de18840a56
  • www2.0zz0.com
  • https://www2.0zz0.com/2025/02/02/10/709869215.xn--png-9o0a
  • https://www2.0zz0.com/2025/02/02/10/709869215.png
Download all indicators here!

Attack Patterns

  • FormBook

Linked vulnerabilities

CVE-2017-11882

None
Published: