Infostealer Malware FormBook Spread via Phishing Campaign – Part I

April 22, 2025, 10:20 p.m.

Description

A phishing campaign delivering a malicious Word document exploiting CVE-2017-11882 was observed spreading a new FormBook variant. The campaign tricks recipients into opening an attached document, which extracts a 64-bit DLL file and exploits the vulnerability to execute it. The DLL acts as a downloader and installer for FormBook, establishing persistence and downloading an encrypted payload disguised as a PNG file. The payload is decrypted and injected into a legitimate process using process hollowing techniques. This fileless variant of FormBook aims to evade detection by keeping the malware entirely in memory. The analysis covers the initial phishing email, exploitation process, payload download and decryption, and the sophisticated injection techniques used to deploy FormBook.

Date

  • Created: April 22, 2025, 3:57 p.m.
  • Published: April 22, 2025, 3:57 p.m.
  • Modified: April 22, 2025, 10:20 p.m.

Indicators


Attack Patterns

Linked vulnerabilities