Formbook is an information stealer that has been active since early 2016. My previous diary about Formbook was in February 2018, and not much has changed since then. We still see malicious spam (malspam) pushing Formbook through malicious attachments. A quick check through Twitter or URLhaus reveals several items tagged as Formbook in recent weeks.
Today’s diary reviews a recent Formbook infection from Tuesday 2019-11-05.
The email I found was very generic. It had an attached RTF document designed to exploit vulnerable versions of Microsoft Office when opened in Microsoft Word.
The attached RTF document was Quotation.doc and used an exploit, probably CVE-2017-11882 to infect a vulnerable computer with Formbook. It was filled with German text followed by random characters used for the exploit.
The infected Windows host
The infected Windows host had a Windows executable file for Formbook made persitent through a Windows registry entry. Under the user’s AppData\Roaming directory, the infected Windows host had a folder that included a screenshot of the desktop, and it included text files with stolen usernames and password information.
The infection traffic
Infection traffic was typical for Formbook, very similar to patters we saw in my previous diary about Formbook.
Any.Run’s sandbox analysis of the RTF document and the resulting Formbook infection can be found here.
brad [at] malware-traffic-analysis.net