Formbook Malware Campaign Uses Multiple Obfuscation Techniques

By Team-CWD, April 20, 2026
Two phishing campaigns, each using a different stealthy infection technique, are targeting organizations with attacks that aim to deliver data-stealing malware to devices running Microsoft Windows.

The goal of both campaigns is to install Formbook, a notorious infostealer that has been available through malware-as-a-service schemes since 2016.

The malware is designed to gather sensitive information, including login credentials, browser data and screenshots, and it is equipped with advanced evasion techniques to avoid detection.

Ten years on from its initial release, Formbook is still an active cyber threat to organizations across a range of industries, with no sign of slowing down.

Cybersecurity threat researchers at WatchGuard have detailed at least two new Formbook campaigns.

As detailed in a blog post published on April 20, Formbook campaigns have been spotted targeting companies in Greece, Spain, Slovenia, Bosnia, Croatia and several countries in South America. The phishing lures appear to be disguised as common types of business email.

“What makes these campaigns especially noteworthy is not just the malware itself, but the diversity of methods used to evade detection and abuse legitimate software and trusted system processes,” said WatchGuard.

DLL Sideloading and Obfuscated JavaScript

Both Formbook campaigns begin with phishing emails, but they use different methods to hide and deliver the malware payload: one uses dynamic-link library (DLL) sideloading, while the other uses obfuscated JavaScript.

The first campaign begins with a phishing email carrying a RAR archive that contains four files: three DLLs and one Windows executable (EXE).

DLL sideloading tricks a legitimate program into loading a malicious DLL in place of the one it expects. Because the malicious code then runs inside a trusted process, the attackers can execute their payload while avoiding being flagged by the system as malicious or unusual.

Meanwhile, the second campaign uses a different tactic to deliver Formbook. The initial stage is again a phishing email, but this time the malicious payload is hidden inside JavaScript and PDF files that use obfuscated code to evade detection.

When executed, the JavaScript drops two image files. These in turn drop PowerShell commands, obfuscated within long strings of code, which ultimately run a Windows executable that deploys a custom malware loader.

Malware previously seen being distributed by this loader includes Remcos, XWorm, AsyncRAT and SmokeLoader. In this instance it is being used to deliver the same Formbook malware as the first phishing campaign.

“Security teams should monitor for suspicious archive-based email attachments, anomalous DLL loading behavior, PowerShell execution tied to user-opened attachments, and signs of manual DLL mapping or direct syscall activity in memory,” advised WatchGuard.

“By correlating these behaviors across the attack chain, organizations can improve their ability to detect and stop FormBook infections before sensitive data is compromised,” the company added.
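As an added illustration of the monitoring advice above (not code from WatchGuard or the original article), the following Python pass runs two simple heuristics over constructed Sysmon-style events: a DLL loaded from the same user-writable folder as its host executable (the sideloading chain) and PowerShell spawned by a script host or carrying an encoded command line (the JavaScript chain). The paths, thresholds and event layout are assumptions chosen for the example.

```python
"""Toy detection pass over constructed Sysmon-style events that mirror the two
Formbook delivery chains: an EXE sideloading a DLL from an extracted archive,
and JavaScript (via Windows Script Host) spawning PowerShell. Illustrative only."""
from pathlib import PureWindowsPath

# Assumed heuristics: DLLs loaded from these user-writable paths are suspect, the
# trusted directories are not, and these script hosts should rarely spawn PowerShell.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def check_image_load(ev):
    """Flag a DLL loaded from the same user-writable folder as the process image
    instead of from a trusted system or program directory (sideloading pattern)."""
    exe, dll = PureWindowsPath(ev["image"]), PureWindowsPath(ev["loaded"])
    if str(dll).lower().startswith(TRUSTED_DLL_DIRS):
        return None
    if exe.parent == dll.parent and any(m in str(dll).lower() for m in USER_WRITABLE):
        return f"possible DLL sideload: {exe.name} loaded {dll.name} from {dll.parent}"
    return None

def check_process_create(ev):
    """Flag PowerShell launched by a script host (the JS-attachment chain) or
    carrying an encoded / unusually long command line (obfuscated strings)."""
    image = PureWindowsPath(ev["image"]).name.lower()
    parent = PureWindowsPath(ev["parent"]).name.lower()
    if image != "powershell.exe":
        return None
    if parent in SCRIPT_HOSTS:
        return f"powershell spawned by script host {parent}"
    if "-enc" in ev["cmdline"].lower() or len(ev["cmdline"]) > 500:
        return "powershell with encoded or unusually long command line"
    return None

def scan(events):
    """Run the matching check over each event and collect the alerts."""
    checks = {"ImageLoad": check_image_load, "ProcessCreate": check_process_create}
    return [hit for ev in events if (hit := checks[ev["type"]](ev)) is not None]

SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"type": "ImageLoad", "image": r"C:\Users\alice\Downloads\invoice\viewer.exe",
     "loaded": r"C:\Users\alice\Downloads\invoice\helper.dll"},
    {"type": "ImageLoad", "image": r"C:\Users\alice\Downloads\invoice\viewer.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmdline": "powershell -w hidden -enc QQBB"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell Get-Process"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts: the sideloaded `helper.dll` and the PowerShell process started by `wscript.exe`; the legitimate `kernel32.dll` load and the interactive PowerShell session are left alone.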