
Formbook Malware Campaign Targets Organizations with Advanced Phishing Techniques

Severity: High (Score: 71.0)

Sources: Scworld, Infosecurity-Magazine

Summary

Two phishing campaigns have been identified targeting organizations in Greece, Spain, Slovenia, Bosnia, Croatia, and several South American countries, aiming to deliver the Formbook infostealer. The first campaign employs DLL sideloading via a RAR file containing three DLLs and a Windows executable, while the second uses obfuscated JavaScript and PDF files to conceal the malware payload. When executed, the JavaScript drops image files that execute PowerShell commands, ultimately launching a custom malware loader that deploys Formbook. The malware is designed to steal sensitive information, including login credentials and browser data. Formbook has been active since 2016 and continues to pose a significant threat.

Security researchers from WatchGuard recommend monitoring for suspicious email attachments and anomalous system behaviors to mitigate risks. The campaigns highlight the evolving tactics used by cybercriminals to bypass detection mechanisms.

Key Points:

  • Formbook malware is being delivered through two distinct phishing campaigns.
  • The first campaign uses DLL sideloading, while the second employs obfuscated JavaScript.
  • Organizations in multiple countries are at risk, necessitating enhanced monitoring and detection efforts.
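The two delivery chains above map to behaviors that endpoint telemetry can catch without any campaign-specific indicator: an executable extracted to a user-writable folder loading an unsigned DLL from that same folder (the sideloading chain, T1574), and a script host such as wscript.exe spawning PowerShell with loader-style arguments (the JavaScript chain, T1059.007 followed by T1059.001). The following detector is an added example written for this page, not code from WatchGuard or either source article. The event records are constructed to resemble Sysmon process-create (EventID 1) and image-load (EventID 7) data; every path, PID, command line and the `Event`/`Finding` field names are assumptions, not observed indicators.

```python
"""Added example: two behavioral rules for the delivery chains described in the
summary, run over constructed Sysmon-like events.  Field names, paths and
command lines are assumptions chosen for illustration."""

import ntpath
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Folders where an archive opened from a mail attachment typically gets extracted.
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData\\Local\\Temp|Public)\\", re.I)

# Switches and cmdlets typical of a PowerShell loader stage (assumed list).
SUSPICIOUS_PS = re.compile(
    r"(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|iex\b|"
    r"invoke-expression|downloadstring|frombase64string)",
    re.I,
)


@dataclass
class Event:
    event_id: int            # 1 = process create, 7 = image load (Sysmon numbering)
    pid: int
    image: str               # full path of the process image
    parent_image: str = ""   # EventID 1 only
    command_line: str = ""   # EventID 1 only
    image_loaded: str = ""   # EventID 7 only
    signed: bool = True      # EventID 7 only: Authenticode status of the loaded module


@dataclass
class Finding:
    technique: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def dirname(path: str) -> str:
    return ntpath.dirname(path).lower()


def detect(events):
    """Return one Finding per event that matches either rule, in event order."""
    findings = []
    procs = {e.pid: e for e in events if e.event_id == 1}
    for e in events:
        if e.event_id == 1:
            # Rule 1: script host (JavaScript attachment) launching PowerShell
            # with arguments that hide the window, decode a payload or eval text.
            if (basename(e.parent_image) in SCRIPT_HOSTS
                    and basename(e.image) in POWERSHELL
                    and SUSPICIOUS_PS.search(e.command_line)):
                findings.append(Finding(
                    "T1059.007->T1059.001", e.pid,
                    f"{basename(e.parent_image)} spawned {basename(e.image)}: {e.command_line}"))
        elif e.event_id == 7:
            proc = procs.get(e.pid)
            if proc is None:
                continue
            # Rule 2: an executable running from a user-writable folder loads an
            # unsigned DLL from its own directory, the classic sideloading layout
            # (EXE plus DLLs dropped side by side from an archive).
            if (USER_WRITABLE.search(proc.image)
                    and e.image_loaded.lower().endswith(".dll")
                    and dirname(e.image_loaded) == dirname(proc.image)
                    and not e.signed):
                findings.append(Finding(
                    "T1574", e.pid,
                    f"{basename(proc.image)} loaded unsigned {basename(e.image_loaded)} "
                    f"from {dirname(proc.image)}"))
    return findings


# Constructed sample telemetry: one instance of each chain plus two benign events.
SAMPLE_EVENTS = [
    # Chain 1: archive extracted to Downloads, EXE loads a DLL from the same folder.
    Event(1, 4101, r"C:\Users\ana\Downloads\invoice\viewer.exe", r"C:\Windows\explorer.exe"),
    Event(7, 4101, r"C:\Users\ana\Downloads\invoice\viewer.exe",
          image_loaded=r"C:\Users\ana\Downloads\invoice\version.dll", signed=False),
    Event(7, 4101, r"C:\Users\ana\Downloads\invoice\viewer.exe",
          image_loaded=r"C:\Windows\System32\kernel32.dll", signed=True),
    # Chain 2: wscript runs the attached .js, which spawns hidden, encoded PowerShell.
    Event(1, 4202, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
          command_line=r'wscript.exe "C:\Users\ana\AppData\Local\Temp\doc.js"'),
    Event(1, 4203, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\wscript.exe",
          command_line="powershell.exe -nop -w hidden -enc SQBFAFgA"),
    # Benign: interactive PowerShell from cmd, and an installed app loading its own DLL.
    Event(1, 4304, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\cmd.exe", command_line="powershell.exe Get-Service"),
    Event(1, 4305, r"C:\Program Files\App\app.exe", r"C:\Windows\explorer.exe"),
    Event(7, 4305, r"C:\Program Files\App\app.exe",
          image_loaded=r"C:\Program Files\App\helper.dll", signed=False),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.technique}] pid={f.pid} {f.detail}")
```

Run as-is it reports exactly two findings, one per chain, and stays quiet on the benign events: Rule 2 deliberately ignores unsigned DLLs under Program Files, since legitimate installers ship those constantly, and Rule 1 keys on the parent being a script host rather than on PowerShell alone, which is what separates the attachment chain from an administrator's console. Both rules are starting points; tune the folder list and the PowerShell pattern to the environment before alerting on them.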

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • Croatia (country)
  • Greece (country)
  • Slovenia (country)
  • Spain (country)
  • AsyncRAT (malware)
  • FormBook (malware)
  • Remcos (malware)
  • Smokeloader (malware)
  • XWorm (malware)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1059.007 - JavaScript (mitre_attack)
  • T1566.001 - Spearphishing Attachment (mitre_attack)
  • T1574 - Hijack Execution Flow (mitre_attack)
  • Windows (platform)
  • PowerShell (tool)