Author: Nathan Toporek
TLP: WHITE
On July 2, Infoblox observed a malicious email campaign that distributes Formbook malware via weaponized Rich Text Format (RTF) files. Emails in this campaign come from someone who appears to be interested in purchasing goods that the recipient might be selling.
Infoblox has reported on Formbook campaigns several times in the past.1,2,3,4 These campaigns usually rely on financial themes, Coronavirus-related messaging (during the past year), and other current topics to lure victims into opening malicious file attachments.
Formbook is a well-known infostealer and form-grabber malware, and it is sold as malware-as-a-service5 (MaaS) in underground forums. It can communicate with command and control (C&C) servers, and it has evasion capabilities, such as process hollowing, webform hijacking, keylogging, and clipboard monitoring.
In this campaign, the sender claims to be interested in various products and asks the target to check a list in an attached file. It is an RTF file that exploits CVE-2017-11882 to download and execute Formbook malware.6
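For defenders triaging this kind of attachment, the following Python script is an added example (not Infoblox's code or part of the original report). It scans an RTF file for the indicators that typically accompany an embedded OLE object abused in this way: the \object and \objupdate control words, an \objclass naming Equation Editor (CVE-2017-11882 is a memory-corruption bug in Microsoft Office's Equation Editor component; the page itself only cites the CVE), and a hex-encoded \objdata destination that decodes to an OLE compound file. The two RTF samples are constructed for the example; the \objdata stub is a truncated, non-functional header and not an exploit object.

```python
import re
from typing import Dict, List

# Constructed sample attachments (not taken from the campaign).
# The first mimics a document carrying an embedded, auto-updating OLE object
# whose class and data both name Equation Editor; the second is benign.
SUSPICIOUS_RTF = rb"""{\rtf1\ansi
{\object\objemb\objupdate{\*\objclass Equation.3}
{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000d0cf11e0a1b11ae1}}
\par Please see attached list.}"""

BENIGN_RTF = rb"""{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}
\f0\fs24 Quarterly figures attached.\par}"""

# Magic bytes of an OLE2 compound file (what a real embedded object contains).
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def extract_objdata(rtf: bytes) -> List[bytes]:
    """Decode every \\*\\objdata destination. RTF stores the object as hex text,
    so non-hex characters (whitespace, line breaks) are stripped before decoding.
    The regex stops at the first '}', which suits flat destinations like the
    constructed samples; nested groups inside \\objdata would need a real parser."""
    payloads = []
    for m in re.finditer(rb"\\\*\\objdata\b(.*?)}", rtf, re.DOTALL):
        hexdata = re.sub(rb"[^0-9a-fA-F]", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        payloads.append(bytes.fromhex(hexdata.decode("ascii")))
    return payloads


def triage_rtf(rtf: bytes) -> Dict[str, object]:
    """Return a verdict and the list of indicators found in one RTF document."""
    findings: List[str] = []
    lower = rtf.lower()

    # \object introduces an embedded OLE object; \objupdate makes Word load it
    # as soon as the document is opened, which is why weaponized files use it.
    if re.search(rb"\\object\b", lower):
        findings.append("embedded OLE object (\\object)")
    if re.search(rb"\\objupdate\b", lower):
        findings.append("\\objupdate forces the object to load on open")

    # The declared object class: Equation Editor has no business in a price list.
    for m in re.finditer(rb"\\\*\\objclass\s+([^}\\]+)", rtf):
        cls = m.group(1).strip().decode("ascii", "replace")
        if "equation" in cls.lower():
            findings.append(f"objclass names Equation Editor: {cls}")

    # The decoded object payload itself.
    for i, blob in enumerate(extract_objdata(rtf)):
        if OLE_MAGIC in blob:
            findings.append(f"objdata #{i} contains an OLE compound file")
        if b"equation" in blob.lower():
            findings.append(f"objdata #{i} references Equation Editor")

    return {"verdict": "suspicious" if findings else "clean", "findings": findings}


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        result = triage_rtf(sample)
        print(f"{name}: {result['verdict']}")
        for f in result["findings"]:
            print("  -", f)
```

A hit on any one indicator is a reason to detonate the file in a sandbox or block it at the mail gateway; the combination of \objupdate with an Equation Editor class is the pattern worth alerting on outright, since legitimate documents almost never auto-load that component.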
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–91
2. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–67
3. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–58
4. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–117
5. https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/selling-formbook/
6. https://nvd.nist.gov/vuln/detail/CVE-2017-11882