Delaware, USA – April 12, 2018 – Researchers from Menlo Security have discovered a campaign directed against the information services and financial sectors in the US and the Middle East. The attackers spread the FormBook infostealer via malicious Microsoft Word documents. Researchers believe that the adversaries behind the campaign are experienced, since their malware delivery method allows them to bypass antivirus solutions and sandboxes. FormBook itself is not very sophisticated, but it does its job well, and any hacker group can acquire it on Darknet forums. Last fall, several groups "rented" this malware for campaigns against the defense and aerospace industries; researchers failed to link those campaigns to known hacker groups. It is likewise impossible to attribute the current campaign to a specific threat actor, but the delivery method is similar to the one used by the Cobalt hacker group.
The attackers do not use macros to deliver FormBook. Instead, the documents contain framesets: when the document is opened, Word follows the frameset's external reference and sends an HTTP request to the attackers' command-and-control server, which serves a malicious RTF file. That RTF exploits CVE-2017-8570, a Microsoft Office vulnerability patched in July 2017, to save and execute a next-stage downloader, which in turn retrieves and installs FormBook. Because the initial document carries no macro and no exploit of its own, it passes many static checks, and the malicious content is only fetched when the document is opened on a connected machine.
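The frameset technique described above leaves a static footprint in the .docx itself: a frameset declared in word/webSettings.xml whose frame source is a relationship with TargetMode="External" pointing at a remote URL. The following scanner, added here as an example rather than code from Menlo Security or the original article, inspects a .docx for exactly that combination. The sample documents it builds are constructed in memory, the relationship type string follows the OOXML "frame" relationship convention, and the URL is a placeholder; none of these are indicators from the real campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by the package relationships and WordprocessingML parts.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_external_targets(docx_bytes):
    """Return (rels_part, target) for every relationship with TargetMode="External".

    Internal relationships point at parts inside the zip; external ones are
    followed by Word at open time, which is how the frameset loader fetches
    its remote RTF.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    findings.append((name, rel.get("Target", "")))
    return findings


def has_frameset(docx_bytes):
    """True if word/webSettings.xml declares a <w:frameset> element."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/webSettings.xml" not in z.namelist():
            return False
        root = ET.fromstring(z.read("word/webSettings.xml"))
        return any(el.tag == f"{{{WORD_NS}}}frameset" for el in root.iter())


def assess(docx_bytes):
    """Combine both checks: a frameset plus a remote external target is the
    pattern to alert on; either alone is weaker evidence."""
    externals = find_external_targets(docx_bytes)
    remote = [t for _, t in externals
              if t.lower().startswith(("http://", "https://", "\\\\"))]
    frameset = has_frameset(docx_bytes)
    return {
        "frameset": frameset,
        "external_targets": externals,
        "suspicious": frameset and bool(remote),
    }


def build_sample_docx(remote_url=None):
    """Constructed minimal .docx for testing (not a real malicious sample).

    With remote_url set, it mimics the loader layout: webSettings.xml holds a
    frameset whose frame source is an external relationship to remote_url.
    Without it, the package only contains an ordinary internal relationship.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{WORD_NS}"><w:body/></w:document>')
        z.writestr("_rels/.rels",
                   f'<Relationships xmlns="{RELS_NS}">'
                   f'<Relationship Id="rId1" Type="{R_NS}/officeDocument" '
                   f'Target="word/document.xml"/></Relationships>')
        if remote_url:
            z.writestr("word/webSettings.xml",
                       f'<w:webSettings xmlns:w="{WORD_NS}" xmlns:r="{R_NS}">'
                       f'<w:frameset><w:frameset><w:frame>'
                       f'<w:sourceFileName r:id="rId1"/>'
                       f'</w:frame></w:frameset></w:frameset></w:webSettings>')
            z.writestr("word/_rels/webSettings.xml.rels",
                       f'<Relationships xmlns="{RELS_NS}">'
                       f'<Relationship Id="rId1" Type="{R_NS}/frame" '
                       f'Target="{remote_url}" TargetMode="External"/>'
                       f'</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; nothing is fetched, the document is only parsed.
    for label, doc in (("benign", build_sample_docx()),
                       ("frameset loader",
                        build_sample_docx("http://example.invalid/loader"))):
        print(label, assess(doc))
```

To use it on a real file, read the bytes from disk and pass them to assess(). Mail gateways and sandboxes can apply the same two checks statically, before the document is ever opened, which is where a network-fetch-at-open technique is most reliably caught.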
To protect against this attack, make sure that your organization has the latest Microsoft Office updates installed; the exploit only succeeds on systems missing the July 2017 fix for CVE-2017-8570. Because the first-stage document is clean by itself, also watch for Word spawning outbound HTTP connections or child processes shortly after a document is opened. For timely detection of such multi-stage attacks before the attackers inflict serious damage, you can use your SIEM together with the APT Framework, which leverages the Cyber Kill Chain methodology to uncover advanced threats.