  • FormBook Abuses New Zero-Day Vulnerability in Office 365

    aum


    A new campaign has been discovered delivering an updated version of the FormBook malware. The variant, reported by both Microsoft and Trend Micro, exploits a recently disclosed zero-day vulnerability that is triggered through malicious Office documents.

     

    The new version of FormBook


    FormBook has long been known for exploiting CVE-2017-0199, but recent builds of the malware have been updated to abuse the newer zero-day CVE-2021-40444, an MSHTML flaw that is triggered through a crafted Office document.

     

    • The original CVE-2021-40444 exploit, which was used to deploy Cobalt Strike beacons, has been rewritten by FormBook's developers on top of that initial codebase.
    • In the ongoing campaign, FormBook uses a different 'Target' format inside document[.]xml[.]rels. The new format relies on how the Target attribute is interpreted and is meant to evade signature-based detection.
    • The vulnerability is still triggered when the URL in Target is obscured with directory-traversal segments and empty path elements. After exploitation, the network capture shows Word requesting the next stage from the attacker's server.
    • FormBook's developers have also added an extra obfuscation layer to the exploit code, including two calls to an anti-debugging function intended to hinder reverse engineering.
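
    As an added example (not code from the original article, nor Microsoft's or Trend Micro's tooling), the following Python scanner unpacks a .docx, reads every .rels part and flags external relationships whose Target is disguised with traversal or empty path segments, resolving the URL the server would actually receive. The sample document it builds is constructed; the relationship IDs, the hostname and the handling of an `mhtml:` scheme wrapper are assumptions for illustration, not details taken from the article.

```python
"""Flag disguised external Targets in a .docx's relationship parts.
Example code added to this article; not the original author's, Microsoft's
or Trend Micro's tooling. The sample document below is constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlsplit

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")


def unwrap_scheme(target: str):
    """Strip 'mhtml:' wrappers (an assumed obfuscation pattern, not something
    the article states). Returns (inner_url, was_wrapped)."""
    t = target.strip()
    wrapped = False
    while t.lower().startswith("mhtml:"):
        t = t[len("mhtml:"):]
        wrapped = True
    return t, wrapped


def odd_segments(url: str):
    """Return the '.', '..' and empty segments between the first and last path
    segment; they carry no routing information and only disguise the URL."""
    segs = urlsplit(url).path.split("/")
    inner = segs[1:-1] if len(segs) > 2 else []
    return [s for s in inner if s in ("", ".", "..")]


def normalize_target(target: str) -> str:
    """Resolve the Target to the URL the remote server actually receives."""
    url, _ = unwrap_scheme(target)
    parts = urlsplit(url)
    if not parts.scheme:
        return url
    stack = []
    for seg in parts.path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    return f"{parts.scheme}://{parts.netloc}/" + "/".join(stack)


@dataclass
class Finding:
    rel_id: str
    raw_target: str
    normalized: str
    reasons: list = field(default_factory=list)


def scan_rels_xml(xml_bytes: bytes):
    """Inspect every Relationship element in one .rels part."""
    findings = []
    for rel in ET.fromstring(xml_bytes).iter(REL_NS + "Relationship"):
        if rel.get("TargetMode", "Internal") != "External":
            continue  # internal parts cannot reach the network
        raw = rel.get("Target", "")
        url, wrapped = unwrap_scheme(raw)
        reasons = []
        if rel.get("Type") == OLE_REL_TYPE:
            reasons.append("external oleObject")
        if wrapped:
            reasons.append("mhtml wrapper")
        if odd_segments(url):
            reasons.append("traversal or empty path segments")
        if reasons:
            findings.append(Finding(rel.get("Id", ""), raw,
                                    normalize_target(raw), reasons))
    return findings


def scan_docx(docx_bytes: bytes):
    """Walk every *.rels part inside the OOXML zip container."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                findings.extend(scan_rels_xml(z.read(name)))
    return findings


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: a benign hyperlink plus one external
    oleObject whose Target hides the real URL behind '..' and '//'."""
    rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.org/docs" TargetMode="External"/>
  <Relationship Id="rId7" Type="{OLE_REL_TYPE}" Target="mhtml:http://example.invalid/word/../../stage//one.html" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_docx(build_sample_docx()):
        print(f.rel_id, f.raw_target, "->", f.normalized, f.reasons)
```

    Comparing `raw_target` with `normalized` is the point: a signature written against the literal Target string misses a sample whose author inserts `../` or `//`, while a rule written against the resolved URL and the relationship type does not.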

     

    The attack chain 


    The campaign's initial vector is an email carrying a malicious Word document attachment. Two layers of PowerShell scripts then deploy the FormBook payload.

     

    • The first PowerShell stage downloads the second, which is hosted on Discord as an attachment, most likely to slip past network protections that trust the Discord CDN.
    • The second stage is fetched from Discord through an obfuscated URL and arrives as a Base64-encoded PowerShell script.
    • The final payload is the same FormBook build seen in earlier campaigns, identified as FormBook version 4.1.

     

    Conclusion


    Zero-day flaws are popular among threat actors, and their abuse usually has severe consequences. Experts therefore recommend a disciplined patch management program and reliable anti-malware tooling. Because this variant's changes to document[.]xml[.]rels are aimed at defeating signature-based detection, the patch matters more than the signature: Microsoft released a fix for CVE-2021-40444 in its September 2021 security updates.

     
