Threat Management, Malware, Security Strategy, Plan, Budget

Remotely hosted objects used to spread Formbook malware

Cybercriminals are once again abusing trusted applications, such as Microsoft Office, to launch multi-stage attacks inside malicious documents to deliver Formbook malware.

The malware enables keylogging, screenshot grabbing, the ability to download malware and to exfiltrate data, according to the Menlo Security Analysis of a Multi-stage Document Attack report.

Malicious attachments are sent via email and attackers use remotely-hosted malicious objects and researchers noted the absence of active code or shellcode in the first stage malicious document and that the attack relies on a remotely-hosted malicious object.

The lack of these elements enable the malware to bypass detection-based security devices as many of them rely on the presence of malicious code in order to detect potential threats, researchers said. Instead, the attack contains a malicious link which often won't be flagged, researchers said adding that technique combines known design behaviors in .docx and RTF, in with CVE-2017-8570, to drop and start the malicious executable on the endpoint.

The malware also leverages multiple tools, along with known design behaviors, exploits, and procedures to infect victims.

“If a victim opens the malicious first stage document, Microsoft Word makes an HTTP request to download the object pointed to by the URL and render it within the document,” researchers said in the report. “In the specific sample that Menlo Security Labs analyzed, the embedded URL was a shortened URL that redirects to another URL pointing to a malicious RTF file.”

The second stage of the attack is an RTF document that takes advantage of the design behaviors that occur in RTF documents, and uses dropped executable in the %TEMP% directory to accomplish half of the attack.

Overall, the methods expose large attack surfaces due to the various functionalities and capabilities that Microsoft Office supports. Researchers suspect an uptick in malicious objects, in which the malicious components are remotely hosted that to help in evading sandboxes and other detection methods.  

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.