FormBook exploits a newly found zero-day vulnerability in Office 365


Image Courtesy: Bleeping Computer

A new malware campaign has just been identified that employs a new variant of the FormBook virus. The most current variation, found by both Microsoft and Trend Micro, takes use of a newly disclosed zero-day vulnerability in Office 365.

FormBook has long been known for exploiting the CVE-2017-0199 weakness, but newer versions of the malware have been modified to take use of a recent Office 365 zero-day vulnerability (CVE-2021-40444).

  • FormBook developers rewrote their original hack and deployed Cobalt Strike beacons using the original codebase.
  • FormBook utilises a distinct ‘Target’ format inside the document[.]xml[.]rels in the ongoing effort. With the usage of Target settings, this new format is intended to avoid detections.
  • Even if the URL is mixed up with directory traversal routes and empty Target parameters, the vulnerability may be exploited. Furthermore, as part of the network capture, Word makes a request to the server following exploitation.
  • To give extra security, FormBook developers have included an additional obfuscation method for the exploit code. It has introduced two anti-debugging calls to a function to avoid reverse engineering.

As an initial attack vector, the campaign employs an email containing a malicious Word document attachment. Moreover, The FormBook virus is deployed via two levels of PowerShell scripts.

The first step downloads the second, which is saved as a Discord attachment. This might be done to circumvent network security. The following stage is obtained from Discord (using an obfuscated URL). This is the second PowerShell layer that you have downloaded (formatted in Base64).The final version utilised in the latest campaign is identical to that used in previous campaigns. FormBook version 4.1 is the identified version.

Zero-day vulnerabilities are already popular with threat actors, and exploiting them can have serious repercussions. As a result, experts advise adopting a trustworthy anti-malware solution and adhering to a good patch management procedure.