Recently, the Malwarebytes Threat Intelligence Team found a Formbook campaigntargeting oil and gas companies. The campaign they discovered was delivered by a targeted email that contained two attachments, one is a pdf file and the other an Excel document.
Formbook
The Formbook malware is an information stealer that is in use by many threat actors. Formbook has been around since 2016 and is readily available on dark webmarket places.
The email
The email pretends to be from Saudi Aramco, a Saudi Arabian public petroleum and natural gas company, and one of the largest companies in the world by revenue. The email asks the receiver to provide an offer for refinery renovations that requires a swift response.
It read:
Dear Sir,Warm Greetings From Saudi Aramco.We request you to furnish your best, complete, exclusive and competitive techno-commercial offer to our esteemed company for the supply of below mentioned item(s) on or before 10-March-2022.Your offer should conform to all the specifications (FIT, FORM and FUNCTION) mentioned in our requisition including the following information:1. Manufacturer's Name and Country of Origin.2. Latest Delivery Date and Shipment Terms.3. Estimated Weight / Volume or Dimensions of the quoted item(s) / Final Package.4. Cost of attestation of documents from chamber of commerce shall be borne by the Supplier.5. Warranty Period.6. Product Specifications / Data Sheet, Drawings, and Catalog (if available)7. Payment Terms8. Partial Order acceptable or not acceptable.9. Offer Validity: 90 Days. END USER: SEC (Saudi Arabian Oil Company)End Destination : Saudi Arabia If you need any more information, please don't hesitate to contact us. Please acknowledge the email along with the attachment (download below) and confirm your willingness to quoteBest regards,
The attachments
The attached pdf file contained an embedded Excel object. The embedded object downloaded a remote template that exploits CVE-2017-11882to download and execute the FormBook malware. This vulnerability exists in Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 and allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory. If the current user is logged on with administrative user rights, this means an attacker could take control of the affected system.
The attached Excel document has the same functionality as the embedded excel object in the pdf file.
IoCs for this campaign
Attachments
c421a4309d8fe9fa9bdfe1bde69ccce3
f260e184fb067d3b646af3574e901c05
da4fcf9512dbdf5fa8a6dc88a646100e
7f5da76f29cf8238ed1f944b1d0e587a
bb65278dd77988f8a7bad219b524384c
C2s
czuj.info
vzddc.com
habitatsaludable.website
modhotels.store
maxxflush.com
Malwarebytes
Malwarebytes users were protected against this campaign, because the Malwarebytes Anti-Exploit module blocked the execution of the malware.
Stay safe, everyone!
