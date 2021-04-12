
Deep Analysis: New FormBook Variant Delivered in Phishing Campaign – Part I

04/12/2021 | 05:51pm EDT

FortiGuard Labs Threat Research Report

Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Collect Sensitive Information from Victim's Device.
Severity level: Critical

FortiGuard Labs captured a phishing campaign that delivers a new variant of the FormBook malware through a Microsoft PowerPoint document attached to the email. FormBook is a well-known commercial malware family, so called because it has been sold as a service on hacking forums since 2016. It is designed to steal personal information from victims' devices and to control those devices through commands issued by a C2 server. Over its five-plus years in the wild, FormBook has harvested victim input with a keylogger and a form grabber, and has collected stored data from applications such as web browsers, instant-messaging clients, email clients, and FTP clients.

I recently conducted in-depth research on this latest campaign, starting with the phishing email and the attached PowerPoint document that delivers the malware. This is the first part of that analysis. In it, I will present my findings, including how the malicious VBA code in the PowerPoint file is executed; how the PowerPoint file downloads the FormBook payload; and how the FormBook main module is finally extracted from a .NET module. In Part II, I will look at what FormBook does once loaded, and in particular at the new functions and features in this variant.

Phishing Email and PowerPoint Document

The phishing email used to deliver FormBook is made to look like a reply to a purchase-order request; the message is entirely fabricated. Figure 1.1 shows the email content. It is designed to lure the victim into opening the attached PowerPoint file to view the details of 'brochures and prices' in a video.
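As an added triage example (not code from the FortiGuard report, and not the malware's own code), the script below shows the check a mail-gateway or incident responder would want for the attachment type described above: extract each attachment from a raw email and flag PowerPoint files that embed a VBA project. It uses only the Python standard library. The sample message and its two attachments are constructed inline; the PowerPoint file extensions, the OLE2 magic bytes and the ppt/vbaProject.bin path are standard Office conventions, and the attachment names are made up for the example.

```python
"""Triage helper: flag PowerPoint attachments in an email that carry VBA macros.

Added example, not FortiGuard's code. Standard library only. The sample message
below is constructed for illustration; each attachment is a minimal OOXML-style
zip, and ppt/vbaProject.bin is where PowerPoint stores the VBA project in a
macro-enabled presentation.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# PowerPoint presentation/slide-show extensions: legacy binary (.ppt/.pps),
# macro-free OOXML (.pptx/.ppsx) and macro-enabled OOXML (.pptm/.ppsm).
POWERPOINT_EXTENSIONS = (".ppt", ".pps", ".pptx", ".ppsx", ".pptm", ".ppsm")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header


def attachment_verdict(filename: str, data: bytes) -> str:
    """Classify one attachment.

    'vba'        OOXML PowerPoint package that embeds a VBA project
    'clean'      OOXML PowerPoint package without one
    'ole-review' legacy binary .ppt/.pps; VBA is stored in OLE streams, so a
                 dedicated parser (e.g. oletools) is needed, flag for review
    'malformed'  PowerPoint extension but neither OLE2 nor a zip
    'skip'       not a PowerPoint file at all
    """
    name = filename.lower()
    if not name.endswith(POWERPOINT_EXTENSIONS):
        return "skip"
    if data.startswith(OLE_MAGIC):
        return "ole-review"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "malformed"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    # Decide on the package contents, not the extension, so a macro-enabled
    # file renamed to .pptx is still caught.
    if any(n.lower() == "ppt/vbaproject.bin" for n in names):
        return "vba"
    return "clean"


def triage_email(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, verdict) for every attachment in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        results.append((filename, attachment_verdict(filename, payload)))
    return results


def build_fake_pptm(with_vba: bool) -> bytes:
    """Constructed test data: a minimal zip shaped like an OOXML PowerPoint package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<presentation/>")
        if with_vba:
            zf.writestr("ppt/vbaProject.bin", b"\x00" * 64)  # placeholder, not real VBA
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed purchase-order lure with one macro-enabled and one plain attachment."""
    msg = EmailMessage()
    msg["From"] = "sales@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "RE: Purchase Order"
    msg.set_content("Please see the attached brochures and prices.")
    msg.add_attachment(build_fake_pptm(True), maintype="application",
                       subtype="vnd.ms-powerpoint.presentation.macroEnabled.12",
                       filename="Brochure.pptm")
    msg.add_attachment(build_fake_pptm(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.presentationml.presentation",
                       filename="PriceList.pptx")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in triage_email(build_sample_email()):
        print(f"{name}: {verdict}")
```

The verdict is based on the package contents rather than the extension, because an OOXML file keeps its VBA project in ppt/vbaProject.bin whatever it is named; the legacy binary format is deliberately only flagged for review, since its macro storage needs an OLE stream parser rather than a zip listing.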

