Trend Micro detected a new campaign using a recent version of the known FormBook malware, an infostealer that has been around since 2016. Several analyses of FormBook have been published in the last few years, including coverage of its expanded support for macOS. FormBook is known for highly obfuscated payloads and the exploitation of document CVEs. Until recently, FormBook mostly exploited CVE-2017-0199, but newer FormBook variants use the recent Office 365 zero-day vulnerability, CVE-2021-40444.

Exploit description

FormBook authors rewrote parts of the original exploit, taking as their initial codebase the one that we and Microsoft observed deploying Cobalt Strike beacons. The exploited vulnerability is CVE-2021-40444. However, since the vulnerability itself has already been analyzed, here we focus on the unique changes made by FormBook.

FormBook utilizes a different "Target" format inside "document.xml.rels." Figure 1 shows the new format on the right side. This is possible because the options "mhtml" and "!x-usc" are not required to exploit the vulnerability. The new format is intended to bypass detections using the mentioned "Target" options as indicators of exploitation.

Figure 1. The "Target" URL format: The previous samples are on the left, while those used by FormBook are on the right.

Even when the URL is scrambled with directory traversal paths and empty options for Target (the consecutive "!:" are empty options), the vulnerability is still exploited and Word sends a request to the server, as the network capture shows. The selected packet in Figure 2 illustrates this.

Figure 2. Network capture of a FormBook document sample
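Because the "mhtml" and "!x-usc" markers are no longer needed, a detection that keys on them misses the reformatted Target. The following added example (written for this page, not code from Trend Micro or from the analyzed sample) instead flags any oleObject relationship in document.xml.rels whose TargetMode is External, and then reduces the Target to the plain URL Word ends up requesting by dropping empty "!:" options, stripping a leftover mhtml:/x-usc: wrapper, and collapsing "../" traversal. The sample relationship XML, the 203.0.113.10 host and the path are constructed for the demonstration; the relationship type URIs are the standard OOXML ones.

```python
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# OOXML relationship namespace and the relationship type that carries an OLE object.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE_SUFFIX = "/relationships/oleObject"


def normalize_target(target: str) -> str:
    """Undo the obfuscation layers described above: '!'-separated option
    segments (an empty option is written as '!:') and '/../' traversal noise.
    The 'mhtml:' / 'x-usc:' wrappers of the older samples are stripped too,
    so both URL styles reduce to the plain URL that Word actually requests."""
    segments = [s for s in target.split("!") if s and s != ":"]
    url = segments[-1] if segments else target
    url = re.sub(r"^(?:mhtml|x-usc):", "", url, flags=re.IGNORECASE)
    parts = urlsplit(url)
    # posixpath.normpath drops leading '..' on an absolute path, which is how a
    # web server resolves traversal above the document root as well.
    path = posixpath.normpath(parts.path) if parts.path else "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc, path, parts.query, ""))


def find_external_ole_relationships(rels_xml: str) -> list:
    """Return every oleObject relationship that points outside the package.
    The check keys on TargetMode and Type, not on 'mhtml' or '!x-usc' in
    Target, so the reformatted Target used by FormBook is still reported."""
    root = ET.fromstring(rels_xml)
    hits = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("TargetMode") != "External":
            continue
        if not rel.get("Type", "").endswith(OLE_TYPE_SUFFIX):
            continue
        raw = rel.get("Target", "")
        normalized = normalize_target(raw)
        hits.append({
            "id": rel.get("Id"),
            "raw_target": raw,
            "normalized_target": normalized,
            "host": urlsplit(normalized).hostname,
        })
    return hits


def scan_docx(path: str) -> list:
    """Open a .docx as the ZIP it is and scan word/_rels/document.xml.rels."""
    with zipfile.ZipFile(path) as zf:
        try:
            rels_xml = zf.read("word/_rels/document.xml.rels").decode("utf-8")
        except KeyError:
            return []
    return find_external_ole_relationships(rels_xml)


# Constructed sample (not taken from a real document): one ordinary internal
# image relationship plus one external oleObject relationship whose Target uses
# traversal segments and empty '!:' options instead of the mhtml/x-usc wrapper.
SAMPLE_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/>'
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
    'Target="http://203.0.113.10/a/../../b/../side.html!:!:!:" TargetMode="External"/>'
    '</Relationships>'
)

if __name__ == "__main__":
    for hit in find_external_ole_relationships(SAMPLE_RELS):
        print(f'{hit["id"]}: {hit["raw_target"]} -> {hit["normalized_target"]} (host {hit["host"]})')
```

On a real file, call scan_docx("suspect.docx"); an empty list means no external OLE relationship was present, which is the expected result for ordinary documents and makes the rule cheap to run at a mail gateway.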

One of the changes introduced to the exploit by FormBook was an obfuscation mechanism. Figure 3 shows an obfuscated section of the FormBook exploit.

Figure 3. FormBook exploit obfuscation

As previously mentioned, FormBook creators did some rewrites on the original exploit, which was based on the code disclosed by us and Microsoft. FormBook added two calls to a function implementing an anti-debugging behavior commonly used to protect JavaScript code from being reverse-engineered. Figure 4 displays the mentioned function.

Figure 4. FormBook exploit JavaScript anti-debugging

When the developer tools of a browser are open, executing the f() function opens a new virtual machine (VM) window that contains an anonymous function with a debugger statement. This shifts the focus from the source code window to the new VM window containing the anonymous function. Stepping through the JavaScript code repeatedly executes the anonymous function, so the debugger statement fires in a loop, which prevents the JavaScript code from being debugged.

Attack chain description

Based on our analysis, the campaign used an email with a malicious Word document attachment as the entry vector. In this attack, two layers of PowerShell scripts were used to deliver the known FormBook malware. This version of FormBook is the same as previous versions; however, some specific changes were introduced in the attack chain. The final FormBook malware delivered in this campaign matched the ones that were used in earlier campaigns and analyzed by other researchers. That sample also corresponds to FormBook version 4.1, which we found after decrypting the command-and-control (C&C) channel information. This can be seen in Figure 5.

Figure 5. FormBook decrypted beacon

For this specific campaign, the attack chain is depicted in Figure 6.

Figure 6. Simplified attack chain diagram

Figure 6 shows how FormBook implemented two PowerShell script stages. The first stage downloads the second one, which is stored as an attachment hosted on Discord. We have recently noticed an increase in the malicious use of files uploaded to this service, with the intent of bypassing network protection.

Figure 7 shows an example of the PowerShell script in the first stage:

Figure 7. PowerShell stage one

The example in Figure 7 downloads the next stage from Discord, with the URL itself obfuscated. The URL has the following format:

hxxps://cdn[.]discordapp[.]com/attachments/889336010087989260/889336402121199686/avatar.jpg

The attachment from Discord is the second PowerShell layer formatted in Base64. This layer contains all required samples to run the FormBook malware.
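A useful triage check for this stage is to compare what the URL claims with what the downloaded bytes are: the link names an avatar.jpg on the Discord CDN, but the body is Base64 text that decodes to PowerShell. The following added example (written for this page, not code from Trend Micro or from the campaign) does that comparison; the Discord channel and attachment ids, the stand-in script and the PowerShell keyword list are constructed and do not reproduce the real second stage.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Matches the attachment URL shape quoted above: two numeric ids and a filename.
DISCORD_ATTACHMENT_RE = re.compile(
    r"^/attachments/(?P<channel>\d+)/(?P<attachment>\d+)/(?P<name>[^/?#]+)$"
)
# Magic bytes of the image formats the extension could legitimately claim.
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png", b"GIF8": "gif"}
# Cheap PowerShell indicators: a variable assignment or a well-known cmdlet/API name.
PS_PATTERN = re.compile(
    r"\$\w+\s*=|\b(?:Invoke-\w+|Start-Process|FromBase64String|IEX|Write-Output)\b"
)


def decode_base64_text(body: bytes):
    """Return the decoded bytes if the whole body is valid Base64, else None."""
    compact = b"".join(body.split())
    if not compact:
        return None
    compact += b"=" * (-len(compact) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_powershell(data: bytes) -> bool:
    """Check both UTF-8 and UTF-16LE text, since PowerShell commonly uses either."""
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = data.decode(enc)
        except UnicodeDecodeError:
            continue
        if PS_PATTERN.search(text):
            return True
    return False


def detect_image_type(body: bytes):
    for magic, kind in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return kind
    return None


def classify_attachment(url: str, body: bytes) -> dict:
    """Compare what the URL claims (an image on the Discord CDN) with what the
    bytes are (a real image, or Base64 that decodes to a script)."""
    parts = urlsplit(url)
    match = DISCORD_ATTACHMENT_RE.match(parts.path)
    is_discord = parts.hostname == "cdn.discordapp.com" and match is not None
    name = match.group("name") if match else parts.path.rsplit("/", 1)[-1]
    claims_image = name.lower().endswith((".jpg", ".jpeg", ".png", ".gif"))
    decoded = decode_base64_text(body)
    is_script = decoded is not None and looks_like_powershell(decoded)
    if claims_image and is_script:
        verdict = "script_disguised_as_image"
    elif claims_image and detect_image_type(body) is None:
        verdict = "extension_content_mismatch"
    else:
        verdict = "consistent"
    return {
        "is_discord_attachment": is_discord,
        "filename": name,
        "verdict": verdict,
        "decoded_script": decoded if is_script else None,
    }


# Constructed sample: made-up ids, and a harmless script standing in for the
# Base64-encoded second stage that the real campaign hosted as avatar.jpg.
SAMPLE_URL = "https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/avatar.jpg"
SAMPLE_SCRIPT = b"$stage = 'constructed sample'; Write-Output $stage"
SAMPLE_BODY = base64.b64encode(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(classify_attachment(SAMPLE_URL, SAMPLE_BODY))
```

The same function applied to a proxy cache or sandbox download gives a quick split between genuine images and encoded stages; a "script_disguised_as_image" verdict on a cdn.discordapp.com attachment is the combination this campaign relied on.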

Figure 8 shows an example of the second PowerShell layer.

Figure 8. PowerShell stage two

As Figure 8 shows, the value of the variable "$decompressedByteArray" holds the ".NET" injector, and the value of the variable "$INICAYLA" holds the FormBook malware itself. In this campaign, the method of injecting the malware into the Calculator process differs from previous analyses, but only because obfuscation was applied over the ".NET" injector.

The samples of the FormBook malware we obtained are identical to previous incidents, so we do not discuss them here.

Conclusions

Over the last couple of years, we have seen an increase in the use of public services to host malware. Nowadays, there are infinite ways to establish a malware infrastructure simply by using public services. There are multiple benefits for the attackers when using public services:

  • Extra service rentals and maintenance are not required.
  • The URLs look like normal URLs to any scanning device or software.
  • In some cases, it is possible to generate practically "random" URLs.
  • There is encrypted traffic (HTTPS) by default.
  • Resources (such as samples and files) gain the service's own access protections automatically.

At the same time, we have seen an increase in the quality of tools for automatically generating obfuscated samples, which are now built into various available malware-as-a-service (MaaS) offerings.

The combination of these two factors makes attackers very resilient to detection during the first days of delivery when they reuse recently disclosed zero-day vulnerabilities, as in this case. This incident also highlights the importance of patching zero-day vulnerabilities urgently. Notably, Microsoft already released a fix for this vulnerability as part of the September 2021 Patch Tuesday cycle.

For increased protection, Trend Micro Vision One™ spots suspicious behaviors that might seem insignificant when observed from only a single layer. Meanwhile, Trend Micro Apex One™ protects endpoint devices through automated threat detection and response against ransomware, fileless threats, and other advanced concerns.

Indicators of Compromise

Filename/Description | Hash | Trend Micro Detection Name
Exploit Html | bb1e9ce455898d6b4d31b2219ff4a5ca9908f7ea0d8046acf846bf839bce1e56 | Trojan.HTML.CVE202140444.B
payload.cab | a20abef4eecea05b3f3ab64e9f448159e683cf82f1e87a37372c1cacb976052c | Trojan.Win32.CVE202140444.B
avatar.ps1 | 6f11be4822381543eb9dd99a9354575c96a50a5720ee38ee1c1b2ad323a03f04 | Trojan.PS1.POWLOAD.TIAOELH
payload_TNICAYLA.exe_ | f7c5f885f712adb553ee0de0d935869cc9c5627c01b15a614d748acb72b11c74 | Trojan.Win32.FORMBOOK.PUSXYV
injector_ncrypt_decompressedByteArray.exe_ | eab5dc8f37459f2f329afa63b1f8e8569ad229dc88497ab86e7c6a91be4d9264 |


Disclaimer

Trend Micro Inc. published this content on 29 September 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 29 September 2021 12:31:09 UTC.