CyberSecurity SEE

Formbook Malware Campaign Employs Various Obfuscation Techniques

Emerging Phishing Campaigns Target Organizations with Stealthy Techniques to Deliver Formbook Malware

Two distinct phishing campaigns have recently been identified, each using its own stealthy infection technique to compromise Microsoft Windows systems. The two campaigns target organizations across a range of industries, and both have the same end goal: deploying Formbook, a well-known infostealer that has been sold through malware-as-a-service schemes since it first appeared in 2016.

Formbook is built to harvest sensitive data, including login credentials, browser data, and screenshots. What makes it particularly concerning is its evasion tooling, designed to slip past traditional security controls. A decade after its introduction, Formbook remains a significant threat to many sectors and shows no sign of waning.

Researchers at WatchGuard have documented at least two new campaigns distributing Formbook. A blog post published on April 20 reports that the campaigns have targeted businesses in several countries, notably Greece, Spain, Slovenia, Bosnia, Croatia, and a number of South American nations. The phishing emails are disguised as routine business correspondence, which makes them harder for recipients to spot.

According to WatchGuard, "What makes these campaigns especially noteworthy is not just the malware itself, but the diversity of methods used to evade detection and abuse legitimate software and trusted system processes." The observation reflects the growing sophistication of the threats organizations face today.

Methodologies: DLL Sideloading and Obfuscated JavaScript

Both Formbook campaigns commence with phishing emails, yet they employ markedly different strategies to conceal and deliver the malicious payload. The first technique involves dynamic-link library (DLL) sideloading, while the second relies on obfuscated JavaScript.

In the first campaign, the phishing email carries a compressed RAR archive containing four components: three dynamic-link libraries (DLLs) and one Windows executable (.EXE). With DLL sideloading, the attackers trick a legitimate application into loading a malicious DLL in place of the one it expects. The malicious code then runs inside a trusted process, which helps it stay below the radar of the system's security controls.

The second campaign takes a different route to deliver its malware. Like the first, it starts with a phishing email, but here the malicious payload is hidden in JavaScript and PDF files. The JavaScript is heavily obfuscated, specifically to defeat detection mechanisms.

When run, the JavaScript drops two image files that carry PowerShell commands hidden in obfuscated strings. Those commands launch a Windows executable that starts a custom malware loader. The loader itself adds to the concern: it has previously been used to distribute other well-known families, including Remcos RAT, XWorm, AsyncRAT, and SmokeLoader.

The Call for Proactive Measures

In light of these developments, WatchGuard's researchers urge organizations to stay vigilant. They stress the importance of monitoring for suspicious archive-based email attachments, anomalous DLL loading behavior, and PowerShell executions spawned from attachments a user opened. Organizations should also watch for signs of manual DLL mapping or direct syscall activity in memory.
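As an added example, not code from the WatchGuard report or from this article, the following toy detection implements two of the recommendations above over constructed Sysmon-like events: a script host spawning PowerShell with an encoded command (the JavaScript chain) and an EXE loading a DLL from the same user-writable directory (the RAR sideloading chain). The field names, file paths and the process names in SCRIPT_HOSTS are assumptions for illustration.

```python
"""Toy detection for the two Formbook delivery chains described above, run over
constructed Sysmon-like events (not telemetry from the WatchGuard report)."""
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # assumed script hosts
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata\\local\\temp|downloads)\\", re.I)
ENCODED_FLAG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Decode PowerShell's -EncodedCommand value (base64 of UTF-16LE text); None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Return one alert per event matching a rule; both rules key on user-initiated attachment paths."""
    alerts = []
    for ev in events:
        if (ev["type"] == "process" and basename(ev["parent"]) in SCRIPT_HOSTS
                and basename(ev["image"]) == "powershell.exe"):
            alerts.append({"rule": "script_host_spawned_powershell",
                           "decoded": decode_encoded_command(ev["cmdline"])})
        elif (ev["type"] == "imageload" and ev["loaded"].lower().endswith(".dll")
                and USER_WRITABLE.match(ev["image"]) and USER_WRITABLE.match(ev["loaded"])):
            alerts.append({"rule": "dll_loaded_from_user_dir", "dll": basename(ev["loaded"])})
    return alerts


# Constructed sample events: one benign and one suspicious instance of each chain.
TEMP = r"C:\Users\ana\AppData\Local\Temp"
ENCODED = base64.b64encode(f"Start-Process {TEMP}\\stage.exe".encode("utf-16-le")).decode()
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "cmdline": f'wscript.exe "{TEMP}\\invoice.js"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmdline": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED}"},
    {"type": "imageload", "image": r"C:\Program Files\Viewer\viewer.exe", "loaded": r"C:\Windows\System32\support.dll"},
    {"type": "imageload", "image": f"{TEMP}\\order\\viewer.exe", "loaded": f"{TEMP}\\order\\support.dll"},
]

if __name__ == "__main__":
    print(detect(EVENTS))
```

Only the two events that fit the attack chain are flagged; the benign Outlook-to-wscript launch and the System32 DLL load pass through, which is the correlation point the report makes.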

"By correlating these behaviors across the attack chain, organizations can enhance their capability to detect and prevent FormBook infections before sensitive data is compromised," the firm remarked. Correlating the individual signals, rather than alerting on each in isolation, is what turns them into a reliable detection.

The emergence of these campaigns underscores the need for robust security controls and regularly refreshed employee training. As attackers refine their techniques, organizations must adapt in step, adopting behavior-based detection and fostering a culture of security awareness.

In conclusion, Formbook's persistence as a serious threat, combined with the tactics seen in these recent phishing campaigns, highlights the pressing need for organizations to strengthen their defenses. By monitoring for the suspicious behaviors described here, companies can reduce their risk and better protect sensitive information.
