A new malware campaign has been discovered using a new version of the Formbook malware. The recent variant exploits a recently discovered zero-day vulnerability in Office 365, CVE-2021-40444.
Formbook developers have re-written their original exploit and used the initial codebase to deploy Cobalt Strike beacons. The new exploit uses a different ‘Target’ format inside document[.]xml[.]rels; this format is intended to bypass detections through the use of Target options.
The vulnerability can be exploited even when the URL is jumbled with directory traversal paths and empty options in the Target value. After exploitation, Word sends a request to the server, as seen in the network capture.
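A defender-side check for the relationships file described above, added here as an example (not code from the campaign or from any vendor report): it opens a .docx, reads word/_rels/document.xml.rels, flags every external OLE-object relationship, and normalizes the Target so that traversal segments and empty path segments cannot hide the real destination. The document, relationship IDs and hostnames below are constructed for the example.

```python
"""Flag external OLE relationships in word/_rels/document.xml.rels."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_PATH = "word/_rels/document.xml.rels"
NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

def normalize_target(target: str) -> str:
    """Collapse '.', '..' and empty path segments so a jumbled Target
    compares equal to its plain form (scheme and host are kept as-is)."""
    m = re.match(r"^([a-z][a-z0-9+.-]*://[^/]*)(.*)$", target, re.I)
    head, path = (m.group(1), m.group(2)) if m else ("", target)
    parts = []
    for seg in path.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return head + ("/" + "/".join(parts) if parts else "")

def scan_rels(rels_xml: str) -> list:
    """Return (Id, Target, reasons) for every external OLE relationship."""
    findings = []
    for rel in ET.fromstring(rels_xml).iter(NS + "Relationship"):
        if rel.get("Type") != OLE_TYPE or rel.get("TargetMode") != "External":
            continue  # internal parts and plain hyperlinks are normal in a .docx
        target = rel.get("Target", "")
        reasons = ["external OLE object"]  # rare in legitimate documents
        if normalize_target(target) != target:
            reasons.append("traversal or empty segments in Target")
        findings.append((rel.get("Id"), target, reasons))
    return findings

def scan_docx(data: bytes) -> list:
    """Scan the relationships part of an in-memory .docx (a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if RELS_PATH not in z.namelist():
            return []
        return scan_rels(z.read(RELS_PATH).decode("utf-8"))

# Constructed sample: one ordinary hyperlink plus one external OLE object
# whose Target is jumbled with '..' and empty segments (hostname is fictitious).
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{NS[1:-1]}">
 <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>
 <Relationship Id="rId2" Type="{OLE_TYPE}" Target="http://example.invalid//../a/..//b/x.html" TargetMode="External"/>
</Relationships>"""

def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(RELS_PATH, SAMPLE_RELS)
    return buf.getvalue()
```

Run `scan_docx` over a real document's bytes; the sample above yields one finding for rId2 with both reasons, while the hyperlink is ignored.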
An additional obfuscation layer has been added to the exploit code, including two calls to an anti-debugging function intended to hinder reverse engineering.
The campaign uses an email carrying a malicious Word document attachment as the initial attack vector. Two layers of PowerShell scripts are used to deploy the FormBook malware.
The first-stage script downloads the second stage, which is hosted on Discord as an attachment, possibly to bypass network protections; this downloaded attachment is the second PowerShell layer. The final FormBook payload deployed in the recent campaign is similar to that used in earlier campaigns and is identified as FormBook version 4.1.
Zero-day flaws are already popular among threat actors, and abusing them usually has severe consequences. Experts recommend following a proper patch management program and using reliable anti-malware solutions.