Recently, the Malwarebytes Threat Intelligence Team found a Formbook campaign targeting oil and gas companies. The campaign they discovered was delivered by a targeted email that contained two attachments, one is a pdf file and the other an Excel document.
The Formbook malware is an information stealer that is in use by many threat actors. Formbook has been around since 2016 and is readily available on dark web market places.
The email pretends to be from Saudi Aramco, a Saudi Arabian public petroleum and natural gas company, and one of the largest companies in the world by revenue. The email asks the receiver to provide an offer for refinery renovations that requires a swift response.
Dear Sir, Warm Greetings From Saudi Aramco. We request you to furnish your best, complete, exclusive and competitive techno-commercial offer to our esteemed company for the supply of below mentioned item(s) on or before 10-March-2022. Your offer should conform to all the specifications (FIT, FORM and FUNCTION) mentioned in our requisition including the following information: 1. Manufacturer's Name and Country of Origin. 2. Latest Delivery Date and Shipment Terms. 3. Estimated Weight / Volume or Dimensions of the quoted item(s) / Final Package. 4. Cost of attestation of documents from chamber of commerce shall be borne by the Supplier. 5. Warranty Period. 6. Product Specifications / Data Sheet, Drawings, and Catalog (if available) 7. Payment Terms 8. Partial Order acceptable or not acceptable. 9. Offer Validity: 90 Days. END USER: SEC (Saudi Arabian Oil Company) End Destination : Saudi Arabia If you need any more information, please don't hesitate to contact us. Please acknowledge the email along with the attachment (download below) and confirm your willingness to quote Best regards,
The attached pdf file contained an embedded Excel object. The embedded object downloaded a remote template that exploits CVE-2017-11882 to download and execute the FormBook malware. This vulnerability exists in Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 and allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory. If the current user is logged on with administrative user rights, this means an attacker could take control of the affected system.
The attached Excel document has the same functionality as the embedded excel object in the pdf file.
IoCs for this campaign
Malwarebytes users were protected against this campaign, because the Malwarebytes Anti-Exploit module blocked the execution of the malware.
Stay safe, everyone!