Our Threat Intelligence team has been closely monitoring cyber threats related to the war in Ukraine. Today, we discovered a malicious spam campaign dropping the Formbook stealer specifically targeting Ukrainians.

Formbook is part of a long-running malspam operation that we observe on a regular basis. This time, the email lure is written in Ukrainian and tricks victims into opening an alleged letter of approval to receive funds from the government.

The email can be translated as:

Dear citizens, we inform you that you are not alone in this difficult time, we in the authorities are doing everything possible to protect our citizens.
 
All citizens receive support from the Federal Government in the amount of 15,000, we want to say that you must protect each other, this is a difficult time for everyone, together with God we will fight this difficult time.
 
Your letter of approval is added
 
Sincerely.

Upon opening the file called лист підтримки.xlsx (support letter.xlsx), an exploit for CVE-2017-11882 will attempt to compromise the machine in order to download the Formbook payload from a remote server.
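A triage check for quarantined attachments, added here as an example and not code from the original post: it compares the file's SHA-256 with the maldoc hash listed under Indicators of Compromise and looks for the class ID of Microsoft Equation 3.0, the component affected by CVE-2017-11882. The function names and the constructed sample workbook are assumptions; the post does not describe the document's internal layout.

```python
import hashlib
import io
import uuid
import zipfile

# SHA-256 of the maldoc, copied from the indicator list on this page.
KNOWN_MALDOC_SHA256 = "7d39e6ca46c053c1ad744de1ca8867217596bb17bb673785eb8827b00c5ae05b"
# Class ID of Microsoft Equation 3.0. OLE storages hold GUIDs in
# mixed-endian form, hence bytes_le.
EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def triage_attachment(data: bytes) -> dict:
    """Return hash match and Equation Editor findings for one attachment."""
    digest = hashlib.sha256(data).hexdigest()
    result = {"sha256": digest, "known_maldoc": digest == KNOWN_MALDOC_SHA256,
              "container": "unknown", "equation_objects": []}
    if data.startswith(OLE_MAGIC):
        # Legacy binary or encrypted workbook: raw scan only. Encrypted
        # content has to be decrypted before this check means anything.
        result["container"] = "ole"
        if EQUATION_CLSID in data:
            result["equation_objects"].append("<ole container>")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        result["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                # Embedded objects normally sit in xl/embeddings/, but the
                # part name is sender-controlled, so scan every part.
                if EQUATION_CLSID in zf.read(name):
                    result["equation_objects"].append(name)
    return result


def build_sample(with_equation: bool) -> bytes:
    """Constructed test workbook: not a real document, not the page's sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_equation:
            # Stand-in for an embedded OLE object: magic, padding, class ID.
            stub = OLE_MAGIC + b"\x00" * 72 + EQUATION_CLSID
            zf.writestr("xl/embeddings/oleObject1.bin", stub)
    return buf.getvalue()


if __name__ == "__main__":
    print([triage_attachment(build_sample(flag)) for flag in (False, True)])
```

An Equation Editor object in a spreadsheet received by email is a heuristic signal that warrants a closer look, not proof of the exploit on its own.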

This is not the first — and certainly won’t be the last — time we see threat actors taking advantage of crises. As heartless as it looks, we realize that malware and criminal operations are always ongoing.

Malwarebytes customers were protected from this attack thanks to our Anti-Exploit protection layer.

Indicators of Compromise

Email subject

лист схвалення касового забезпечення – міністр (letter of approval of cash provision – minister)

Formbook maldoc

лист підтримки.xlsx
7d39e6ca46c053c1ad744de1ca8867217596bb17bb673785eb8827b00c5ae05b

Formbook URL

103.167.92[.]57/xx_cloudprotect/vbc.exe

Formbook payload

b5f79bb30d60794b7edbf486fa96a11c1ac3ba34592a496379020e8379f281be