Our Threat Intelligence team has been closely monitoring cyber threats related to the war in Ukraine. Today, we discovered a malicious spam campaign dropping the Formbook stealer specifically targeting Ukrainians.
Formbook is part of a long-running malspam operation that we observe on a regular basis. This time, the email lure is written in Ukrainian and tricks victims into opening an alleged letter of approval to receive funds from the government.
The email can be translated as:
Dear citizens, we inform you that you are not alone in this difficult time, we in the authorities are doing everything possible to protect our citizens. All citizens receive support from the Federal Government in the amount of 15,000, we want to say that you must protect each other, this is a difficult time for everyone, together with God we will fight this difficult time. Your letter of approval is added Sincerely.
Upon opening the file called лист підтримки.xlsx (support letter.xlsx), an exploit for CVE-2017-11882 will attempt to compromise the machine in order to download the Formbook payload from a remote server.
This is not the first — and certainly won’t be the last — time we see threat actors taking advantage of crises. As heartless as it looks, we realize that malware and criminal operations are always ongoing.
Malwarebytes customers were protected from this attack thanks to our Anti-Exploit protection layer.
Indicators of Compromise
лист схвалення касового забезпечення – міністр