At a Glance
Researchers from Ironscales and Sandbox reported that Microsoft Office 365 users are being exploited by a new malware variant delivered via phishing emails. The researchers discovered the new malware variant on November 29, 2018.
Background
According to the Ironscales and Sandbox report, the new malware is a variant of ‘Formbook’, a ‘ready-to-sell malware’ used by cyber-criminals who lack skill in malware.
How does Formbook work?
Formbook is delivered through a self-extracting RAR file which, when launched, starts an AutoIt loader and runs an AutoIt script. This AutoIt script decrypts the FormBook malware file, loads it and then executes the payload file.
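A static triage check for the container described above, added here as an illustration and not taken from the Ironscales report: it flags an attachment that is a Windows executable with a RAR archive appended to it. The function names and the sample bytes are constructed for this example, and the AutoIt marker strings are an assumption about how compiled AutoIt scripts are commonly tagged.

```python
import struct

MZ = b"MZ"
RAR4 = b"Rar!\x1a\x07\x00"       # RAR 1.5-4.x archive signature
RAR5 = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x archive signature
# Assumption: markers commonly seen in compiled AutoIt v3 scripts.
AUTOIT = (b"AU3!EA06", b"AU3!EA05")


def is_pe(data: bytes) -> bool:
    """True when data starts with MZ and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(data: bytes) -> dict:
    """Report whether a file is an executable carrying an embedded RAR archive."""
    pe = is_pe(data)
    hits = [o for o in (data.find(RAR4), data.find(RAR5)) if o >= 0]
    rar_offset = min(hits) if hits else -1
    return {
        "pe": pe,
        "rar_offset": rar_offset,
        # Self-extractor layout: executable stub first, archive appended after it.
        "rar_sfx": pe and rar_offset > 0,
        # Only visible in uncompressed data, e.g. members already extracted.
        "autoit_marker": any(m in data for m in AUTOIT),
    }


def build_sample(marker: bytes) -> bytes:
    """Constructed input: minimal PE stub followed by an appended marker."""
    header = MZ + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    return header + b"PE\x00\x00" + b"\x90" * 32 + marker + b"\x00" * 16


if __name__ == "__main__":
    samples = {
        "sfx-like": build_sample(RAR5),
        "plain archive": RAR4 + b"\x00" * 16,
        "autoit-like": build_sample(AUTOIT[0]),
    }
    for name, blob in samples.items():
        print(name, triage(blob))
```

Because archive contents are compressed, the AutoIt marker check is meaningful only when run again on members extracted in a sandbox, not on the outer attachment.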
Its ease of use, open availability and economical pricing make ‘Formbook Malware’ an attractive option among cyber-criminals.
More about the malware
The Ironscales and Sandbox researchers reported that the malware is undetectable by antivirus due to advanced techniques used by the cyber-criminals. The researchers have not been able to identify a geographic pattern.
The researchers further added that Microsoft might have lost the source code needed to patch the EQNEDT32.EXE process, leaving the company unable to patch against the malware attack.