Threat Overview
A recent phishing campaign has been observed delivering Formbook stealers through email attachments, as reported by AlienVault on January 7th, 2025. This report provides an analysis of the attack and recommendations for mitigation.
The malware employs multiple stages and steganography to hide malicious files inside images. The infection chain involves three stages before the final payload: Purchase Order.exe, Arthur.dll, and Montero.dll.
Attack Details
The attack begins with a spear-phishing email containing a purchase order and a zip file attachment. Once executed, the malware uses various evasion techniques such as process hollowing, mutex creation, adding itself to exclusion paths, creating scheduled tasks for persistence, downloading additional payloads, or receiving commands from the threat actor’s C2 server.
The final payload is a highly obfuscated 32-bit MASM compiled binary.
Threat Actor Group
The short description of the actor group behind this campaign is not provided in the report.
Threat Level and Reliability
The confidence level for this threat is rated as 100, and the reliability of the report is verified. The revoke status is false.
Recommendations
Based on the threat report, several recommendations can be made:
* Educate users to Spot Phishing Emails: Train employees to recognize phishing emails and avoid opening suspicious attachments.
* Implement Email Filtering Solutions: Use advanced email filtering techniques to block malicious emails before they reach user inboxes.
* Keep Systems Updated: Regularly update software packages to protect against known vulnerabilities exploited by malware.
* Monitor for Suspicious Activity: Use threat intelligence platforms and security monitoring tools to detect anomalies and potential infections in your network.
Connected Elements\
There are 30 connected elements present in the report.
External References
Additional information about this campaign can be found at:
* Seqrite Blog: https://www.seqrite.com/blog/formbook-phishing-campaign-analysis/
