FormBook Being Exported Without Use of Macros
Target: Windows systems.
Attack Vector: Malicious email or IM and malicious links on websites.
Summary: A new, previously unseen, type of document attack is now possible and is in use to deliver the previously observed FormBook malware. The attack does not require macros to be enabled for the infection to be carried out. The attacks began in March and have been seen in the financial and information sectors of companies in the US and the Middle East. It is notable for its infection technique, which comprises multiple stages. This new method also includes techniques intended to defeat security solutions.

Risk assessment summary: The threat is assessed as 3e MODERATE. This threat has been reported in the wild and could continue, as it currently does not trigger on security products. However, the risk can be limited through the implementation of good security practices, particularly with regard to email and IM communications. This has recently become a high priority in companies, with compliance improving, lessening the likelihood of infection. While the initial malware does not harm the target system directly, the FormBook payload it downloads does. The ability to steal data from a target system is an issue, as the data can be used to facilitate further attacks or sold to criminal gangs. In addition, using the C2 server to execute code on the target machine opens further attack vectors, increasing the risk.