Multiple Attack Vectors used to spread FormGrabber Malware
Target: Machines left unpatched against two software vulnerabilities, or victims of social engineering.
Attack Vector: Two buffer overflow exploits and social engineering.
Summary: FormGrabber is a piece of malware which, when present on a system, acts as a particularly effective piece of spyware. Screenshots, keystrokes and login details are captured and sent back to a threat actor. More recently it has been observed being delivered through an attack that stands out because it follows the growing trend of combining multiple attack vectors to achieve a single end goal.
Two vulnerabilities are exploited in this incident. The first is a historic buffer overflow vulnerability in Microsoft Equation Editor (CVE-2017-11882) and the second is a similar vulnerability (CVE-2018-0802) that exists because the patch for the former was not fully effective. In addition, social engineering techniques are employed in an attempt to deliver the payload to the target machine. This is only triggered as a final attempt to deliver the payload and is not used if either of the two exploit-based vectors succeeds.
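All three vectors in this chain end with a payload (the advisory mentions .hta files) being launched on the victim host, and the two exploit-based vectors do so from inside the Equation Editor process that Office starts to render an embedded equation object. That process (EQNEDT32.EXE) has no legitimate reason to create child processes, so a process-creation rule keyed on its parent name catches both CVEs without needing a signature for the specific document. The script below is an added detection example and is not part of the original advisory; it runs over constructed, JSON-per-line process-creation records (the field names, paths and the placeholder .hta path are assumptions for this example, not observed indicators), and the list of script hosts to treat as high severity is likewise an assumption to tune per environment.

```python
"""
Added detection example (not from the original advisory): flag process-creation
events in which the Equation Editor process (EQNEDT32.EXE) spawns a child.
Office launches EQNEDT32.EXE as a COM server to render an embedded equation
object; a benign render never launches a command shell or script host.
The log records below are constructed for this example, not real telemetry.
"""
import json

# Child images that EQNEDT32.EXE should never launch. mshta.exe is the host for
# .hta files, matching the payload the advisory describes; the rest are common
# script/command hosts (assumption: extend for your own environment).
SUSPICIOUS_CHILDREN = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "regsvr32.exe"}

EQUATION_EDITOR = "eqnedt32.exe"


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return 'high', 'medium' or None for one process-creation record.
    event is a dict with at least the keys 'parent' and 'image'."""
    if image_name(event["parent"]) != EQUATION_EDITOR:
        return None
    child = image_name(event["image"])
    if child in SUSPICIOUS_CHILDREN:
        return "high"      # Equation Editor launching a script or command host
    return "medium"        # any other child of EQNEDT32.EXE is still anomalous


def scan(lines):
    """Parse JSON-per-line records and return a list of (severity, event) hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed record rather than abort the whole scan
        severity = classify(event)
        if severity:
            hits.append((severity, event))
    return hits


# Constructed sample log (assumed field layout; paths are illustrative only).
SAMPLE_LOG = r"""
{"ts": "2019-03-01T10:00:01Z", "parent": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "image": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "cmdline": "EQNEDT32.EXE -Embedding"}
{"ts": "2019-03-01T10:00:02Z", "parent": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe C:\\Users\\user\\AppData\\Local\\Temp\\PLACEHOLDER.hta"}
{"ts": "2019-03-01T10:00:03Z", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}
{"ts": "2019-03-01T10:00:04Z", "parent": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "image": "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe", "cmdline": "update.exe"}
"""

if __name__ == "__main__":
    for severity, event in scan(SAMPLE_LOG.splitlines()):
        print(f"[{severity.upper()}] {event['ts']} "
              f"{image_name(event['parent'])} -> {image_name(event['image'])}: "
              f"{event['cmdline']}")
```

On the constructed sample this yields one high-severity hit (EQNEDT32.EXE launching mshta.exe) and one medium-severity hit (EQNEDT32.EXE launching an unknown executable from a temp directory); the WINWORD.EXE-to-EQNEDT32.EXE event is the normal embedding launch and is deliberately not flagged. The same parent-image rule also covers the social-engineering vector only indirectly, so hosts should additionally be patched for both CVEs and user-reported suspicious documents should be triaged.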
Risk assessment summary: This threat is assessed as 3e MODERATE. The flaw is not particularly easy to exploit, as a threat actor would need to be skilled in compiling and executing remote .hta files. In addition, once the attack is under way it leaves a note on the machine that alerts the victim to the attack. This could limit the amount of time a threat actor has to harvest credentials and record keystrokes, lessening the risk. However, the fact that there are three separate attack methods increases the likelihood of a successful exploit, particularly as it has been observed being exploited in the wild.