{"id":6231,"date":"2021-04-16T12:59:05","date_gmt":"2021-04-16T19:59:05","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6231"},"modified":"2024-04-26T13:20:46","modified_gmt":"2024-04-26T20:20:46","slug":"spoofed-vehicle-purchase-invoice-malspam-drops-formbook-infostealer","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/spoofed-vehicle-purchase-invoice-malspam-drops-formbook-infostealer\/","title":{"rendered":"Spoofed Vehicle Purchase Invoice Malspam Drops Formbook Infostealer"},"content":{"rendered":"

Author: Victor Sandin<\/strong><\/h3>\n

TLP: WHITE<\/strong><\/h3>\n

 <\/p>\n

Overview<\/h3>\n

On 12 April, Infoblox observed a malicious email campaign distributing Formbook malware via Microsoft Office documents containing malicious macros. Emails in this campaign lure victims into opening a spoofed purchase invoice from Hyundai, and into enabling macros to access the document\u2019s content.<\/p>\n

Infoblox has reported on Formbook campaigns several times in the past;1<\/sup>,<\/sup>2<\/sup>,<\/sup>3<\/sup> they have had common patterns of financial-themed lures and other urgent topics such as the Coronavirus.<\/p>\n

Customer Impact<\/h3>\n

Formbook is a well-known infostealer and form grabber malware that is sold as malware-as-a-service4<\/sup> (MaaS) in underground forums. Its capabilities include evasion techniques such as process hollowing, webform hijacking, keylogging and clipboard monitoring, as well as communication with a command and control (C&C) server.<\/p>\n

Campaign Analysis<\/h3>\n

In this campaign, victims received an email urging them to open the attached purchase invoice with the subject line PI Payment<\/em>. The file attachment was a Microsoft Excel spreadsheet (XLS) containing a malicious macro that connects to threat actors C&C servers and downloads Formbook malware.<\/p>\n

Attack Chain<\/h3>\n

When the victim opens the document and enables macros, the embedded code downloads a portable executable (PE) and writes it to C:\\Users\\Public\\vbc.exe.<\/p>\n

Next, the macro runs the executable, which spawns a new Explorer process and injects Formbook code into it using a technique known as process hollowing.<\/p>\n

Finally, the malware connects to its C&C server to receive additional instructions.<\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

Infoblox recommends the following to reduce and mitigate the risk of this type of infections:<\/p>\n