Researchers have found new campaigns distributing Formbook malware in the wild with evasive techniques. While Microsoft has fixed the vulnerability triggering this attack, threat actors continue to hunt unpatched devices.
Formbook Malware Continues To Haunt Windows Users
According to the latest report from Sophos Labs, the threat actors behind the Formbook malware are running active campaigns again.
Formbook is a known Windows malware with potent data-stealing capabilities. Once on the target device, it extracts sensitive data such as users’ credentials, silently takes screengrabs, and logs keystrokes to pilfer information.
This malware has been around since at least 2017, but it recently resurfaced in COVID-19-themed phishing campaigns.
As elaborated in their post, the researchers found the latest malware campaigns exploiting the Microsoft MSHTML remote code execution vulnerability (CVE-2021-40444). The threat actors began exploiting this bug almost a week before Microsoft eventually released its fix with September Patch Tuesday updates.
At that time, Microsoft didn’t elaborate on the matter, but it did confirm active exploitation of the flaw that merely required an adversary to trick the target user into opening maliciously crafted documents to deliver malware. Nonetheless, the patch effectively addressed the matter.
However, Sophos Labs has discovered that the threat actors continue to exploit this vulnerability on unpatched systems. In recent campaigns, they have embedded the malicious document into a RAR archive.
The malware continues to spread via the most common attack vector: phishing emails.
Once the recipient of a phishing email opens the malicious archive and the document inside it, the malware downloads and executes on the target device.
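The delivery chain described above ends with a crafted Office document that reaches out to an external resource through MSHTML. A defender triaging extracted attachments can screen Word documents for that trait before they are opened: a `.docx` is a ZIP package, and the public CVE-2021-40444 exploit chain relied on an OLE-object relationship in the document's `.rels` part whose target is external rather than a part inside the package. The script below is an added example written for this page, not Sophos' code or an artifact from the campaign. It assumes the document has already been pulled out of the RAR archive (Python's standard library cannot read RAR), and it builds two constructed sample documents in memory, one benign and one carrying a placeholder external OLE target, so it runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship type that Word uses for embedded/linked OLE objects.
OLE_REL_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
)


def external_ole_targets(docx_bytes):
    """Return (rels_part, target) for every OLE-object relationship whose
    TargetMode is External. Benign documents keep OLE objects inside the
    package, so an external target is a strong triage signal."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            # Relationship elements live in a default namespace; attributes do not.
            for rel in root:
                if (
                    rel.get("Type") == OLE_REL_TYPE
                    and rel.get("TargetMode", "Internal") == "External"
                ):
                    findings.append((name, rel.get("Target")))
    return findings


def build_sample_docx(rels_xml):
    """Constructed minimal .docx package used only to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>",
        )
        zf.writestr(
            "word/document.xml",
            "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>",
        )
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Constructed benign sample: one internal image relationship.
BENIGN_DOCX = build_sample_docx(
    f"<Relationships xmlns='{RELS_NS}'>"
    "<Relationship Id='rId1' Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/image' Target='media/image1.png'/>"
    "</Relationships>"
)

# Constructed suspicious sample: an OLE object whose target is an external
# placeholder URL (not a real campaign indicator).
SUSPICIOUS_DOCX = build_sample_docx(
    f"<Relationships xmlns='{RELS_NS}'>"
    f"<Relationship Id='rId1' Type='{OLE_REL_TYPE}' Target='http://example.invalid/remote-object' TargetMode='External'/>"
    "</Relationships>"
)


def triage(label, docx_bytes):
    """Print a one-line verdict and return the findings for further handling."""
    hits = external_ole_targets(docx_bytes)
    verdict = "SUSPICIOUS" if hits else "clean"
    print(f"{label}: {verdict} {hits if hits else ''}")
    return hits


if __name__ == "__main__":
    triage("benign.docx", BENIGN_DOCX)
    triage("attachment.docx", SUSPICIOUS_DOCX)
```

The check is deliberately narrow: it flags the structural trait rather than any particular URL, so it does not depend on campaign-specific indicators that change between waves. Treat a hit as a reason to detonate the file in a sandbox or block it at the gateway, not as proof of exploitation on its own.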
However, the systems updated with September patches remain unaffected by this attack.
Therefore, all Windows users, particularly those who haven’t updated their systems yet, should update now. Ideally, users should install the latest December updates; at a minimum, applying the September Patch Tuesday updates is essential to avoid these Formbook malware attacks.