The Malwarebytes research team found a targeted email campaign carrying two attachments, a PDF file and an Excel file.
The email pretends to come from Saudi Aramco, a Saudi Arabian public petroleum and natural gas company, and one of the largest companies in the world by revenue.
Aramco went public in December 2019 with an initial public offering of $29.4 billion. This was the largest ever IPO and made Aramco the largest publicly traded company, before being overtaken by Apple in 2020.
The email urges the recipients to respond to an offer which, of course, is fake. The attackers have inserted an embedded object in the Excel file that downloads a remote template; the template exploits a vulnerability to download and execute the FormBook malware.
The vulnerability, CVE-2017-11882, is quite old and has a public exploit available.
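The delivery chain above leaves two static traces inside the Office package: an embedded OLE part and a relationship that points at a template on a remote host. The following triage script is an added example, not code from the Malwarebytes article; the package it inspects is constructed inline and its URL is a placeholder, not an indicator from the campaign.

```python
# Added example: triage an OOXML (docx/xlsx) package for the two delivery
# indicators described in the article: embedded objects and remote templates.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REMOTE_SCHEME = re.compile(r"^(?:https?|ftp)://", re.I)

def find_delivery_indicators(package: bytes) -> dict:
    """Return remote External relationships and embedded OLE parts in an OOXML zip."""
    findings = {"remote_targets": [], "embedded_objects": []}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    target = rel.get("Target", "")
                    if rel.get("TargetMode") == "External" and REMOTE_SCHEME.match(target):
                        rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                        findings["remote_targets"].append((name, rel_type, target))
            elif "/embeddings/" in name and name.endswith(".bin"):
                findings["embedded_objects"].append(name)
    return findings

def verdict(findings: dict) -> str:
    """Embedded object plus remote template fetch matches the chain in the article."""
    if findings["remote_targets"] and findings["embedded_objects"]:
        return "suspicious: embedded object + remote template"
    if findings["remote_targets"]:
        return "suspicious: remote template reference"
    if findings["embedded_objects"]:
        return "review: embedded object present"
    return "clean: no delivery indicators"

def build_sample_package() -> bytes:
    """Constructed minimal package for testing; the URL is a placeholder."""
    rels = (f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
            'Target="http://template.example.invalid/remote.dotm" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
        zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 8)
    return buf.getvalue()

if __name__ == "__main__":
    result = find_delivery_indicators(build_sample_package())
    print(result, verdict(result))
```

Run it against a real sample by passing the file's bytes to find_delivery_indicators; a hit in `remote_targets` is worth blocking at the mail gateway even before the remote template is fetched.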
The FormBook Malware
FormBook is well-known commercial malware, so called because it has been sold “as-a-service” on hacking forums since 2016. It is designed to steal personal information from victims’ devices and to control those devices using commands from a C2 server.
FormBook, which has been detected in the wild for over five years, steals personal information using keyloggers and form grabbers that capture victim input, along with data from software such as browsers, instant messaging clients, email clients, and FTP clients.
The CVE-2017-11882 vulnerability exists in:
- Microsoft Office 2007 Service Pack 3
- Microsoft Office 2010 Service Pack 2
- Microsoft Office 2013 Service Pack 1
- Microsoft Office 2016
The flaw stems from improper handling of objects in memory and allows an attacker to run arbitrary code in the context of the current user. If the current user is logged on with administrative rights, the attacker could take control of the affected system.