Cybersecurity researchers have identified a new phishing campaign distributing the notorious Formbook malware. This sophisticated attack leverages weaponized ZIP files and a multi-stage scripting process to circumvent standard security measures, making it particularly challenging to detect. The Formbook malware is known for its ability to steal credentials and sensitive information from infected systems.
The campaign, detailed by researchers at the Internet Storm Center, begins with deceptively simple phishing emails. These emails contain attached ZIP archives that, upon extraction, reveal VBScript files masquerading as legitimate business documents, such as payment confirmations. When executed, these scripts initiate a complex chain reaction designed to download and install the Formbook payload onto a victim’s computer, highlighting the evolving tactics of cybercriminals in distributing potent malware.
Multi-Stage Infection Mechanism Evolves Formbook Delivery
The effectiveness of this new Formbook malware distribution method lies in its intricate, multi-stage infection mechanism. According to the Internet Storm Center’s findings, only 17 of 65 antivirus engines detected the initial VBScript file, underscoring the obfuscation techniques employed by the attackers. These methods are intentionally designed to evade immediate detection by security tools and to complicate forensic analysis for security professionals.
The infection chain begins with the VBScript file, often named to appear as a functional document such as “Payment_confirmation_copy_30K__20251211093749.vbs”. Once activated, this script employs several evasion tactics. A crucial element involves a built-in delay mechanism, forcing the script to wait for nine seconds before executing any malicious actions. This delay is a common, yet effective, technique to bypass the automated sandboxing environments that many security solutions use for initial threat analysis, as these systems often flag immediate suspicious activity.
Following the delay, the VBScript proceeds to construct a PowerShell command. This construction is achieved by concatenating numerous small text fragments, a method designed to obscure the presence of the word “PowerShell” itself. The keyword is further hidden by encoding its characters numerically (as character codes) rather than writing it in plain text, so a simple string search of the script does not find it. Once assembled, this hidden PowerShell command is executed surreptitiously using a Shell.Application object, an approach that leverages legitimate system functionality for malicious ends.
The PowerShell script then takes on the role of downloading a secondary payload. This payload is reportedly hosted on Google Drive, a common platform for file sharing that attackers often abuse for malware distribution. The script saves this downloaded file to the user’s AppData folder, a location frequently used by malware for persistence and execution. The final stage of the infection involves launching msiexec.exe, the Windows Installer executable, and injecting the Formbook malware directly into this legitimate process. This injection technique allows the malware to operate with the privileges of the installer, further aiding its stealth and operational capabilities.
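The obfuscation traits just described (the sleep delay, the character-code encoding of the keyword, the fragment concatenation, and the Shell.Application launch) can be surfaced mechanically during triage. The following Python helper is an added illustration, not code from the Internet Storm Center write-up: it resolves `Chr(n)` calls and string concatenation in a constructed VBScript sample and reports those traits; the sample script, the field names and the 5-second delay threshold are assumptions made for the example.

```python
import re

# Constructed sample mimicking the traits described above (not the real attachment).
SAMPLE_VBS = '''
WScript.Sleep 9000
Dim cmd
cmd = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
Set app = CreateObject("Sh" & "ell.Appl" & "ication")
app.ShellExecute cmd, "", "", "open", 0
'''

CHR_RE = re.compile(r'Chr\(\s*(\d+)\s*\)', re.IGNORECASE)   # Chr(112) -> "p"
CONCAT_RE = re.compile(r'"\s*&\s*"')                          # "a" & "b" -> "ab"
SLEEP_RE = re.compile(r'WScript\.Sleep\s+(\d+)', re.IGNORECASE)

def deobfuscate(src: str) -> str:
    """Resolve Chr(n) calls to quoted characters, then collapse string concatenation."""
    out = CHR_RE.sub(lambda m: '"%s"' % chr(int(m.group(1))), src)
    return CONCAT_RE.sub('', out)

def triage(src: str) -> dict:
    """Report the evasion traits from the write-up as they appear in a script."""
    clean = deobfuscate(src).lower()
    sleep = SLEEP_RE.search(src)
    return {
        "sleep_ms": int(sleep.group(1)) if sleep else 0,
        "chr_calls": len(CHR_RE.findall(src)),
        "shell_application": "shell.application" in clean,
        "powershell": "powershell" in clean,
        # keyword visible only after decoding: the hiding technique the article describes
        "powershell_hidden": "powershell" in clean and "powershell" not in src.lower(),
    }

def suspicious(findings: dict) -> bool:
    """Verdict (assumed threshold): a sandbox-style delay of 5 s or more combined with
    a PowerShell keyword that only appears after decoding and a Shell.Application launch."""
    return (findings["sleep_ms"] >= 5000 and findings["powershell_hidden"]
            and findings["shell_application"])

if __name__ == "__main__":
    found = triage(SAMPLE_VBS)
    print(found, "SUSPICIOUS" if suspicious(found) else "no match")
```

Hand-written VBScript can split strings in other ways (`Mid`, `StrReverse`, variable joins), so a production triage script would need more rewrite rules than the two shown here.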
Once successfully installed, the Formbook malware establishes a connection to its command and control (C2) server. This server is located at the IP address 216.250.252.227 and communicates over port 7719. Through this channel, the malware awaits and receives further instructions from its operators, which can include tasks like data exfiltration, keylogging, or downloading additional malicious modules to expand its functionality.
The persistent evolution of Formbook malware, particularly its delivery methods, represents an ongoing challenge for cybersecurity defenses. The reliance on multiple scripting languages, obfuscation techniques, and the abuse of legitimate cloud storage and system processes demonstrates a sophisticated and adaptive threat landscape. Organizations and individuals alike must remain vigilant, ensuring that security software is up-to-date and that users are educated about the risks associated with opening unsolicited attachments from unknown or suspicious sources.
Moving forward, cybersecurity analysts will continue to monitor this campaign for any shifts in attack vectors or payload functionality. The detection rate of the initial VBScript remains a critical area of focus, as improved detection at this early stage could significantly disrupt the malware’s propagation. The ongoing cat-and-mouse game between malware creators and security researchers suggests that future iterations of Formbook and similar threats will likely incorporate even more advanced evasion tactics, demanding continuous innovation in threat intelligence and defense strategies.