FormBook itself is a highly effective data thief, capable of extracting stored credentials from popular software, logging keystrokes, capturing screenshots, and collecting clipboard data. This extensive data harvesting gives attackers full access to the victim's digital footprint and can lead to significant breaches of privacy and security. The use of Microsoft Office documents as an attack vector is part of a broader trend, with multiple campaigns identified over recent years, such as the use of Word’s subDoc feature to extract NTLM hashes and a newer malware variant named “CarnavalHeist” targeting Brazilian users through Portuguese-language phishing lures.

To stay protected, users are advised to remain vigilant against unexpected email attachments, especially Word documents, and to ensure all software is up-to-date with the latest security patches. Employing a multi-layered security strategy, including anti-spam, web filtering, intrusion prevention, and antivirus, can significantly reduce the risk of compromise. Researcher assures that its customers benefit from these protections, which can detect both the malicious documents and the embedded FormBook payload.

Impact

• Sensitive Information Theft
• Code Execution
• Unauthorize Access

Indicators of Compromise

CVE

Domain Name

• www2.0zz0.com

MD5

• 23d94285fbcaa4d17bbedf04fd6f77fe

• 19ac38b2e44d149859664387297f21c3

• 0dbbaea650ca1dc68afb29e4eaaeb650

• c42a8bb2ee2e069d8ad7562090112f44

SHA-256

• 93cf566c0997d5dcd1129384420e4ce59764bd86fdabaaa8b74caf5318ba9184

• 7c66e3156bbe88ec56294cd2ca15416dd2b18432deedc024116ea8fbb226d23b

• 2e73b32d2180fd06f5142f68e741da1cff1c5e96387cebd489ad78de18840a56

• 6ac778712dffce48b51850ac34a846da357be07328b00d0b629ec9b2f1c37ece

SHA1

• e331eb48551c1bc220782e072be72308b99157da

• 4b8dd163f27e2e404009bcf7a286ca06c7b4fed7

• caf3008711fdde546f292e2a439472f3dd36e372

• 1fb2c7fa6cea60979a7aea194924445bf2c77925

URL

• https://www2.0zz0.com/2025/02/02/10/709869215.png

Affected Vendors

• Microsoft

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Regularly apply security patches to Microsoft Office and Windows systems, especially to address known vulnerabilities like CVE-2017-11882.
• Avoid opening unexpected or suspicious email attachments, particularly Microsoft Word documents from unknown sources.
• Use a combination of anti-spam, web filtering, intrusion prevention systems (IPS), and antivirus software to detect and block malicious files.
• Use endpoint detection and response (EDR) tools to monitor unusual behaviors like process hollowing or DLL injection.
• If not required, disable or remove the Microsoft Equation Editor to reduce the attack surface.
• Perform vulnerability scans and threat assessments to identify and remediate potential security gaps.
• Use email gateways with sandboxing capabilities to analyze attachments before they reach users’ inboxes.
• Conduct training to help employees recognize phishing attempts and social engineering tactics.
• Restrict user permissions to limit the impact of malware if a system is compromised.
• Keep detailed logs of system activity and monitor for signs of exploitation or data exfiltration.