May 28, 2025
Severity
High
Analysis Summary
A newly documented variant of the FormBook information stealer gives its operators remote control of infected Windows hosts through a multi-stage, heavily evasive attack chain.
Described in a report published on May 27, 2025, the strain is delivered by phishing emails carrying malicious Word documents that exploit CVE-2017-11882, a stack buffer overflow in the Microsoft Office Equation Editor component (EQNEDT32.EXE). Once the exploit runs, it downloads an encrypted FormBook payload disguised as a PNG file and decrypts it in memory; the image extension is there to slip past filters that judge downloads by file type rather than content.
Execution begins with process hollowing: a suspended ImagingDevices.exe is started and its image is replaced with the malicious code. The hollowed process then injects into explorer.exe and, from there, into a child process chosen at random from a list of twelve encrypted process names, including PATHPING.EXE, fontview.exe and MuiUnattend.exe, all of which live in C:\Windows\SysWOW64 (the 32-bit system directory on 64-bit Windows). On x64 hosts the 32-bit loader uses the Heaven's Gate technique, switching to the 64-bit code segment with a far jump of the form "jmp far 0x33:{address}" so that it can run 64-bit code from a 32-bit process. It also maps a second, private copy of ntdll.dll into memory and routes its API calls through that copy, which sidesteps user-mode hooks placed on the original ntdll.dll by security products and makes tracing the sample harder.
To resist analysis, the sample encrypts more than 100 of its functions, decrypting each only when it is called and re-encrypting it immediately afterwards, so a memory dump taken at any one moment never contains the whole program in the clear. It also checks for analysis environments: it compares running process names against a blacklist (for example vmwareuser.exe, sandboxiedcomlaunch.exe and procmon.exe) and inspects the current username and file paths for sandbox markers such as "\cuckoo" or "\sandbox". Together these measures are aimed at defeating both automated sandboxes and manual reverse engineering.
Once the payload is running, FormBook harvests credentials saved by Chrome, Firefox, Edge and Internet Explorer, reading the browsers' local SQLite databases directly with SQL queries rather than going through the browser itself. It communicates with a pool of 64 command-and-control servers whose addresses are stored under a layered obfuscation scheme: encrypted, then Base64-encoded, then encrypted again, so neither a string search nor a single decoding pass reveals them.
Over these channels the operators can issue nine remote commands, covering actions such as executing files, updating the malware and shutting the system down. The researchers who published the report state that their own customers are protected; other organizations are urged to enforce robust endpoint security, patch this long-known Office vulnerability, and treat FormBook as a continually evolving threat.
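The injection chain above leaves a recognisable trail in process telemetry. The following is an added example, not code from the advisory or its authors: it walks a list of constructed events shaped like Sysmon Event ID 1 (process create) and Event ID 8 (CreateRemoteThread) and raises one finding per step of the chain. The three target names are the ones the advisory lists; the other nine of the twelve are not on the page and are not guessed here. The four rules, and the assumption that ImagingDevices.exe is normally started only by explorer.exe, are mine.

```python
"""Detect the FormBook hollowing/injection chain in Sysmon-style events.

Added example; the event records below are constructed for this demonstration.
"""
from __future__ import annotations

SYSWOW64 = "c:\\windows\\syswow64\\"
# Injection targets named in the advisory (32-bit binaries under SysWOW64).
FORMBOOK_TARGETS = {"pathping.exe", "fontview.exe", "muiunattend.exe"}
HOLLOW_HOST = "imagingdevices.exe"


def basename(path: str) -> str:
    """Lower-case file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def in_syswow64(path: str) -> bool:
    return path.lower().startswith(SYSWOW64)


def analyse(events: list[dict]) -> list[dict]:
    """Return one finding per suspicious event.

    Rules (assumed definitions of 'suspicious', derived from the advisory's chain):
      hollow-host    ImagingDevices.exe started by anything other than explorer.exe
      host-injects   ImagingDevices.exe opens a remote thread in another process
      target-spawn   explorer.exe spawns one of the SysWOW64 target binaries
      target-inject  explorer.exe opens a remote thread in a SysWOW64 target binary
    """
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            if image == HOLLOW_HOST and parent != "explorer.exe":
                findings.append({"rule": "hollow-host", "pid": ev["ProcessId"], "parent": parent})
            if parent == "explorer.exe" and in_syswow64(ev["Image"]) and image in FORMBOOK_TARGETS:
                findings.append({"rule": "target-spawn", "pid": ev["ProcessId"], "image": image})
        elif ev["EventID"] == 8:
            src, dst = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            if src == HOLLOW_HOST:
                findings.append({"rule": "host-injects", "pid": ev["SourceProcessId"], "target": dst})
            if src == "explorer.exe" and in_syswow64(ev["TargetImage"]) and dst in FORMBOOK_TARGETS:
                findings.append({"rule": "target-inject", "pid": ev["TargetProcessId"], "target": dst})
    return findings


# Constructed sample: the malicious chain interleaved with two benign events.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 412, "Image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4588, "Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "ProcessId": 5120, "Image": r"C:\Windows\SysWOW64\ImagingDevices.exe",
     "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"EventID": 8, "SourceProcessId": 5120, "SourceImage": r"C:\Windows\SysWOW64\ImagingDevices.exe",
     "TargetProcessId": 3344, "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 6012, "Image": r"C:\Windows\SysWOW64\fontview.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceProcessId": 3344, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetProcessId": 6012, "TargetImage": r"C:\Windows\SysWOW64\fontview.exe"},
    {"EventID": 1, "ProcessId": 7000, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                       # benign
    {"EventID": 1, "ProcessId": 7100, "Image": r"C:\Windows\System32\PATHPING.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                  # benign 64-bit use
]


def main() -> None:
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)


if __name__ == "__main__":
    main()
```

The 64-bit PATHPING.EXE run from cmd.exe is deliberately left unflagged: the signal is the 32-bit copy under SysWOW64 appearing as a child of explorer.exe, not the binary name alone. Feed real Sysmon events (or the equivalent EDR fields) in the same shape and review the parent allow-list for the hollow-host rule before deploying it.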
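Before detonating a FormBook sample it is worth checking that the analysis host does not expose the very artefacts the malware looks for. The script below is an added example, not from the advisory: it audits a set of process names, a username and a few paths against the checks described above. The three process names and two path markers are the ones the advisory quotes; the advisory says usernames are inspected but does not list the strings, so USER_MARKERS is an assumption. The live collection uses Windows' tasklist and does nothing on other platforms.

```python
"""Audit an analysis VM for the artefacts FormBook's anti-analysis checks trip on.

Added example; any hit means the sample may hide its real behaviour on this host.
"""
import getpass
import os
import subprocess
import sys
import tempfile

# Quoted in the advisory.
BLACKLISTED_PROCESSES = {"vmwareuser.exe", "sandboxiedcomlaunch.exe", "procmon.exe"}
PATH_MARKERS = ("\\cuckoo", "\\sandbox")
# Assumed: the advisory says usernames are checked but does not list the strings.
USER_MARKERS = ("sandbox", "cuckoo", "malware", "virus")


def audit(process_names, username, paths):
    """Return (category, value) pairs a FormBook-style environment check would match."""
    hits = []
    for name in process_names:
        if name.lower() in BLACKLISTED_PROCESSES:
            hits.append(("process", name))
    low_user = username.lower()
    if any(marker in low_user for marker in USER_MARKERS):
        hits.append(("username", username))
    for path in paths:
        low_path = path.lower()
        if any(marker in low_path for marker in PATH_MARKERS):
            hits.append(("path", path))
    return hits


def live_process_names():
    """Image names of running processes via 'tasklist /FO CSV /NH' (Windows only)."""
    if os.name != "nt":
        return []
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=False).stdout
    names = []
    for line in out.splitlines():
        if line.startswith('"'):
            names.append(line.split('","', 1)[0].strip('"'))   # first CSV column
    return names


def live_paths():
    """Paths the sample is likely to see: its own location, cwd, temp and profile."""
    return [sys.argv[0], os.getcwd(), tempfile.gettempdir(), os.path.expanduser("~")]


if __name__ == "__main__":
    results = audit(live_process_names(), getpass.getuser(), live_paths())
    for category, value in results or [("ok", "no sandbox artefacts found")]:
        print(f"{category}: {value}")
```

A hit on "process" means tools such as Process Monitor should be renamed or run after the sample starts; a hit on "path" or "username" means the VM should be rebuilt with an ordinary-looking account name and working directory.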
Impact
- Sensitive Data Theft
- Security Bypass
- Gain Access
Indicators of Compromise
CVE
- CVE-2017-11882
URL
- http://www.promutuus.xyz/bpae/
- http://www.218735.bid/3f5o/
- http://www.vivamente.shop/xr41/
- http://www.hugeblockchain.xyz/1dpy/
- http://www.seasay.xyz/xwy3/
- http://www.tumbetgirislinki.fit/i8hk/
- http://www.ef4refef.sbs/f88b/
- http://www.aicycling.pro/4m7q/
- http://www.autonomousrich.xyz/iej0/
- http://www.dangky88kfree.online/11lg/
- http://www.arryongro-nambe.live/h108/
- http://www.dqvcbn.info/iby8/
- http://www.svapo-discount.net/s956/
- http://www.yueolt.shop/je6k/
- http://www.sigaque.today/u2nq/
- http://www.leveledge.sbs/asbs/
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Immediately apply security updates for Microsoft Office, in particular the fix for CVE-2017-11882. Microsoft removed the Equation Editor component (EQNEDT32.EXE) from Office in its January 2018 update, so a fully patched installation no longer contains the vulnerable binary; unpatched or legacy installations remain exploitable by this and many other document-based campaigns.
- Block phishing emails with malicious attachments using secure email gateways and sandboxing for Office documents.
- Use EDR tooling that can detect process hollowing (a process started suspended and its image replaced), Heaven's Gate transitions (32-bit code executing under the 64-bit code segment selector 0x33) and remote-thread or DLL injection; the chain described above relies on all three.
- Monitor, and where policy allows restrict, execution of lesser-used binaries in C:\Windows\SysWOW64 when they are spawned by explorer.exe or another unexpected parent, since FormBook injects into these processes. Blocking the directory outright is not practical because it holds the 32-bit Windows system binaries.
- Leverage services like FortiGuard’s Anti-Botnet, IPS, and Web Filtering to block access to known C2 domains and prevent data exfiltration.
- Inspect outbound HTTP for connections to the listed C2 URLs and for requests of the same shape (a short random path directly under a www.<domain> host, as in the indicators above), and for request bodies or parameters that are Base64-encoded or otherwise opaque. The C2 traffic is layered-encrypted, so content inspection alone will not decode it, but the destination pattern is visible in proxy logs.
- Perform dynamic analysis of dropped files on bare-metal or carefully hardened analysis hosts, since FormBook checks for virtualization and sandbox artefacts and behaves differently when it finds them.
- Track unexpected execution of lesser-used Windows binaries such as fontview.exe, MuiUnattend.exe, and PATHPING.EXE.
- Conduct regular training to help users identify malicious attachments and social engineering tactics used in phishing emails.
- Limit user privileges to reduce the impact if malware gains initial access.
- Enable protections such as ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) on endpoints. Note that the old Equation Editor binary shipped without these mitigations, which is what made CVE-2017-11882 so reliable to exploit, so patching or removing EQNEDT32.EXE is the effective control for this vulnerability.
- Maintain offline and encrypted backups of critical systems to ensure recovery in case of malware infection or system compromise.
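For the "search for indicators" and "inspect abnormal outbound connections" items, the script below is an added example, not from the advisory. IOC_TEXT is the advisory's own URL list; PROXY_LOG is a constructed sample in a generic "timestamp client method url status" layout, so parse_line() will need adapting to a real proxy format. The structural rule is my own, derived from the listed indicators, all of which have the form http://www.<domain>/<four alphanumerics>/ ; treat its hits as leads to confirm, not as proven C2.

```python
"""Match web-proxy records against the advisory's C2 URLs and their common shape.

Added example; the proxy log is constructed for this demonstration.
"""
import re
from urllib.parse import urlsplit

# The advisory's URL indicators, verbatim.
IOC_TEXT = """
- http://www.promutuus.xyz/bpae/
- http://www.218735.bid/3f5o/
- http://www.vivamente.shop/xr41/
- http://www.hugeblockchain.xyz/1dpy/
- http://www.seasay.xyz/xwy3/
- http://www.tumbetgirislinki.fit/i8hk/
- http://www.ef4refef.sbs/f88b/
- http://www.aicycling.pro/4m7q/
- http://www.autonomousrich.xyz/iej0/
- http://www.dangky88kfree.online/11lg/
- http://www.arryongro-nambe.live/h108/
- http://www.dqvcbn.info/iby8/
- http://www.svapo-discount.net/s956/
- http://www.yueolt.shop/je6k/
- http://www.sigaque.today/u2nq/
- http://www.leveledge.sbs/asbs/
"""

# Derived from the IOC list above (assumption, not a statement from the advisory).
C2_SHAPE = re.compile(r"^/[a-z0-9]{4}/$")

# Constructed sample log: two IOC hits, one shape-only hit, two benign requests.
PROXY_LOG = """
2025-05-28T09:12:44Z 10.0.5.21 POST http://www.promutuus.xyz/bpae/ 200
2025-05-28T09:12:45Z 10.0.5.21 GET http://www.example-cdn.net/static/app.js 200
2025-05-28T09:13:10Z 10.0.5.33 GET http://www.sigaque.today/u2nq/?id=abc 404
2025-05-28T09:14:02Z 10.0.5.40 POST http://www.unlisted-host.xyz/q9k2/ 200
2025-05-28T09:15:00Z 10.0.5.40 GET http://www.bing.com/search?q=lunch 200
"""


def load_iocs(text: str) -> set:
    """Parse '- http://host/path/' bullet lines into (host, path) pairs."""
    iocs = set()
    for line in text.splitlines():
        line = line.strip().lstrip("- ").strip()
        if line.startswith("http"):
            parts = urlsplit(line)
            iocs.add(((parts.hostname or "").lower(), parts.path))
    return iocs


def classify(url: str, iocs: set):
    """'ioc-match' for a listed host+path, 'c2-shape' for the same structure, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if (host, parts.path) in iocs:          # query string is ignored on purpose
        return "ioc-match"
    if host.startswith("www.") and C2_SHAPE.match(parts.path):
        return "c2-shape"
    return None


def parse_line(line: str) -> dict:
    ts, client, method, url, status = line.split()
    return {"time": ts, "client": client, "method": method, "url": url, "status": status}


def scan(log_text: str, iocs: set) -> list:
    """Return the log records that matched, each annotated with its verdict."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        verdict = classify(rec["url"], iocs)
        if verdict:
            rec["verdict"] = verdict
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan(PROXY_LOG, load_iocs(IOC_TEXT)):
        print(hit["verdict"], hit["client"], hit["url"])
```

The query string is ignored when matching because the path is the stable part of these indicators. Expect the shape rule to produce some benign hits on ordinary sites with four-character top-level paths; its value is in surfacing hosts that are not yet on any list but are being contacted by the same clients that hit a listed one.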