Formbook is an information stealer acting as a form grabber which harvests credentials, passwords, banking details, key strokes and network requests, by intercepting web browser and other clients such as email and IM. Formbook is used in a recent campaign embedded in a malicious Microsoft Excel document which is sent to targets via emails as part of a phishing attack. Attached below is a screenshot of the Excel sheet.
Macros are disabled by default and users are prompted to ‘Enable Content’ upon opening the document.
When “Enable Content” button is clicked within Microsoft Excel, a malicious macro executes a PowerShell script which runs in the background as a child process to wmiprvse.exe. The script uses a bitwise XOR to decode and convert the obfuscated payload. It then makes an external request to an infected WordPress site, and downloads a further payload from hxxp://insumoscerveceros.com.co/wp-admin/network/Purchase.exe.
IP(s) / Hostname(s)
Malware Hash (MD5/SHA1/SH256)