
Workflow diagram of this FormBook campaign | Image: FortiGuard Labs
A new phishing campaign distributing the FormBook infostealer has been uncovered by Fortinet’s FortiGuard Labs, targeting Windows users through deceptive emails and weaponized Word documents. The attackers combine social engineering with a legacy Microsoft Office vulnerability (CVE-2017-11882) and in-memory execution to deliver FormBook, one of the most persistent info-stealers in the wild, without ever writing the decrypted payload to disk.
The attack chain begins with a phishing email disguised as a sales order. According to Fortinet, the email urges recipients to open an attached Word document labeled as order0087.docx.
“The phishing campaign starts with an email disguised as a sales order urging the recipient to open the attached Word document,” the report notes.
Once opened, the document abuses altChunk, a legitimate OOXML feature for importing content in another format, to automatically load an embedded RTF file named Algeria.rtf, kicking off the malicious sequence.
The Algeria.rtf file is heavily obfuscated but carries an OLE object that leverages CVE-2017-11882, a memory-corruption flaw in Microsoft Equation Editor 3.0 (EQNEDT32.EXE) that lets a crafted equation object execute arbitrary code when Office parses it.
“This exploits the CVE-2017-11882 vulnerability,” the researcher writes, “causing a buffer overflow and ultimately executing the command CmD.exe /C rundll32 %tmp%\AdobeID.pdf,IEX A.”
The exploit drops a 64-bit DLL, misleadingly named AdobeID.pdf, into the user’s temporary folder and loads it with rundll32.exe; in rundll32 syntax, IEX is the exported function to call and A its argument, so the .pdf extension is purely cosmetic.
The AdobeID.pdf DLL is no mere dropper: it is a multi-function loader that establishes persistence, downloads the actual FormBook payload, and executes it entirely in memory.
Persistence is achieved through a value named RtkAudUService under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which re-launches the loader at every logon. The payload is fetched from a file disguised as an image: hxxps://www2[.]0zz0[.]com/2025/02/02/10/709869215.png.
Though it bears the .png extension, Fortinet confirms the file is encrypted. “The malware then calls a function to decrypt the PNG file into the FormBook executable binary,” the report details, using a hardcoded string (H1OX2WsqMLPKvGkQ) as the decryption key.
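A download that carries an image extension but not an image is a cheap thing to check for at a proxy or in a sandbox. The following is an added example, not code from Fortinet’s report: it tests a blob against the PNG signature, measures its byte entropy (encrypted data sits near 8 bits per byte), and separately checks whether a decrypted result is a PE image. The samples are constructed here; the campaign’s real file and its decryption routine are not reproduced, and the 7.5-bit threshold is an assumed tuning value.

```python
import math
from collections import Counter
from hashlib import sha256

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # 8-byte signature every real PNG starts with


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_download(data: bytes, claimed_ext: str, threshold: float = 7.5) -> dict:
    """Flag a blob whose claimed extension does not match its content.

    A .png that lacks the PNG signature and is near-random is what an
    encrypted payload hiding behind an image extension looks like.
    """
    ent = shannon_entropy(data)
    magic_ok = data.startswith(PNG_MAGIC) if claimed_ext.lower() == ".png" else None
    return {
        "entropy": round(ent, 3),
        "magic_matches": magic_ok,          # None when we have no signature for the extension
        "is_pe": is_pe(data),
        "suspicious": magic_ok is False and ent >= threshold,
    }


# Constructed samples (not the campaign's real files).
# 1. Minimal real PNG header: signature followed by an all-zero IHDR chunk.
REAL_PNG = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x00" * 4


# 2. Stand-in for an encrypted payload: a deterministic pseudo-random stream.
def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    out, block = bytearray(), seed
    while len(out) < n:
        block = sha256(block).digest()
        out += block
    return bytes(out[:n])


FAKE_PNG = _pseudo_random(4096)

# 3. Smallest buffer is_pe() accepts: 'MZ', e_lfanew = 0x40, 'PE\0\0' at offset 0x40.
MIN_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"

if __name__ == "__main__":
    for name, blob in (("real.png", REAL_PNG), ("709869215.png", FAKE_PNG)):
        print(name, classify_download(blob, ".png"))
```

The signature check alone would also flag a PNG served with a wrong extension, so the entropy score is what separates a misnamed image from an encrypted payload; once the loader has decrypted the blob, is_pe() is the test that the result is an executable rather than more encoding.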
Once decrypted, FormBook is injected into a legitimate Windows process, ImagingDevices.exe, using process hollowing. The decrypted FormBook binary never touches the file system (only the encrypted download and the AdobeID.pdf loader do), so file-based antivirus scanning has nothing to inspect and the stealer runs under the name of a signed Microsoft binary.
The loader creates a suspended instance of the target process, maps the FormBook image into it with NtMapViewOfSection(), redirects the initial thread’s context with Wow64SetThreadContext(), and then resumes the thread with NtResumeThread() so that execution starts inside the injected payload.
“FormBook’s base address is 0x6E0000,” Fortinet adds, “and the RtlUserThreadStart() API is invoked to run the FormBook payload in a newly created thread.”
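The API sequence above (suspended process creation, a memory write into that process, a thread-context change, then a resume) is the behavioural signature a sandbox or EDR uses to catch hollowing regardless of which payload is injected. The following is an added example, not Fortinet’s code: a detector that walks an API-call trace and reports only processes where all three stages occur before the resume. The trace format (one dict per call with pid, api, target_pid, flags) and the sample events are constructed for this example; the only figure taken from the report is the ImagingDevices.exe target.

```python
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess*

# API names counted as each stage of the hollowing sequence. Assumption: the
# trace reports both Win32 and NT-level names; extend as your monitor requires.
STAGE_WRITE = {"NtMapViewOfSection", "WriteProcessMemory", "NtWriteVirtualMemory"}
STAGE_CONTEXT = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}
STAGE_RESUME = {"NtResumeThread", "ResumeThread"}


@dataclass
class HollowState:
    parent_pid: int
    image: str
    wrote_memory: bool = False
    set_context: bool = False


def detect_hollowing(events):
    """Return one finding per suspended child that was written to, had its
    thread context replaced, and was then resumed by another process."""
    suspended = {}   # target_pid -> HollowState
    findings = []
    for ev in events:
        api = ev["api"]
        if api.startswith("CreateProcess") and ev.get("flags", 0) & CREATE_SUSPENDED:
            suspended[ev["target_pid"]] = HollowState(ev["pid"], ev.get("image", "?"))
            continue
        tpid = ev.get("target_pid")
        st = suspended.get(tpid)
        if st is None:
            continue                      # not acting on a suspended child we track
        if api in STAGE_WRITE:
            st.wrote_memory = True
        elif api in STAGE_CONTEXT:
            st.set_context = True
        elif api in STAGE_RESUME:
            if st.wrote_memory and st.set_context:
                findings.append({
                    "technique": "process hollowing",
                    "parent_pid": st.parent_pid,
                    "target_pid": tpid,
                    "image": st.image,
                })
            del suspended[tpid]           # resumed: stop tracking either way
    return findings


# Constructed trace (not a real capture). Three cases:
SAMPLE_TRACE = [
    # 1. ordinary launch: no suspended flag, nothing to track
    {"pid": 1200, "api": "CreateProcessW", "target_pid": 1300, "flags": 0x0, "image": "notepad.exe"},
    {"pid": 1200, "api": "NtResumeThread", "target_pid": 1300},
    # 2. suspended launch that is simply resumed (a debugger or job launcher does this)
    {"pid": 2000, "api": "CreateProcessW", "target_pid": 2100, "flags": CREATE_SUSPENDED, "image": "child.exe"},
    {"pid": 2000, "api": "NtResumeThread", "target_pid": 2100},
    # 3. rundll32 hosting the loader hollows ImagingDevices.exe
    {"pid": 4120, "api": "CreateProcessW", "target_pid": 4188, "flags": CREATE_SUSPENDED, "image": "ImagingDevices.exe"},
    {"pid": 4120, "api": "NtMapViewOfSection", "target_pid": 4188, "base": 0x6E0000},
    {"pid": 4120, "api": "Wow64SetThreadContext", "target_pid": 4188},
    {"pid": 4120, "api": "NtResumeThread", "target_pid": 4188},
]

if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_TRACE):
        print(finding)
```

Case 2 is the false positive this state machine avoids: a suspended start on its own is normal, so the detector demands both a cross-process write and a context change before the resume. Requiring the write stage also keeps it from firing on a debugger that only sets a context to place a breakpoint.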
Organizations are urged to patch Office (CVE-2017-11882 was fixed in November 2017) and remove the legacy Equation Editor component, which Microsoft itself dropped from Office in January 2018, to watch for rundll32.exe loading files with non-DLL extensions from %tmp% and for unexpected HKCU Run entries, and to educate users about phishing threats.