
FortiGuard Labs has uncovered a renewed phishing campaign that abuses CVE-2017-0199, an eight-year-old Microsoft Office vulnerability patched in April 2017, to deploy FormBook, a widely used information-stealing malware family.
The campaign starts with an email posing as a sales order that urges the recipient to open an attached Excel document. “The emails deliver an Excel file designed to exploit the CVE-2017-0199 vulnerability,” FortiGuard researchers explained. In a vulnerable version of Microsoft Office (2007 through 2016), opening the document makes Office fetch a linked OLE object over HTTP; the server answers with an HTA file, which Office hands to the HTML Application host for execution without any user prompt. That HTA then runs a sequence of payloads that ends in a FormBook installation.
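The first stage depends on a relationship inside the OOXML package that points an OLE object at a remote URL instead of an embedded part. The scanner below is an added example written for this article, not FortiGuard's tooling or a sample from the campaign: it unpacks a workbook, walks every `.rels` part, and flags OLE-object relationships whose `Target` is an http/https URL. The workbook it scans is constructed inline with a placeholder `example.invalid` URL; no real malicious document is included.

```python
"""Added example (not from the FortiGuard report): flag OOXML workbooks whose
relationship parts point an OLE object at a remote web server, the delivery
pattern that CVE-2017-0199 abuse relies on."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def external_relationships(xlsx_bytes: bytes) -> list:
    """Return every relationship marked TargetMode="External" in any .rels part.

    Hyperlinks and linked files legitimately use external targets, so this
    list is the raw inventory, not a verdict.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append({
                        "part": name,
                        "type": rel.get("Type"),
                        "target": rel.get("Target") or "",
                    })
    return found


def suspicious_ole_links(xlsx_bytes: bytes) -> list:
    """Narrow the inventory to OLE objects fetched from a web server at open time."""
    return [
        r["target"]
        for r in external_relationships(xlsx_bytes)
        if r["type"] == OLE_REL_TYPE
        and r["target"].lower().startswith(("http://", "https://"))
    ]


def build_sample_workbook(ole_target: str) -> bytes:
    """Constructed minimal package with one OLE relationship and one hyperlink.

    It has just enough parts for the scanner; it is not a valid workbook and
    the URLs are placeholders (assumption, not data from the campaign).
    """
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" '
        f'Target="{ole_target}" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{HYPERLINK_REL_TYPE}" '
        'Target="https://example.invalid/docs" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns='
            '"http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_workbook("http://example.invalid/payload.hta")
    for hit in suspicious_ole_links(doc):
        print("remote OLE object:", hit)
```

The hyperlink relationship in the sample is deliberately left unflagged: external targets are normal for hyperlinks and for OLE objects linked to local files, so the signal is the combination of the `oleObject` relationship type with a web URL. Legacy binary `.xls` files and RTF carriers of the same exploit are OLE2 or RTF rather than zip containers and need a different parser.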

The infection chain is multilayered and evasive:
- Malicious Excel Attachment → Triggers CVE-2017-0199
- HTA File Downloaded → Contains Base64-encoded script
- Script Downloads “sihost.exe” → A lookalike of the legitimate Windows Shell Infrastructure Host name, containing an embedded AutoIt resource named SCRIPT
- AutoIt Logic Extracts “springmaker” → XOR-decoded with the repeating key 3NQXSHDTVT2DPK06
- Decoded Payload → Launches FormBook Malware
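The “springmaker” stage is a plain repeating-key XOR, which is reversible with the key the report names and, because a Windows executable starts with a predictable header, also recoverable without it. The code below is an added example written for this article, not FortiGuard's analysis code or the campaign's AutoIt logic: it decodes a blob with the quoted key, checks that the result has the MZ and PE signatures, and goes one step beyond the article by recovering the key from the DOS-stub string found in most PE files. The payload it works on is a constructed MZ/PE skeleton, not the real FormBook binary, and the stub offset 0x4E is an assumption that holds for typical MSVC-linked binaries but should be confirmed on a real sample.

```python
"""Added example (not from the FortiGuard report): decode a repeating-key XOR
payload with the key quoted in the article, validate that the result is a PE
image, and recover the key from a known-plaintext crib."""
import struct

KEY = b"3NQXSHDTVT2DPK06"              # key named in the FortiGuard write-up
DOS_STUB = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E                  # typical stub text offset (assumption)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key, cycling the key; symmetric, so it encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(blob: bytes, key: bytes = KEY) -> bytes:
    """Decode and refuse to return anything that does not parse as a PE image."""
    plain = xor_repeating(blob, key)
    if not looks_like_pe(plain):
        raise ValueError("decoded data is not a PE image; wrong key or wrong offset")
    return plain


def recover_key(cipher: bytes, key_len: int, crib: bytes, crib_offset: int) -> bytes:
    """Known-plaintext attack on repeating XOR.

    Every key byte is cipher[i] ^ plaintext[i]; the crib must span at least one
    full key period so that every key position is observed once.
    """
    if len(crib) < key_len:
        raise ValueError("crib shorter than key length; cannot fill every key position")
    key = bytearray(key_len)
    for i, p in enumerate(crib):
        pos = crib_offset + i
        key[pos % key_len] = cipher[pos] ^ p
    return bytes(key)


def build_sample_pe() -> bytes:
    """Constructed stand-in for the decoded payload: a minimal MZ/PE skeleton, not runnable."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)         # e_lfanew -> PE header at 0x80
    img[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_pe()
    encoded = xor_repeating(sample, KEY)           # what the AutoIt stage would carry
    assert decode_payload(encoded) == sample
    print("recovered key:", recover_key(encoded, len(KEY), DOS_STUB, DOS_STUB_OFFSET))
```

If the key is unknown, the 39-byte DOS-stub crib covers a 16-byte period twice over, so `recover_key` fills every key slot; for longer keys, pad the crib with the fixed header bytes (the `MZ` magic, the zeroed reserved fields) or brute-force the key length by checking which candidate yields an `MZ`/`PE` pair.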
“By analyzing sections of the obtained sample… it begins with the byte sequence… characteristic of executable files generated by Aut2Exe from AutoIt scripts,” the report explains.
The chain also carries anti-analysis measures:
- IsDebuggerPresent checks, so the AutoIt logic can detect an attached debugger and behave differently under analysis
- XOR encoding of the embedded payload, so the FormBook executable never appears in cleartext on disk
- Use of compiled AutoIt scripting to unpack and launch the payload at runtime rather than dropping it as a plain file
The final payload is the FormBook malware, known for its credential-stealing capabilities. It harvests:
- Keystrokes
- Clipboard data
- Login credentials
- Network traffic
“FormBook is an information-stealing malware known for its ability to capture sensitive data,” FortiGuard notes. Once installed, it exfiltrates the collected data to attacker-controlled servers, which leads to credential compromise, identity theft and, through the downloaded payloads, control of the infected host.
Although patched in 2017, CVE-2017-0199 remains effective because unpatched Office 2007–2016 installations are still common in corporate and small-business environments; applying the 2017 update, or moving off the affected versions, removes the initial foothold this campaign depends on.