
ThreadKit and FormBook Exploitation of an Old Microsoft Vulnerability Shows an Uptick

E-mail messages are frequently sent over untrusted networks that lie outside the organization’s security boundary. When these messages lack appropriate security safeguards, they can be read, copied, and modified at any point along the way. In India alone, email marketing has been used extensively in the media, IT and telecom, retail/e-commerce, travel and leisure, and BFSI industries as the primary marketing channel for business expansion, customer retention, and customer satisfaction.

According to one market study, the worldwide market for email marketing stood at US $4.51 billion in 2016. Expanding at a healthy CAGR of 19.60% between 2017 and 2025, this market is expected to reach US $22.16 billion by the end of 2025.

E-mail security relies on principles of good planning and management that provide for the security of both the e-mail system and the surrounding IT infrastructure. Without proper security controls, attackers can exploit e-mail to gain a foothold in the organization and access confidential information.

According to recent research, a file-hosting service registered within the last week is being used to spread information-stealing malware in another FormBook campaign, currently targeting retail and hospitality businesses both within and outside the US.

In a recent blog post, researchers wrote, “As with many information stealing and credential harvesting malware, FormBook’s infection chain starts with a phishing Email containing a malicious attachment, which is generally an Office document or a PDF file.”

The vulnerability, first disclosed and patched by Microsoft in July 2017, is now being exploited again by ThreadKit (an exploit kit popular among low-skilled attackers) in conjunction with the FormBook malware (a data stealer and form grabber). This serves as a timely reminder of how important it is to install patches when they are released.

The origins of the vulnerability go back to July 2017, when Microsoft published CVE-2017-8570, a high-severity code execution vulnerability in Office. Although Microsoft released a patch the same month, the vulnerability was still exploited in the wild. The first reported exploit came one month later, with a subsequent instance from ThreadKit following in March 2018. Now a third wave of exploitation has been spotted, one and a half years after the vulnerability was first published.

How Does the FormBook Exploit Work?

The exploit works by emailing a Word document to the user. The email address and the subject appear to be authentic: they contain details that look real and often mimic the addresses and the verbiage of genuine companies. This social engineering method helps to establish trust with the user, leaving them with few reservations about opening the attached file.

If the user is fooled by the email and opens the attachment, the RTF file opens and closes almost immediately. While this looks as though Word has simply crashed, what is actually happening is that the document is downloading and extracting a ZIP file. Another fake Word document, containing the source code for a phishing HTML page and the malware payload, is stashed within this ZIP file.

The user is unaware that this is happening. All they see is the original Word document appearing on their screen. For all intents and purposes, they believe that Word crashed and then rebooted. They have little idea that they’re now harbouring a malicious stowaway that’s ingesting their confidential data.

How to Protect Yourself Against the FormBook Malware?

Thankfully, the effects of this exploit, and of others like it, can be avoided by installing patches when they are released. But for many operations teams, a patch from summer 2017, for a vulnerability that was not rated critical, does not simply jump to the front of the to-do list.

In organizations where threat intelligence isn’t regularly incorporated in patch prioritization, this vulnerability will likely remain unpatched.

Skybox first alerted customers to the exploitability of the vulnerability in August 2017, raising the remediation priority to “urgent.” See how our threat-centric vulnerability management approach prioritizes vulnerabilities by exploitability and exposure in our e-book.
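The two paragraphs above make the case that a "high" but not "critical" Office bug should move to the front of the queue once it is being exploited in the wild and packaged in an exploit kit. The following is an added example of that kind of threat-centric prioritization; it is not Skybox's scoring model or code from the article. The weights, thresholds and bucket names are this example's own assumptions, and every entry other than CVE-2017-8570 (July 2017, high severity, exploited in the wild from August 2017, in ThreadKit from March 2018, all per the article) is a constructed placeholder.

```python
"""Threat-centric patch prioritization: rank findings by exploitability and
exposure rather than by base severity alone.

Added example; not Skybox's model or the article's code. Weights, thresholds
and the placeholder CVEs are assumptions constructed for illustration.
"""

from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    cve: str
    base_severity: str          # "critical", "high", "medium" or "low"
    published: date
    exploited_in_wild: bool = False
    in_exploit_kit: bool = False
    exposed_assets: int = 0     # hosts running the vulnerable product
    internet_facing: bool = False


SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def priority_score(f: Finding, today: date) -> float:
    """Combine severity, exploitability, exposure and age into one number."""
    score = float(SEVERITY_SCORE[f.base_severity])
    # Exploitability: observed exploitation outweighs theoretical severity.
    if f.exploited_in_wild:
        score += 4
    if f.in_exploit_kit:
        score += 2          # commoditised: usable by low-skilled attackers
    # Exposure: how many assets, and whether they are reachable from outside.
    score += min(f.exposed_assets, 1000) / 250      # up to +4
    if f.internet_facing:
        score += 1
    # Age: an old, exploited, still-unpatched bug is a liability, not noise.
    years_open = (today - f.published).days / 365.25
    if f.exploited_in_wild and years_open >= 1:
        score += 1
    return round(score, 2)


def remediation_bucket(score: float) -> str:
    if score >= 10:
        return "urgent"
    if score >= 7:
        return "high"
    if score >= 4:
        return "normal"
    return "low"


def prioritize(findings: list, today: date) -> list:
    """Return (cve, score, bucket) tuples, highest priority first."""
    ranked = [(f.cve, priority_score(f, today), remediation_bucket(priority_score(f, today)))
              for f in findings]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed inventory. CVE-2017-8570 facts follow the article; the day of
# publication is not given there, so the first of the month is used.
TODAY = date(2019, 1, 15)   # constructed "one and a half years later" date
INVENTORY = [
    Finding("CVE-2017-8570", "high", date(2017, 7, 1),
            exploited_in_wild=True, in_exploit_kit=True, exposed_assets=400),
    # Placeholder: a recent critical server bug with no known exploitation.
    Finding("CVE-XXXX-PLACEHOLDER-A", "critical", date(2018, 12, 1),
            exposed_assets=1000, internet_facing=True),
    # Placeholder: a medium bug on a handful of internal hosts.
    Finding("CVE-XXXX-PLACEHOLDER-B", "medium", date(2018, 6, 1),
            exposed_assets=50),
]


if __name__ == "__main__":
    for cve, score, bucket in prioritize(INVENTORY, TODAY):
        print(f"{cve:28s} {score:5.2f}  {bucket}")
```

With these weights the 2017 Office bug scores 11.6 and lands in "urgent", ahead of the constructed critical-severity server bug at 9.0, which is the reordering the article argues for: exploitation evidence and exposure, not the CVSS label alone, decide what gets patched first.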

As a general note of caution when using Microsoft Office: make sure editing mode and macros are disabled, as either could allow a payload to be launched from a malicious file simply by opening it or by pressing a common keyboard shortcut. In most cases, Office products prevent macros from running by default, but it is worth checking. And, as always, exercise extreme caution when opening email attachments, even when they appear to come from a genuine source. It is all too easy to fall into the cybercriminals’ traps.