216.73.216.78

End-of-Year PTO: Days Off and Data Exfiltration with Formbook

· Published 06/12/2024 22:10 · Modified 09/12/2024 12:01

Export JSON

Essential information

Published
06/12/2024 22:10
Modified
09/12/2024 12:01
Tags
2024-12-06 autoit credential harvesting data exfiltration formbook holiday-themed keylogging phishing process injection
Related entities
6 techniques (mitre), 1 malware

Description

A campaign disguised as an end-of-year leave approval notice has been intercepted by the Cofense Defense Center. The malicious email, masquerading as HR communication, tricks recipients into clicking a link that leads to the deployment of malware. The email contains red flags such as an external sender warning and a SendGrid-wrapped URL. The malware, an compiled executable, uses techniques to evade detection and execute its payload. performs reconnaissance, injects code into svchost.exe and Utilman.exe, and carries out , , and . The attack exploits the urgency of year-end leave scheduling to infiltrate organizations and steal sensitive information.

External references