Formbook Phishing Campaign with old Payloads
Essential information
- Published: 07/01/2025 14:23
- Modified: 07/01/2025 16:36
- Tags: 2025-01-07, formbook, stealer, phishing, process-hollowing, steganography, xml
- Related entities: 1 observable, 10 techniques (MITRE), 1 malware
Description
A recent phishing campaign has been observed delivering the Formbook stealer through email attachments. The malware uses multiple stages and steganography to hide malicious files inside images. The infection chain involves three stages before the final payload: Purchase Order.exe, Arthur.dll, and Montero.dll. The attack begins with a spear-phishing email containing a purchase order and a zip file attachment. The malware employs various evasion techniques, including process hollowing, mutex creation, and adding itself to exclusion paths. It also creates scheduled tasks for persistence and can download additional payloads or receive commands from the threat actor's C2 server. The final payload is a highly obfuscated, MASM-compiled 32-bit binary.