Formbook Phishing Campaign with old Payloads

· Published 07/01/2025 14:23 · Modified 07/01/2025 16:36

Essential information

Published
07/01/2025 14:23
Modified
07/01/2025 16:36
Tags
2025-01-07 formbook stealer phishing process-hollowing steganography xml
Related entities
1 observables, 10 techniques (mitre), 1 malware

Description

A recent campaign has been observed delivering the Formbook stealer through email attachments. The malware uses multiple stages and steganography to hide malicious files inside images. The infection chain involves three stages before the final payload: Purchase Order.exe, Arthur.dll, and Montero.dll. The attack begins with a spear-phishing email containing a purchase order and a zip file attachment. The malware employs various evasion techniques, including process hollowing, mutex creation, and adding itself to exclusion paths. It also creates scheduled tasks for persistence and can download additional payloads or receive commands from the threat actor's C2 server. The final payload is a highly obfuscated 32-bit MASM-compiled binary.

External references