A new wave of document-based attacks targeting inboxes does not require victims to enable macros; adversaries can trigger an infection chain that ultimately delivers FormBook malware without them.
Researchers at Menlo Security are reporting a wave of attacks, which began last month, targeting the financial and information services sectors in the Middle East and the United States. The infection method is a new multi-stage technique.
The company, which released details of the method Monday, said the attacks are adept at evading security products such as sandboxes and antivirus, which fail when a document contains no malicious content or rogue links to detect.
“The absence of active code or shellcode in the first stage malicious document, which was sent as an email attachment, is noteworthy because this attack relies on a remotely-hosted malicious object,” said Vinay Pidathala, director of security research at Menlo Security.
Researchers said attackers are exploiting “design flaws” in the .docx and RTF document formats, combined with abusing unpatched instances of a remote code execution vulnerability, CVE-2017-8570, which was patched in July 2017.
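As an added defensive example (not code from the Menlo Security report), the following Python inspects a .docx package for relationships that make Word fetch remote content when the file is opened, which is the kind of first-stage document described above: no macros, no shellcode, only a reference to an externally hosted object. The watch list of relationship types and the constructed test package are assumptions made for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace used by every *.rels part inside a .docx package.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types that make Word fetch and render the target on open
# (unlike a plain hyperlink the user must click). Assumed watch list.
RISKY_REL_TYPES = {"oleObject", "attachedTemplate", "frame", "subDocument"}


def external_relationships(docx_bytes):
    """Return (rels_part, relationship_type, target) for every relationship
    whose TargetMode is External, i.e. content that lives outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                hits.append((name, rel_type, rel.get("Target", "")))
    return hits


def suspicious_remote_objects(docx_bytes):
    """Keep only external relationships whose type loads the target automatically."""
    return [h for h in external_relationships(docx_bytes) if h[1] in RISKY_REL_TYPES]


def build_sample_docx(rel_type, target):
    """Constructed minimal package (test fixture, not a real document): one empty
    document part plus one external relationship of the given type."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument'
        f'/2006/relationships/{rel_type}" Target="{target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml",
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder target; a real triage run would pass the bytes of the attachment under review.
    sample = build_sample_docx("oleObject", "http://remote.example.invalid/object.bin")
    print(suspicious_remote_objects(sample))
```

Because the check reads only the package relationships, it flags the document even when the remote object has not been fetched, which is exactly the case where detonation-based tools see nothing.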