Summary:
The article analyses a phishing email posing as an HR notice about end-of-year leave and vacation approvals. The message links, through a Google redirect to a Discord CDN attachment, to an archive carrying a FormBook executable, and leans on the urgency of holiday scheduling to get recipients to click. The analysis walks through the AutoIt-compiled loader, its process injection into a trusted process, and FormBook's credential-harvesting and keylogging capabilities, and stresses employee training in spotting such lures.
#PhishingScams #FormBookMalware #EmailSecurity
Keypoints:
Phishing email impersonates HR communication about leave approvals.
Email includes a malicious link that leads to FormBook malware.
Red flags include the external-sender tag on the email and a download link that routes through a Google redirect to a Discord CDN rather than to any HR system.
Malware is disguised as a .zip file containing an executable.
FormBook malware is capable of credential harvesting and keylogging.
Technical analysis reveals the use of AutoIt for process injection.
Recommendations for employees include verifying email sources and inspecting links.
MITRE Techniques:
Valid Accounts (T1078): Abuse credentials of existing accounts.
Native API (T1106): Compiled with AutoIt for execution.
DLL Side-Loading (T1574.002): Execute malicious payloads by side-loading DLLs.
Process Injection (T1055): Inject malicious code into trusted processes.
OS Credential Dumping (T1003): Attempt to dump credentials from the operating system.
IoC:
[URL] hXXp://www[.]7261ltajbc[.]bond/cbbl/?aX=paPsyhkx/nE5gApOwy99MfqP09TNE5t/PnUzFNUQtr02YB3yPLZBROPMMVRkOMhc4Y+f4YmWe6fkW51HF6bKgtyZQkenfIZhWb80W8tCuarD22utTQitiVGOqTZqIbb31lBrl2g=&YHuX=yftHppt154[.]12[.]28[.]184
[URL] hxxps[://]www[.]google[.]com/url?q=hxxps[://]cdn[.]discordapp[.]com/attachments/1309071256703991839/1309114652906491935/
[File Name] Mandatory_Notice_for_all_December_Leave_and_Vacation_application.exe
[File Hash] MD5: 201ad7754669b4d766349530adcca029
[File Hash] SHA256: E16A801F068E55F9B014AC4B4CDE9415FEC763830EF433CB4EB3E0EE9734BF04
[File Name] Mandatory_Notice_for_all_December_Leave_and_Vacation_application.xls.z
[File Hash] MD5: 7e78e1c67017e5fd2f63c2744358198f
[File Hash] SHA256: 0583eb0dfc05ee6889f49e0da5cb7e48128cb41db627a64045d74e11fa85754c
Mitigation:
Train employees to verify email sources and ensure sender domains match official channels.
Encourage users to hover over links before clicking to see the real destination; a link whose target does not match the claimed HR source, or that passes through a redirect (here google.com/url pointing at a Discord CDN), should be treated as suspect.
Advise caution with urgent requests: staff should pause and evaluate any email that pushes for immediate action.
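The IoC list above and the link-inspection advice under Mitigation, as one added Python example (this is not code from the Cofense article): it refangs the listed URLs and hashes, unwraps the google.com/url?q= redirect to the real download location, and checks constructed proxy-log lines and attachment hashes against the indicators. Query strings are dropped when matching because FormBook varies them per beacon; the log lines, the client addresses and the second attachment hash are constructed for the demonstration.

```python
"""Added example (not code from the Cofense article): refang the page's
IoCs, unwrap the Google redirect to the real download location, and check
constructed proxy-log lines and attachment hashes against them."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# URL indicators copied from the IoC list above, still defanged.
IOC_URLS = [
    "hXXp://www[.]7261ltajbc[.]bond/cbbl/?aX=paPsyhkx/nE5gApOwy99MfqP09TNE5t/"
    "PnUzFNUQtr02YB3yPLZBROPMMVRkOMhc4Y+f4YmWe6fkW51HF6bKgtyZQkenfIZhWb80W8tCuarD"
    "22utTQitiVGOqTZqIbb31lBrl2g=&YHuX=yftHppt154[.]12[.]28[.]184",
    "hxxps[://]www[.]google[.]com/url?q=hxxps[://]cdn[.]discordapp[.]com/"
    "attachments/1309071256703991839/1309114652906491935/",
]
# MD5 and SHA256 values from the IoC list, lower-cased for case-insensitive matching.
IOC_HASHES = {
    "201ad7754669b4d766349530adcca029",
    "e16a801f068e55f9b014ac4b4cde9415fec763830ef433cb4eb3e0ee9734bf04",
    "7e78e1c67017e5fd2f63c2744358198f",
    "0583eb0dfc05ee6889f49e0da5cb7e48128cb41db627a64045d74e11fa85754c",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [://]) back into its real form."""
    ioc = ioc.replace("[.]", ".").replace("[://]", "://")
    return re.sub(r"h[xX]{2}p(s?)://", r"http\1://", ioc)


def unwrap_redirect(url: str) -> str:
    """Follow a google.com/url?q=... wrapper to the destination it hides.
    Any other URL is returned unchanged."""
    parts = urlparse(url)
    if parts.netloc.lower() in ("google.com", "www.google.com") and parts.path == "/url":
        target = parse_qs(parts.query).get("q")
        if target:
            return unquote(target[0])
    return url


def indicator_prefixes() -> list:
    """(host, path) pairs derived from IOC_URLS; query strings are dropped
    because FormBook changes them on every beacon."""
    prefixes = []
    for ioc in IOC_URLS:
        parts = urlparse(unwrap_redirect(refang(ioc)))
        prefixes.append((parts.netloc.lower(), parts.path or "/"))
    return prefixes


def match_url(url: str) -> Optional[str]:
    """Return the matching indicator as 'host/path', or None."""
    parts = urlparse(unwrap_redirect(url))
    host, path = parts.netloc.lower(), parts.path or "/"
    for ioc_host, ioc_path in indicator_prefixes():
        if host == ioc_host and path.startswith(ioc_path):
            return ioc_host + ioc_path
    return None


# Constructed proxy-log format: timestamp client method url status
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

SAMPLE_PROXY_LOG = """\
2024-11-21T09:14:02Z 10.0.0.17 GET https://www.google.com/url?q=https://cdn.discordapp.com/attachments/1309071256703991839/1309114652906491935/ 302
2024-11-21T09:14:05Z 10.0.0.17 GET https://cdn.discordapp.com/attachments/1309071256703991839/1309114652906491935/Mandatory_Notice_for_all_December_Leave_and_Vacation_application.xls.z 200
2024-11-21T09:16:40Z 10.0.0.17 GET http://www.7261ltajbc.bond/cbbl/?aX=AAAA&YHuX=yftHppt 200
2024-11-21T09:17:01Z 10.0.0.22 GET https://www.google.com/url?q=https://intranet.example.com/hr/leave-policy 302
2024-11-21T09:17:03Z 10.0.0.22 GET https://intranet.example.com/hr/leave-policy 200
"""


def scan_proxy_log(text: str) -> list:
    """Return one dict per log line whose (unwrapped) URL hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        ioc = match_url(url)
        if ioc:
            hits.append({"time": ts, "client": client, "url": url, "ioc": ioc})
    return hits


# Constructed attachment inventory: filename -> hex digest (the second is a dummy).
SAMPLE_ATTACHMENT_HASHES = {
    "Mandatory_Notice_for_all_December_Leave_and_Vacation_application.xls.z":
        "0583EB0DFC05EE6889F49E0DA5CB7E48128CB41DB627A64045D74E11FA85754C",
    "Q4_leave_calendar.pdf": "0" * 64,
}


def scan_hashes(observed: dict) -> list:
    """Return the filenames whose MD5 or SHA256 appears in the IoC hash set."""
    return sorted(name for name, digest in observed.items()
                  if digest.lower() in IOC_HASHES)


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print(scan_hashes(SAMPLE_ATTACHMENT_HASHES))
```

The unwrapping step matters for both detection and user guidance: the visible link is on google.com, which looks harmless in a hover tooltip, while the q= parameter carries the Discord CDN path that actually serves the archive. Matching on host plus path prefix rather than the full URL keeps the C2 indicator useful after the per-beacon query string changes.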
Full Research: https://cofense.com/blog/end-of-year-pto-days-off-and-data-exhilaration-with-formbook