Formbook, a well-known family of information-stealing malware that grabs user input from forms, has over the past months been actively repackaging itself to gain more ground in the threat landscape. This time we have seen a well-known RTF exploit, CVE-2017-11882, being used by threat actors to deliver this malware to unsuspecting users.
The RTF documents, detected by Cyren as RTF/CVE-2017-11882.S.gen!Camelot, have file sizes ranging from 400KB to 4.5MB, but the valid RTF objects only account for around 10-12KB; the bulk of each document is garbage data padded in simply to obfuscate and hide the exploit.
A quick view of the RTF document with the rtfobj tool shows two embedded objects, a VBScript and an Equation.3 object. Equation Editor objects are still widely seen being exploited in the wild.
We have confirmed that the Equation.3 object is indeed exploited and serves as the launcher for the embedded VBScript, whose main purpose is to download and execute a base64-encoded PowerShell script component from cdn.discordapp.com. The abuse of Discord's content delivery network to serve malicious components is also evident after decrypting similar variants of the RTF exploits from this campaign. Shown below are snippets of the code and their decoded formats.
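As an added triage example (not Cyren's tooling and not code from the campaign), the script below does the two checks described above in plain Python: it pulls each `\objdata` hex run out of an RTF, reads the OLE 1.0 object header to recover the class name (so an Equation Editor object is flagged regardless of how `\objclass` is written), and measures how much of the file lies outside the embedded objects, which is the padding ratio that makes these 400KB-4.5MB documents stand out. The sample RTF is constructed inline; the field layout follows MS-OLEDS 2.2.4 and the "Equation" class-name prefix is the assumed detection key.

```python
import re
import struct

# Constructed sample RTF (not a file from the campaign): one embedded OLE 1.0
# object whose header names the class "Equation.3", surrounded by junk text
# the way the reported documents are padded with garbage data.
def build_sample_rtf(class_name=b"Equation.3", native=b"X" * 32, padding=2000):
    def lpstr(s):  # LengthPrefixedAnsiString: length includes the NUL, 0 = absent
        return (struct.pack("<I", len(s) + 1) + s + b"\x00") if s else struct.pack("<I", 0)
    header = struct.pack("<II", 0x00000501, 0x00000002)    # OLEVersion, FormatID=embedded
    header += lpstr(class_name) + lpstr(b"") + lpstr(b"")  # ClassName, TopicName, ItemName
    objdata = header + struct.pack("<I", len(native)) + native  # NativeDataSize, NativeData
    junk = b"{\\*\\junk " + b"Z" * padding + b"}"
    return (b"{\\rtf1" + junk + b"{\\object\\objemb{\\*\\objclass " + class_name +
            b"}{\\*\\objdata " + objdata.hex().encode() + b"}}}")

OBJDATA_RE = re.compile(rb"\\objdata\b([^{}]*)")  # hex run up to the group's closing brace

def parse_ole1_header(blob):
    """Read the OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4) that \\objdata carries."""
    version, fmt = struct.unpack_from("<II", blob, 0)
    off, names = 8, []
    for _ in range(3):                      # ClassName, TopicName, ItemName
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        names.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1"))
        off += n
    size = struct.unpack_from("<I", blob, off)[0] if fmt == 2 else None
    return {"ole_version": version, "format_id": fmt,
            "class_name": names[0], "native_size": size}

def triage_rtf(data):
    """List embedded objects, flag Equation Editor targets, and measure padding."""
    objects, hex_chars = [], 0
    for m in OBJDATA_RE.finditer(data):
        hexrun = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))  # drop whitespace/newlines
        try:
            info = parse_ole1_header(bytes.fromhex(hexrun.decode()))
        except (ValueError, struct.error):
            continue                        # malformed or truncated object data
        # Assumed detection key: any Equation.* class name targets Equation Editor
        info["equation_editor"] = info["class_name"].lower().startswith("equation")
        objects.append(info)
        hex_chars += len(hexrun)
    return {"objects": objects, "file_bytes": len(data),
            "padding_ratio": 1 - hex_chars / max(len(data), 1)}  # share of file outside objects

if __name__ == "__main__":
    print(triage_rtf(build_sample_rtf()))
```

Run it against a real document with `triage_rtf(open(path, "rb").read())`; a high padding ratio together with an Equation Editor object is the combination this campaign shows.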
Reversed:
Decoded:
The data downloaded from Discord's CDN is a base64-encoded PowerShell script that behaves similarly to a variant documented in November 2020 (https://isc.sans.edu/forums/diary/PowerShell+Dropper+Delivering+Formbook/26806/), including the bypass of AMSI integration highlighted in the decoded PowerShell payload shown below.
After bypassing AMSI, a .NET-compiled DLL that is encoded and stored in the variable $PROCESS_INFORMATION is decompressed and loaded as an assembly, which eventually executes a variant of Formbook using the code shown below.
Below is a view of the exported function from the loaded .NET-compiled DLL that is used to execute the final malware payload.
Cyren detects these components as W32/Formbook.A.gen!Eldorado and W32/MSIL_Injector.XD.gen!Eldorado.
Indicators of Compromise