Identifying exploits and adversary tradecraft of FORMBOOK information-stealing campaign


We wanted to call out some great adjacent research from the team at Sophoslabs Uncut that was released on December 21, 2021. Research groups frequently analyze similar (or in this case, identical) campaigns through their own unique lens. This is fantastic for the security community, as the campaign gets more eyes and different perspectives applied towards the same problem.

Elastic researches exploits, vulnerabilities, and threats on an ongoing basis. Recently, we published research covering the FORMBOOK campaign, which steals information through phishing and takes advantage of the MSHTML exploit chain. While researching the FORMBOOK campaign, the Elastic Security Intelligence & Analytics team identified distinct campaign phases and, through a tradecraft oversight by the operators, shared infrastructure between them. This allowed the different phases to be associated with one another and showed how the campaign evolved over time.

On September 7, 2021, Microsoft confirmed a vulnerability for the browser rendering engine used in several applications such as those within the Microsoft Office suite. Within three days [1] [2], proof-of-concept code was released, highlighting the maturity of the exploit development ecosystem and underscoring the importance of proactive threat hunting and patch management strategies.

In a nutshell, the research shows the following:

  • The speed at which vulnerability PoCs are being released highlights the need to leverage threat hunting to identify post-exploitation events before patches can be applied
  • A FORMBOOK campaign was observed combining infrastructure that allowed testing and production phases to be linked together
  • Patching for the MSHTML exploit appears to be effective as the campaign shifted from attempting to use the exploit to a traditional phishing malware-attachment approach
  • The campaign required a multi-process attack chain to load a DLL file onto victim systems

The Elastic research on this campaign is comprehensive: it provides a full overview and analysis, covering both the testing infrastructure and the production phase. Elastic also shares how you can detect and defend against specific indicators of this campaign, along with the associated indicators of compromise.

This situation is still developing, as more research about FORMBOOK and its impact continues to emerge. This campaign is in its early stages, so expect us to post more on this topic as we identify the proper cybersecurity measures to take to protect your organization.

In the meantime, you can try Elastic Security with a free 14-day trial of Elastic Cloud. Or download the self-managed version of the Elastic Stack for free.