No Macros Required: Design in RTF and Vulnerability in Office Exploited to Deliver Formbook RAT

Security researchers uncovered a multi-stage attack chain that takes advantage of a design behavior in Rich Text Format (RTF) files and a vulnerability in Microsoft Office (CVE-2017-8570) to deliver the Formbook remote access trojan (RAT). Here’s what organizations need to know to proactively respond to this threat:

[RELATED: Trickbot Data Stealer Adds Detection Evasion and Screen-Locking Features]

What is Formbook?

Formbook has keylogging and screenshot-grabbing capabilities. It can also download other payloads and other malicious components as well as steal then exfiltrate data. According to the researchers, this version of Formbook also has malicious components normally found in banking trojans.

In December 2017, Trend Micro observed several cybercriminal groups delivering Formbook and a plethora of other information-stealing malware. Their campaigns also employed RTF documents that exploited a different vulnerability (CVE-2017-11882).

[READ: Challenging problem of SMB security might need third party intervention]

The attack chain

The infection chain is two-pronged. The first stage of the attack involves spam email containing a Microsoft Word document (.docx) embedded with a malicious URL in the file’s frameset (HTML tags that contain frames needed to load documents). Once a would-be victim opens the file, an attacker-specified object will be retrieved then rendered in the document. In a Formbook sample the researchers reverse engineered, the URL redirects to another command-and-control (C&C) URL that has the exploit-laden RTF file. This attack does not require macros and shellcode.

The second stage of the infection chain abuses a design behavior in RTFs and exploits CVE-2017-8570 in order to infect the system with Formbook. When RTF documents are embedded with objects, the objects are automatically dropped in the Temp (%TEMP%) system folder. The Cobalt group is among those that also take advantage of this behavior in RTFs to deliver their information stealers. It then exploits the remote code execution vulnerability CVE-2017-8570 (patched in November last year) to execute the payload.

[READ: A historical overview of proactive incident response strategies and what they mean to enterprises]

What’s the impact, and how can this threat be mitigated?

While the techniques aren't new, the abuse of a normal program behavior and use of an exploit make this attack a credible threat. The multi-stage infection chain is also notable, indicating the groundwork its operators took to mount their attacks. These techniques also provide means to slip past security controls such as traditional sandboxes and perform its activities without raising red flags.

For instance, other cybercriminal or cyberespionage groups employ the same technique of using malformed RTFs to deliver their own information stealers, such as Loki and Pony/FAREIT. Knowing this helps system administrators and information security professionals broaden their approach when hunting for threats. What are Formbook’s entry points and what can be done to bridge their security gaps? What legitimate programs or tools were abused so they can be disabled and restricted on endpoints? Are its malicious activities hiding behind legitimate network traffic? Indeed, the apparent ease with which the malware can be deployed — and how it can bypass traditional security — calls for a proactive incident response strategy. This equips organizations with actionable intelligence helps them actively detect, analyze, and respond to threat.

Trend Micro Solutions

Trend Micro™ Deep Security™, Vulnerability Protection, and TippingPoint provide virtual patching that protects endpoints from threats that abuse unpatched vulnerabilities.  

Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network.  Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent malware from ever reaching end users. At the endpoint level, Trend Micro™ Smart Protection Suites, deliver several capabilities that minimize the threat’s impact. 

These solutions are powered by the Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centerscloud environmentsnetworks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.