Threadkit, Formbook Exploit Old Microsoft Vulnerability

Sivan Nir, Feb 6, 2019

A vulnerability first discovered and patched by Microsoft in July 2017 is being exploited again by ThreadKit (an exploit kit popular among low-skilled attackers), this time to deliver the Formbook malware (a data stealer and form grabber). It serves as a timely reminder of how important it is to install patches when they are released.

The origins of this vulnerability go back to July 2017, when Microsoft published CVE-2017-8570, a high-severity remote code execution vulnerability in Microsoft Office. Although Microsoft released a patch the same month, the vulnerability was still exploited in the wild. The first reported exploit came one month later, with a subsequent instance from ThreadKit following in March 2018. Now a third exploit has been spotted, a year and a half after the vulnerability was first published.

How Does the Exploit by Formbook Work?

The attack starts with a Word document e-mailed to the user. The sender address and the subject line appear authentic: they contain details that look real and often mimic the addresses and the wording of genuine companies. This social engineering establishes trust with the user, leaving them with few reservations about opening the attached file.

If the user is fooled by the e-mail and clicks the attachment, the file (an RTF document that Word opens as a normal document) opens and closes almost immediately. While this looks like Word has simply crashed, what is actually happening is that the document is downloading and extracting a ZIP file. Stashed within this ZIP file is another fake Word document, the source code for a phishing HTML page and the malware payload.

The user is unaware that any of this is happening. All they see is the original Word document appearing on their screen. For all intents and purposes, they believe that Word crashed and then restarted. They have little idea that they are now harboring a malicious stowaway that is harvesting their confidential data.
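The chain above turns on one detail a mail gateway can check without knowing anything about the payload: Word decides how to open a file from its contents, not its extension, so an RTF file can arrive under a .doc name and look like an ordinary Word document. The following triage routine is an added example, not code from the original post or from any product mentioned in it. It sniffs the real container type, flags a file name that does not match it, and, for RTF, reports the control words that introduce embedded OLE objects (`\object`, `\objemb`, `\objautlink`, `\objupdate`, `\objdata`), since a letter that consists of little more than an embedded object deserves a second look. The sample attachments at the bottom are constructed for the demonstration; no claim is made about what control words this particular campaign's document used.

```python
import re

# Magic bytes for the three container types Word will open.
RTF_MAGIC = b"{\\rtf"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                          # .docx/.xlsx/.pptx and plain .zip

# RTF control words that introduce an embedded OLE object or its serialized
# data. Ordinary correspondence rarely needs any of them.
OBJECT_WORDS = (b"\\object", b"\\objemb", b"\\objautlink", b"\\objupdate", b"\\objdata")

# Which extensions honestly describe each container type (assumed policy).
EXPECTED_EXT = {
    "rtf": {"rtf"},
    "ole2": {"doc", "xls", "ppt"},
    "zip": {"docx", "docm", "xlsx", "xlsm", "pptx", "zip"},
}


def sniff_type(data: bytes) -> str:
    """Identify the container by content, not by the name the sender chose."""
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict plus the findings that justify it."""
    kind = sniff_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []

    # Word opens RTF whatever the extension says, so a .doc that is really RTF
    # is a mismatch the recipient will never notice.
    if kind in EXPECTED_EXT and ext not in EXPECTED_EXT[kind]:
        findings.append(f"content is {kind} but file name says .{ext or '(none)'}")

    if kind == "rtf":
        hits = [w.decode() for w in OBJECT_WORDS if w in data]
        if hits:
            # Count \object groups; \b stops \object from matching longer words.
            n_objects = len(re.findall(rb"\\object\b", data))
            findings.append(
                f"{n_objects} embedded object(s); control words: {', '.join(hits)}"
            )

    return {
        "type": kind,
        "findings": findings,
        "verdict": "quarantine" if findings else "pass",
    }


# Constructed samples (not real malware): a clean .docx, a clean RTF letter,
# and an RTF named as a .doc whose only real content is an embedded object.
SAMPLES = {
    "invoice.docx": ZIP_MAGIC + b"\x14\x00\x06\x00" + b"[Content_Types].xml",
    "letter.rtf": b"{\\rtf1\\ansi\\deff0 Dear customer, please find the invoice attached.}",
    "Invoice_2019.doc": (
        b"{\\rtf1\\ansi\\deff0"
        b"{\\object\\objemb\\objupdate{\\*\\objdata 0105000002000000}}"
        b"}"
    ),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage_attachment(name, blob))
```

Run as a script, the clean .docx and the plain RTF letter pass, while the .doc that is really an RTF carrying an embedded object is quarantined with both findings listed. In production the same two checks belong in the gateway's attachment pipeline, with the ZIP branch extended to look inside the archive, since the page's own chain stages its payload in a ZIP.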

How to Protect Yourself Against the Formbook Malware

Thankfully, the effects of this exploit, and others like it, can be avoided by installing patches when they are released. But for many operations teams, a patch from summer 2017 for a vulnerability that Microsoft did not rate critical does not simply jump to the front of the to-do list.

In organizations where threat intelligence isn’t regularly incorporated in patch prioritization, this vulnerability will likely remain unpatched.

Skybox first alerted customers to the exploitability of the vulnerability in August 2017, raising its remediation priority to "urgent." See how our threat-centric vulnerability management approach prioritizes vulnerabilities by exploitability and exposure in our e-book.

As a general note of caution when using Microsoft Office: leave Protected View on rather than clicking "Enable Editing," and keep macros disabled, since either could allow the payload to launch from a malicious file simply by opening it or by pressing a common keyboard shortcut. In most cases, Office blocks macros from running by default, but it is worth checking. And, as always, exercise extreme caution when opening e-mail attachments, even if they appear to come from a genuine source. It is only too easy to fall into the cybercriminals' traps.

Related posts

Vulnerability and Trends Threat Report 2019: Microsoft Windows was the third most exploited product in 2018, behind Google Android and Adobe Acrobat. Read more in the latest report from the Skybox Research Lab.

Zero-Day Attack on Russia Prompts OOB Patches: Read what happened when a malicious Word document was used to exploit an Adobe Flash Player bug in a targeted zero-day attack on Russia in late 2018.

Sivan Nir is a senior analyst in the Skybox Research Lab, a team of dedicated vulnerability researchers who aggregate and analyze vulnerability data from more than 30 public and private vulnerability data sources. Sivan has more than 10 years' experience in business intelligence data analysis. Sivan holds an MBA and a bachelor's degree in Biotechnology Engineering.
