{"id":18464,"date":"2022-03-09T12:10:02","date_gmt":"2022-03-09T20:10:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/03\/09\/news-12197\/"},"modified":"2022-03-09T12:10:02","modified_gmt":"2022-03-09T20:10:02","slug":"news-12197","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/03\/09\/news-12197\/","title":{"rendered":"FormBook spam campaign targets citizens of  Ukraine\ufe0f"},"content":{"rendered":"<p><strong>Credit to Author: Threat Intelligence Team| Date: Wed, 09 Mar 2022 19:35:09 +0000<\/strong><\/p>\n<p>Our Threat Intelligence team has been closely monitoring cyber threats related to the war in Ukraine. Today, we <a href=\"https:\/\/twitter.com\/MBThreatIntel\/status\/1501561403370610691?s=20&amp;t=hJY3PIyy1Zywc92qd93JNg\" target=\"_blank\" rel=\"noreferrer noopener\">discovered<\/a> a malicious spam campaign dropping the Formbook stealer specifically targeting Ukrainians.<\/p>\n<p>Formbook is part of a long-running malspam operation that we observe on a regular basis. 
This time, the email lure is written in Ukrainian and tricks victims into opening an alleged letter of approval to receive funds from the government.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" data-attachment-id=\"54982\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/03\/formbook-spam-campaign-targets-citizens-of-ukraine%ef%b8%8f\/attachment\/ukraine1\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/03\/ukraine1.png\" data-orig-size=\"770,588\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"ukraine1\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/03\/ukraine1-300x229.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/03\/ukraine1-600x458.png\" loading=\"lazy\" width=\"770\" height=\"588\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/03\/ukraine1.png\" alt=\"\" class=\"wp-image-54982\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/03\/ukraine1.png 770w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/03\/ukraine1-300x229.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/03\/ukraine1-600x458.png 600w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/figure>\n<p>The email can be translated as:<\/p>\n<pre id=\"tw-target-text\" class=\"wp-block-preformatted\">Dear citizens, we inform you that you are not alone in this difficult time, we in the authorities are doing everything 
possible to protect our citizens.   All citizens receive support from the Federal Government in the amount of 15,000, we want to say that you must protect each other, this is a difficult time for everyone, together with God we will fight this difficult time.   Your letter of approval is added   Sincerely.<\/pre>\n<p>Upon opening the file called \u043b\u0438\u0441\u0442 \u043f\u0456\u0434\u0442\u0440\u0438\u043c\u043a\u0438.xlsx (support letter.xlsx), an exploit for CVE-2017-11882 will attempt to compromise the machine in order to download the Formbook payload from a remote server.<\/p>\n<p>This is not the first &#8212; and certainly won&#8217;t be the last &#8212; time we see threat actors taking advantage of crises. As heartless as it looks, we realize that malware and criminal operations are always ongoing.<\/p>\n<p>Malwarebytes customers were protected from this attack thanks to our Anti-Exploit protection layer.<\/p>\n<h2>Indicators of Compromise<\/h2>\n<p><strong>Email subject<\/strong><\/p>\n<p>\u043b\u0438\u0441\u0442 \u0441\u0445\u0432\u0430\u043b\u0435\u043d\u043d\u044f \u043a\u0430\u0441\u043e\u0432\u043e\u0433\u043e \u0437\u0430\u0431\u0435\u0437\u043f\u0435\u0447\u0435\u043d\u043d\u044f &#8211; \u043c\u0456\u043d\u0456\u0441\u0442\u0440<\/p>\n<p><strong>Formbook maldoc<\/strong><\/p>\n<p>\u043b\u0438\u0441\u0442 \u043f\u0456\u0434\u0442\u0440\u0438\u043c\u043a\u0438.xlsx<br \/>7d39e6ca46c053c1ad744de1ca8867217596bb17bb673785eb8827b00c5ae05b<\/p>\n<p><strong>Formbook URL<\/strong><\/p>\n<p>103.167.92[.]57\/xx_cloudprotect\/vbc.exe<\/p>\n<p><strong>Formbook payload<\/strong><\/p>\n<p>b5f79bb30d60794b7edbf486fa96a11c1ac3ba34592a496379020e8379f281be<\/p>\n<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/03\/formbook-spam-campaign-targets-citizens-of-ukraine%ef%b8%8f\/\">FormBook spam campaign targets citizens of  Ukraine\ufe0f<\/a> appeared first on <a rel=\"nofollow\" 
href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/03\/formbook-spam-campaign-targets-citizens-of-ukraine%ef%b8%8f\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Threat Intelligence Team| Date: Wed, 09 Mar 2022 19:35:09 +0000<\/strong><\/p>\n<p>A new malspam campaign is delivering Formbook to Ukrainian citizens, targeting them with a lure of government funds.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/03\/formbook-spam-campaign-targets-citizens-of-ukraine%ef%b8%8f\/\">FormBook spam campaign targets citizens of  Ukraine\ufe0f<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[25287,11928,12040,8642],"class_list":["post-18464","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-formbook","tag-malspam","tag-threat-intelligence","tag-ukraine"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18464","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18464"}],"version-history":[{"count":0,"href":"http:\/\/www.palad
a.net\/index.php\/wp-json\/wp\/v2\/posts\/18464\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18464"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18464"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18464"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}