
Formbook Delivered Through Multiple Scripts, (Thu, Nov 13th)

Medium
Malware
Published: Thu Nov 13 2025 (11/13/2025, 08:47:41 UTC)
Source: SANS ISC Handlers Diary

Description

FormBook malware is being delivered through a multi-stage infection chain initiated by a malicious VBS script embedded in a ZIP email attachment. The VBS script uses obfuscation and delayed execution to evade detection, then dynamically generates and executes heavily obfuscated PowerShell scripts. These PowerShell scripts download and decode a secondary payload, which is injected into an msiexec.exe process as a FormBook executable. The malware establishes communication with a command-and-control server to exfiltrate data. This infection method leverages script-based obfuscation and multi-stage payload delivery to bypass security controls. European organizations are at risk due to the widespread use of Windows environments and email as an attack vector. Mitigation requires advanced email filtering, script execution restrictions, and network monitoring for suspicious PowerShell activity. Countries with high adoption of Microsoft Windows and significant financial or governmental sectors are most likely targeted. The threat is assessed as high severity due to its stealth, data exfiltration capabilities, and ease of exploitation via phishing emails.

AI-Powered Analysis

Last updated: 11/13/2025, 08:58:56 UTC

Technical Analysis

The analyzed threat involves the FormBook malware being delivered through a complex, multi-stage infection chain starting with a malicious Visual Basic Script (VBS) file named "Payment_confirmation_copy_30K__202512110937495663904650431.vbs" embedded in a ZIP archive attached to a phishing email. The VBS script is obfuscated but relatively straightforward to reverse engineer. It begins with a 9-second delay loop designed to evade sandbox and automated analysis by avoiding typical sleep() calls flagged by security tools. The script then dynamically constructs a heavily obfuscated PowerShell script by concatenating fragmented strings, including the hidden keyword "PowerShell" encoded as an array of character codes. This PowerShell script is executed via the Shell.Application COM object. The PowerShell code itself uses custom string deobfuscation functions to reconstruct commands and payload URLs. It attempts to download a secondary payload from a Google Drive URL, saving it to the victim's roaming profile directory. This payload is another PowerShell script that further deobfuscates and eventually injects the FormBook executable payload into a legitimate msiexec.exe process, hiding its presence. The FormBook binary (SHA256: 12a0f592ba833fb80cc286e28a36dcdef041b7fc086a7988a02d9d55ef4c0a9d) communicates with a command-and-control server at IP 216.250.252.227 on port 7719. FormBook is a known information stealer capable of harvesting credentials, keylogging, and exfiltrating sensitive data. The multi-stage, script-based infection chain is designed to evade detection by antivirus and endpoint security solutions by using obfuscation, delayed execution, and living-off-the-land techniques such as msiexec injection. The attack vector is phishing emails with malicious attachments, a common and effective delivery method. No known exploits in the wild beyond this phishing vector are reported. 
The threat was analyzed and reported by a SANS ISC handler, with detailed reverse engineering insights provided.

Potential Impact

European organizations face significant risks from this FormBook infection chain due to the widespread use of Microsoft Windows environments and reliance on email communications, which are the primary infection vector. Successful compromise can lead to credential theft, unauthorized access to corporate networks, and data exfiltration, impacting confidentiality and potentially integrity of sensitive information. Financial institutions, government agencies, and critical infrastructure sectors are particularly vulnerable given the value of their data and the potential for espionage or fraud. The stealthy multi-stage infection and process injection techniques complicate detection and response, increasing dwell time and potential damage. The use of legitimate system processes like msiexec for payload execution can bypass traditional endpoint protection mechanisms. Additionally, the malware’s ability to communicate with external C2 servers enables ongoing control and data theft. This can result in regulatory compliance violations under GDPR due to personal data breaches, financial losses, reputational damage, and operational disruptions. The phishing delivery method also poses a risk to individual employees, potentially leading to broader network compromise if lateral movement occurs.

Mitigation Recommendations

To mitigate this threat effectively, European organizations should implement advanced email security solutions capable of detecting and blocking malicious attachments, especially those containing obfuscated scripts like VBS and PowerShell. Deploy sandboxing technologies that can analyze multi-stage payloads and delayed execution behaviors. Enforce strict application control policies to restrict execution of scripts from email attachments and user directories, including disabling or limiting Windows Script Host (wscript/cscript) and PowerShell execution via Group Policy or AppLocker/Windows Defender Application Control. Enable PowerShell logging and script block logging to detect suspicious script activity and anomalous command execution. Monitor network traffic for connections to unusual external IPs or domains, particularly those associated with known C2 servers. Employ endpoint detection and response (EDR) tools capable of identifying process injection and living-off-the-land techniques such as msiexec.exe misuse. Conduct regular phishing awareness training for employees to reduce the likelihood of successful social engineering. Maintain up-to-date antivirus signatures and threat intelligence feeds to improve detection rates. Finally, implement robust incident response procedures to quickly isolate and remediate infected hosts upon detection.
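The script block logging recommended above only helps if something reads the logged text for the patterns the technical analysis describes (a keyword rebuilt from character codes, Shell.Application COM use, a timer-based delay loop instead of sleep(), a drop into the roaming profile, msiexec references). The following Python detector is an added example, not code from the ISC diary or from this site; the regexes are heuristic assumptions and the three sample inputs are constructed for illustration.

```python
import re

# Heuristic patterns (assumptions, not signatures from the diary) for the obfuscation
# described above: VBS Chr() chains and PowerShell [char[]] arrays hiding a keyword.
VBS_CHR_RUN = re.compile(r'(?:Chr\(\d+\)\s*&?\s*){2,}', re.I)        # Chr(80)&Chr(111)&...
PS_CHAR_ARRAY = re.compile(r'\[char\[\]\]\s*\(([\d,\s]+)\)', re.I)  # [char[]](80,111,...)
NUM = re.compile(r'\d+')

def decode_char_runs(text):
    """Rebuild strings hidden in VBS Chr() chains or PowerShell [char[]] arrays."""
    runs = [m.group(0) for m in VBS_CHR_RUN.finditer(text)]
    runs += [m.group(1) for m in PS_CHAR_ARRAY.finditer(text)]
    out = []
    for run in runs:
        codes = [int(n) for n in NUM.findall(run)]
        if codes and all(c < 0x110000 for c in codes):
            out.append(''.join(chr(c) for c in codes))
    return out

# Each check sees the raw text (t) and the decoded hidden strings (d), so a keyword that
# only exists after decoding still fires (the point of decoding before matching).
INDICATORS = {
    'charcode-keyword': lambda t, d: any('powershell' in s.lower() for s in d),
    'shell-application-com': lambda t, d: 'shell.application' in t.lower(),
    'timer-delay-loop': lambda t, d: re.search(r'do\s+(while|until)[^\n]*\b(timer|now)\b', t, re.I) is not None,
    'roaming-profile-drop': lambda t, d: re.search(r'\$env:appdata|%appdata%|\\roaming\\', t, re.I) is not None,
    'msiexec-reference': lambda t, d: 'msiexec' in (t + ' ' + ' '.join(d)).lower(),
}

def analyze(text):
    """Return the decoded hidden strings and the names of the indicators that fired."""
    decoded = decode_char_runs(text)
    hits = [name for name, check in INDICATORS.items() if check(text, decoded)]
    return {'decoded': decoded, 'hits': hits}

# Constructed samples (not taken from the diary): a VBS-style stager fragment, a
# PowerShell script-block fragment, and a benign admin command line.
SAMPLE_VBS = ('t = Timer : Do While Timer < t + 9 : Loop\n'
              'k = Chr(80)&Chr(111)&Chr(119)&Chr(101)&Chr(114)&Chr(83)&Chr(104)&Chr(101)&Chr(108)&Chr(108)\n'
              'Set sh = CreateObject("Shell.Application")\n')
SAMPLE_PS = ('$n = -join [char[]](109,115,105,101,120,101,99)\n'
             '$f = "$env:APPDATA\\stage2.ps1"\n')
SAMPLE_BENIGN = 'Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object\n'

if __name__ == '__main__':
    for label, sample in (('vbs', SAMPLE_VBS), ('ps', SAMPLE_PS), ('benign', SAMPLE_BENIGN)):
        print(label, analyze(sample))
```

Feed it the ScriptBlockText field of Event ID 4104 records (or the attachment's VBS source from a sandbox) and alert when two or more indicators fire together, which keeps a lone `msiexec` mention in a legitimate installer script from paging anyone.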


Technical Details

Article Source: https://isc.sans.edu/diary/rss/32480 (fetched 2025-11-13T08:58:39.941Z, 601 words)

Threat ID: 69159dbff47b1f1c8b576bba

Added to database: 11/13/2025, 8:58:39 AM

Last enriched: 11/13/2025, 8:58:56 AM

Last updated: 11/14/2025, 4:09:39 AM

