This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.
Summary
Affected platforms
The following platforms are known to be affected:
Threat details
It is suggested that the malware is delivered through phishing campaigns, as social engineering techniques are employed in an attempt to get the payload onto the target machine.
Two vulnerabilities are exploited to deliver FormGrabber. The first is a historic buffer overflow vulnerability in Microsoft Equation Editor (CVE-2017-11882), and the second exists because the patch for the first was not fully effective (CVE-2018-0802). The payload is the same regardless of which exploit is used, with the %temp%\intel.scr file being executed.
The email contains a Rich Text Format (RTF) document carrying a Visual Basic (VB) script. When the document is opened, the VB script runs, deploying the malware and launching a .bat script. That script disables command echoing, so nothing is printed to the command line, an effective tactic for avoiding detection. When the main payload is executed, a decoy document is also copied into the original location of the first entry and opened, so that when Word starts up again the decoy document will be present. This leaves a note that alerts the victim to the attack.
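The delivery chain above (Word opening the RTF, a batch script launched from it, and %temp%\intel.scr being executed) can be expressed as simple process-lineage detection rules. The following Python is an added example, not part of the original alert: the log format and file paths are constructed for illustration, and the rule that Equation Editor (EQNEDT32.EXE) should never spawn child processes is an assumption about how CVE-2017-11882 exploitation typically shows up, not something the alert states. It also generalises slightly by flagging any .scr run from a Temp directory, not only intel.scr.

```python
from pathlib import PureWindowsPath

# Constructed process-creation records for this example (not a real Sysmon or
# EDR export). Field order is an assumption: ParentImage|Image|CommandLine
SAMPLE_LOG = [
    r"C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\WINWORD.EXE|WINWORD.EXE invoice.rtf",
    r"C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd /c C:\Users\alice\AppData\Local\Temp\run.bat",
    r"C:\Windows\System32\cmd.exe|C:\Users\alice\AppData\Local\Temp\intel.scr|C:\Users\alice\AppData\Local\Temp\intel.scr",
    r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|C:\Windows\System32\cmd.exe|cmd /c whoami",
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
]

def parse_record(line):
    """Split one constructed record into its three fields; None if malformed."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    return {"parent": parts[0], "image": parts[1], "cmdline": parts[2]}

def basename(path):
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return PureWindowsPath(path).name.lower()

def in_temp_dir(path):
    """True when the path sits under a Temp directory (where %temp% resolves)."""
    return "\\temp\\" in path.lower()

def find_indicators(records):
    """Return (severity, description) pairs matching the FormGrabber delivery chain."""
    findings = []
    for line in records:
        rec = parse_record(line)
        if rec is None:
            continue
        parent, image = basename(rec["parent"]), basename(rec["image"])
        # Rule 1: a screensaver binary run from %temp%. intel.scr is the name in
        # the alert; any other .scr launched from Temp is still worth a look.
        if image.endswith(".scr") and in_temp_dir(rec["image"]):
            severity = "high" if image == "intel.scr" else "medium"
            findings.append((severity, f"{image} executed from a Temp directory"))
        # Rule 2: Word launching cmd.exe to run a batch script, as the VB script does.
        if parent == "winword.exe" and image == "cmd.exe" and ".bat" in rec["cmdline"].lower():
            findings.append(("medium", "WINWORD.EXE launched cmd.exe to run a .bat script"))
        # Rule 3 (assumption, not from the alert): Equation Editor has no normal
        # reason to spawn children, so any child of EQNEDT32.EXE suggests exploitation.
        if parent == "eqnedt32.exe":
            findings.append(("high", f"EQNEDT32.EXE spawned {image}"))
    return findings
```

Running `find_indicators(SAMPLE_LOG)` flags three of the five constructed records; the benign explorer.exe children produce nothing.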
Remediation steps
| Type | Step |
|---|---|
CVE Vulnerabilities
Last edited: 17 February 2020 12:43 pm