Cybersecurity researchers have uncovered a new Formbook malware campaign that uses weaponized ZIP archives, multi-layered scripts, and advanced obfuscation techniques to evade detection. This attack chain relies heavily on phishing emails, disguised VBS scripts, and staged payload execution to install the infamous Formbook infostealer on targeted systems.
Phishing Emails Deliver Malicious ZIP Attachments
The infection begins with phishing emails containing ZIP files that appear to hold business-related documents. Hidden inside these archives is a malicious VBS script masquerading as a payment confirmation file. Examples include filenames like:
Payment_confirmation_copy_30K__20251211093749.vbs
Once opened, the script launches a sophisticated multi-step attack designed to bypass traditional antivirus detection.
Multi-Stage Script Execution to Evade Security Tools
The attackers use several scripting layers—including VBS, PowerShell, and executable payloads—to hide Formbook’s deployment. This modular structure makes detection difficult for both automated tools and human analysts.
Researchers from the Internet Storm Center reported that only 17 out of 65 antivirus engines detected the initial VBS file, highlighting the effectiveness of its obfuscation.
How the Obfuscated VBS Script Works
The malicious VBS script uses several deceptive techniques to avoid detection:
1. Delayed Execution to Bypass Sandboxes
The script begins with a 9-second delay loop, designed to avoid sandbox systems that monitor new files for immediate malicious behavior:
Dim Hump
' Compute a timestamp 9 seconds in the future
Hump = DateAdd("s", 9, Now())
' Busy-wait until that time, sleeping 100 ms per pass (the counter is never used)
Do Until (Now() > Hump)
Wscript.Sleep 100
Frozen = Frozen + 1
Loop
2. Obfuscated PowerShell Payload Creation
The VBS file constructs a PowerShell command by assembling fragmented text strings and hiding key terms—such as “PowerShell”—using numeric codes.
Once built, it is executed via Shell.Application, further masking its intent.
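The two VBS tricks above (a timed busy-wait and key terms assembled from numeric character codes) can both be spotted statically before the script ever runs. The following is an added detection example, not code from the article or from the campaign: it decodes runs of Chr(n) calls, reports terms that appear only in decoded form, measures the DateAdd delay, and flags launch via Shell.Application. The two VBS samples are constructed for the example; the use of Chr() for the numeric codes is an assumption, since the article does not say which function the script used.

```python
import re

# Constructed sample (not the campaign's script) reproducing the tricks the
# article describes: a DateAdd/Now delay loop, a key term assembled from
# numeric character codes, and a launch via Shell.Application. The codes
# below spell "PowerShell"; the arguments are harmless placeholders.
SAMPLE_VBS = r'''
Dim Hump
Hump = DateAdd("s", 9, Now())
Do Until (Now() > Hump)
    Wscript.Sleep 100
Loop
p = Chr(80) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
Set sh = CreateObject("Shell.Application")
sh.ShellExecute p, "-w hidden", "", "open", 0
'''

# Constructed benign control: no delay loop, no Chr() assembly.
BENIGN_VBS = r'''
Set fso = CreateObject("Scripting.FileSystemObject")
MsgBox "Report generated: " & Now()
'''

# Terms an innocent script would use in the clear, if it used them at all.
WATCH_TERMS = ("powershell", "wscript.shell", "msiexec", "downloadfile", "invoke-expression")

# A run of Chr(n) calls joined with "&": the numeric-code string assembly.
CHR_RUN = re.compile(r'(?:\bChr\(\s*\d+\s*\)\s*(?:&\s*)?)+', re.IGNORECASE)
CHR_CODE = re.compile(r'\bChr\(\s*(\d+)\s*\)', re.IGNORECASE)
DELAY = re.compile(r'DateAdd\(\s*"s"\s*,\s*(\d+)\s*,\s*Now\(\)\s*\)', re.IGNORECASE)


def decode_chr_runs(text, min_len=3):
    """Rebuild strings hidden as Chr(n) & Chr(m) & ... sequences (printable ASCII only)."""
    out = []
    for run in CHR_RUN.finditer(text):
        codes = [int(c) for c in CHR_CODE.findall(run.group(0))]
        if len(codes) >= min_len and all(32 <= c < 127 for c in codes):
            out.append("".join(chr(c) for c in codes))
    return out


def delay_seconds(text):
    """Return the DateAdd delay in seconds if the script busy-waits on it, else None."""
    m = DELAY.search(text)
    if m and re.search(r'\bDo\s+Until\b', text, re.I) and re.search(r'WScript\.Sleep', text, re.I):
        return int(m.group(1))
    return None


def analyze_vbs(text):
    """Score one VBS script on the evasion techniques the campaign relies on."""
    decoded = decode_chr_runs(text)
    visible = text.lower()
    # Terms that exist only after decoding are the strongest signal.
    hidden = sorted({t for s in decoded for t in WATCH_TERMS if t in s.lower() and t not in visible})
    delay = delay_seconds(text)
    shell_app = re.search(r'Shell\.Application', text, re.I) is not None
    findings = []
    if delay is not None:
        findings.append(f"delays execution {delay}s before doing anything (sandbox evasion)")
    if hidden:
        findings.append("hides " + ", ".join(hidden) + " behind Chr() numeric codes")
    elif decoded:
        findings.append("assembles strings from Chr() numeric codes: " + ", ".join(decoded))
    if shell_app:
        findings.append("launches a process via Shell.Application")
    score = (delay is not None) + 2 * bool(hidden) + bool(decoded) + shell_app
    return {"delay_seconds": delay, "decoded": decoded, "hidden_terms": hidden,
            "findings": findings, "verdict": "suspicious" if score >= 3 else "clean"}


if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_VBS), ("benign", BENIGN_VBS)):
        result = analyze_vbs(script)
        print(f"{name}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The thresholds are deliberately coarse: a single Chr() string or a lone Sleep is common in legitimate automation, so the verdict only flips to suspicious when several of the techniques co-occur, which is what the article's chain does.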
PowerShell Downloads and Installs Formbook Malware
The PowerShell script retrieves the next-stage payload from Google Drive and stores it in the user’s AppData folder. After downloading, it launches msiexec.exe, a legitimate Windows installer process, and injects the Formbook malware into it to avoid suspicion.
Once active, Formbook connects to its command-and-control server located at:
216.250.252.227:7719
This server issues commands, receives stolen data, and coordinates further malicious activity.
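The execution chain described in this section (script host launches PowerShell, PowerShell drops a file under AppData and spawns msiexec.exe, msiexec.exe then talks to the C2) is exactly the kind of parent/child and network relationship endpoint telemetry exposes. The following is an added detection example, not code from the article: it walks a constructed list of process, file and network events, tracks which processes descend from a script-host-launched PowerShell, and raises alerts on the steps the article names. The event records are constructed and their field names are simplified (loosely modelled on Sysmon-style data, an assumption); only the C2 address and the VBS filename come from the article.

```python
# Known C2 from the article's IoCs.
C2_IOCS = {("216.250.252.227", 7719)}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed telemetry. Events 1-5 replay the article's chain; 6-7 are benign
# noise (msiexec.exe started by the service control manager, then a TLS connection).
EVENTS = [
    {"id": 1, "type": "process", "pid": 4100, "ppid": 3000,
     "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\Payment_confirmation_copy_30K__20251211093749.vbs"'},
    {"id": 2, "type": "process", "pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -w hidden <obfuscated command placeholder>"},
    {"id": 3, "type": "file", "pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\u\AppData\Roaming\stage2.bin"},
    {"id": 4, "type": "process", "pid": 4150, "ppid": 4120,
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "msiexec.exe"},
    {"id": 5, "type": "network", "pid": 4150, "image": r"C:\Windows\System32\msiexec.exe",
     "dst_ip": "216.250.252.227", "dst_port": 7719},
    {"id": 6, "type": "process", "pid": 5000, "ppid": 700,
     "image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "msiexec.exe /V"},
    {"id": 7, "type": "network", "pid": 5000, "image": r"C:\Windows\System32\msiexec.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (event_id, reason) alerts for the script-host -> PowerShell -> msiexec chain."""
    alerts = []
    tainted = {}  # pid -> lineage string for processes under a script-launched PowerShell
    for e in events:
        if e["type"] == "process":
            img, parent = basename(e["image"]), basename(e["parent_image"])
            if img in POWERSHELL and parent in SCRIPT_HOSTS:
                tainted[e["pid"]] = f"{parent} -> {img}"
                alerts.append((e["id"], "script host launched PowerShell"))
            elif e["ppid"] in tainted:
                # Any child of a tainted process inherits the lineage.
                tainted[e["pid"]] = tainted[e["ppid"]] + f" -> {img}"
                if img == "msiexec.exe":
                    alerts.append((e["id"], "msiexec.exe spawned by script-launched PowerShell "
                                            "(candidate injection host): " + tainted[e["pid"]]))
        elif e["type"] == "file":
            if e["pid"] in tainted and "\\appdata\\" in e["path"].lower():
                alerts.append((e["id"], "script-launched PowerShell wrote " + e["path"]))
        elif e["type"] == "network":
            dst = (e["dst_ip"], e["dst_port"])
            if dst in C2_IOCS:
                alerts.append((e["id"], f"connection to known Formbook C2 {dst[0]}:{dst[1]}"))
            elif e["pid"] in tainted and basename(e["image"]) == "msiexec.exe":
                alerts.append((e["id"], f"msiexec.exe in tainted chain connected to {dst[0]}:{dst[1]}"))
    return alerts


if __name__ == "__main__":
    for event_id, reason in detect(EVENTS):
        print(f"event {event_id}: {reason}")
```

The lineage rule matters more than the IoC: the IP and port will change between campaigns, but msiexec.exe being a child of a script-host-launched PowerShell, or making outbound connections at all, is rare in normal operation and survives a change of infrastructure.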
Why This Campaign Is Effective
This Formbook campaign succeeds due to its:
- Multi-stage architecture
- Script-based obfuscation
- Use of trusted Windows processes
- Low antivirus detection rates
- Legitimate hosting sources (e.g., Google Drive)
The combination of these tactics allows attackers to slip past many modern security systems.
Conclusion
The latest Formbook malware attacks show how threat actors continue to refine their techniques to stay ahead of security defenses. Organizations should enhance their email security, monitor script activity, and deploy behavioral-based detection tools to prevent infections from advanced threats like Formbook.