BLOG CERT SOGETI ESEC

Briefing Malware - 28/12/2021

28th of December 2021 - Winners of the 52nd week: Redline, NjRAT and AsyncRAT.

Some links point to extended actionable intelligence (Threat Bulletins, TTPs, signatures, etc.) on our Threat Intelligence Platform, Anomali. This access is limited to our clients.


Threat statistics report

Publication date: 28/12/2021

Distribution: TLP:WHITE

What's new?

Formbook (NC)

Attackers test “CAB-less 40444” exploit in a dry run

During September 2021, the main issue cybersecurity researchers faced was #CVE-2021-40444, a remote code execution (#RCE) vulnerability in the #MSHTML rendering engine that can be triggered through #Microsoft Office documents. It was used as an initial access vector in attacks targeting the #Russian Ministry of Interior and #State Rocket Center, and was patched by #Microsoft in the September 2021 Patch Tuesday. Attackers exploited it in the wild before the patch was applied, and the recommended interim mitigation, disabling #ActiveX control installation in Internet Explorer, was aimed at the original exploit chain, which delivered its payload through a #CAB archive.

#Sophos Labs discovered a campaign that attempted to bypass the mitigations in place at the time by packaging the exploit inside a #RAR archive. The adversary took advantage of the fact that the RAR archiver ignores any data placed before the RAR signature (the "magic bytes"). It is therefore possible to prepend a #Visual Basic script to the archive; when the Word document extracted from the archive is opened, the exploit runs that script, which downloads the #Formbook malware. The technique does not work on a system that is fully patched at the time of writing.
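The detail worth turning into a check is that a clean RAR archive carries its signature at offset 0, while the polyglot described above carries script bytes first. The following example, added here and not taken from the Sophos write-up or from any CERT tooling, locates the RAR 4.x or RAR 5 signature in a blob and flags any archive whose signature is not at offset 0, with a second look at whether the leading bytes resemble a Windows Script Host script. The signature constants are the documented RAR magic values; the script-marker list and the two sample blobs are constructed for the example and are not real malware.

```python
"""Flag RAR archives whose signature does not sit at offset 0.

Added example (not code from the Sophos article): the RAR archiver tolerates
leading bytes before the archive signature, so an attacker can prepend a
script to an otherwise legitimate archive. A clean archive has its signature
at offset 0; anything else deserves a look.
"""

# Documented magic values for the RAR 4.x and RAR 5 container formats.
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"

# Markers that suggest the leading bytes are a Windows Script Host script.
# This list is an assumption made for the example, not an exhaustive set.
SCRIPT_MARKERS = (b"<job", b"<script", b"CreateObject(", b"WScript.")


def find_rar_signature(data: bytes):
    """Return (offset, version) of the earliest RAR signature, or (-1, None)."""
    best = (-1, None)
    for sig, version in ((RAR5_SIG, 5), (RAR4_SIG, 4)):
        off = data.find(sig)
        if off != -1 and (best[0] == -1 or off < best[0]):
            best = (off, version)
    return best


def analyze_rar(data: bytes) -> dict:
    """Describe where the signature sits and whether the prefix looks like a script."""
    off, version = find_rar_signature(data)
    if off == -1:
        return {"is_rar": False, "offset": -1, "version": None,
                "prefix_is_script": False, "suspicious": False}
    prefix = data[:off]
    return {
        "is_rar": True,
        "offset": off,
        "version": version,
        # Leading bytes containing WSH/VBScript idioms strengthen the verdict.
        "prefix_is_script": any(m in prefix for m in SCRIPT_MARKERS),
        # Any non-zero offset is worth triage, script-like or not.
        "suspicious": off > 0,
    }


def scan_file(path: str) -> dict:
    """Run the check against a file on disk."""
    with open(path, "rb") as f:
        return analyze_rar(f.read())


# Constructed samples (not real malware): a minimal RAR5-like body, and the
# same body with a small WSH-style VBScript stub prepended, mirroring the
# polyglot layout described in the text.
CLEAN_RAR = RAR5_SIG + b"\x00" * 32
PREPENDED_SCRIPT = (
    b'<job id="x"><script language="VBScript">\r\n'
    b'Set o = CreateObject("WScript.Shell")\r\n'
    b"</script></job>\r\n"
)
POLYGLOT_RAR = PREPENDED_SCRIPT + CLEAN_RAR

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_RAR), ("polyglot", POLYGLOT_RAR)):
        print(name, analyze_rar(blob))
```

The offset check alone is the durable signal: a prepended script may be obfuscated enough to miss the marker list, but it cannot avoid pushing the signature away from offset 0. The same idea applies to any container format whose reader searches for its signature rather than requiring it at the start of the file.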

#Formbook has been active since 2016 and is one of the most established #information stealers, constantly evolving to remain attractive to attackers.


https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/
