Beware of malware offering “Warm greetings from Saudi Aramco”


Recently, the Malwarebytes Threat Intelligence Team found [a Formbook campaign](<https://twitter.com/MBThreatIntel/status/1499435858537107459>) targeting oil and gas companies. The campaign they discovered was delivered by a targeted email that contained two attachments, one is a pdf file and the other an Excel document. ## Formbook The Formbook malware is an information stealer that is in use by many threat actors. Formbook has been around since 2016 and is readily available on [dark web](<https://blog.malwarebytes.com/explained/2021/09/what-is-the-dark-web-the-dark-web-explained/>) market places. ## The email The email pretends to be from Saudi Aramco, a Saudi Arabian public petroleum and natural gas company, and one of the largest companies in the world by revenue. The email asks the receiver to provide an offer for refinery renovations that requires a swift response. It read: Dear Sir, Warm Greetings From Saudi Aramco. We request you to furnish your best, complete, exclusive and competitive techno-commercial offer to our esteemed company for the supply of below mentioned item(s) on or before 10-March-2022. Your offer should conform to all the specifications (FIT, FORM and FUNCTION) mentioned in our requisition including the following information: 1. Manufacturer's Name and Country of Origin. 2. Latest Delivery Date and Shipment Terms. 3. Estimated Weight / Volume or Dimensions of the quoted item(s) / Final Package. 4. Cost of attestation of documents from chamber of commerce shall be borne by the Supplier. 5. Warranty Period. 6. Product Specifications / Data Sheet, Drawings, and Catalog (if available) 7. Payment Terms 8. Partial Order acceptable or not acceptable. 9. Offer Validity: 90 Days. END USER: SEC (Saudi Arabian Oil Company) End Destination : Saudi Arabia If you need any more information, please don't hesitate to contact us. Please acknowledge the email along with the attachment (download below) and confirm your willingness to quote Best regards, ![email body](https://blog.malwarebytes.com/wp-content/uploads/2022/03/email_body-600x301.png)_A screenshot of the email_ ## The attachments The attached pdf file contained an embedded Excel object. The embedded object downloaded a remote template that exploits [CVE-2017-11882](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882>) to download and execute the FormBook malware. This vulnerability exists in Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 and allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory. If the current user is logged on with administrative user rights, this means an attacker could take control of the affected system. The attached Excel document has the same functionality as the embedded excel object in the pdf file. ## IoCs for this campaign ### **Attachments** c421a4309d8fe9fa9bdfe1bde69ccce3 f260e184fb067d3b646af3574e901c05 da4fcf9512dbdf5fa8a6dc88a646100e 7f5da76f29cf8238ed1f944b1d0e587a bb65278dd77988f8a7bad219b524384c ### **C2s** czuj.info vzddc.com habitatsaludable.website modhotels.store maxxflush.com ## Malwarebytes Malwarebytes users were protected against this campaign, because the Malwarebytes Anti-Exploit module blocked the execution of the malware. ![MBAE block](https://blog.malwarebytes.com/wp-content/uploads/2022/03/blocked-600x440.png)_Exploit blocked_ Stay safe, everyone! The post [Beware of malware offering "Warm greetings from Saudi Aramco"](<https://blog.malwarebytes.com/threat-intelligence/2022/03/beware-of-malware-offering-warm-greetings-from-saudi-aramco/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).