A new wave of Formbook malware attacks has appeared, using weaponized ZIP archives and multiple script layers to bypass security controls.
The attacks begin with phishing emails containing ZIP files that hold VBS scripts disguised as payment confirmation documents.
These scripts trigger a chain of events that downloads and installs the malware on victim systems. The multi-stage approach makes detection harder for both security tools and analysts.
The attack starts when victims receive emails with attached ZIP archives. Inside these archives sits a VBS file with names like “Payment_confirmation_copy_30K__20251211093749.vbs” that looks like a business document.
When opened, this VBS script starts a carefully planned infection process. The malware uses multiple scripting languages, including VBS, PowerShell, and eventually executable files, to reach its final goal of installing Formbook on the target machine.
Internet Storm Center security researchers identified this campaign and found that only 17 out of 65 antivirus programs detected the initial VBS file.
The low detection rate shows how effective the obfuscation techniques are. The malware writers designed each stage to avoid common security checks and make analysis more difficult for security teams.
Multi-Stage Infection Mechanism
The VBS script uses several tricks to hide its true purpose. First, it creates a delay loop that waits 9 seconds before doing anything harmful.
This simple trick helps avoid detection by sandbox systems that look for immediate suspicious actions:
Dim Hump
' Target timestamp: 9 seconds from now
Hump = DateAdd("s", 9, Now())
' Spin until the clock passes the target, sleeping 100 ms per iteration
Do Until (Now() > Hump)
    Wscript.Sleep 100
    Frozen = Frozen + 1
Loop
The script then builds a PowerShell command by joining many small text pieces together. The word “PowerShell” itself is spelled out as numeric character codes rather than plain text, so a simple string search for it fails. After assembling the PowerShell script, the VBS file runs it using a Shell.Application object.
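The two VBS tricks described above, the stalling loop and the character-code string assembly, are both things an analyst can recover statically. The following Python is an added example written for this page, not code from the Internet Storm Center write-up or from the malware itself. The Chr()-based expression is a constructed sample that imitates the technique (the real dropper's exact fragments are not on the page), and the stalling loop is the snippet quoted above, copied with straight quotes so it parses.

```python
import re

# Constructed sample expression (not the real dropper's code) that imitates the
# technique described above: the word "PowerShell" assembled from Chr() codes and
# joined to literal fragments with VBS's "&" concatenation operator.
SAMPLE_VBS_EXPR = (
    'Chr(80) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(83) & Chr(104) & '
    'Chr(101) & Chr(108) & Chr(108) & " -c " & Chr(34) & "Get-Date" & Chr(34)'
)

# The stalling loop quoted in the write-up, copied with straight quotes.
SAMPLE_STALL_LOOP = """
Dim Hump
Hump = DateAdd("s", 9, Now())
Do Until (Now() > Hump)
    Wscript.Sleep 100
    Frozen = Frozen + 1
Loop
"""

# One token of a VBS string expression: a Chr/ChrW/ChrB call, a quoted literal
# (with "" as the escaped quote), or the & operator.
TOKEN_RE = re.compile(
    r'\s*(?:'
    r'Chr[WB]?\s*\(\s*(?P<code>\d+)\s*\)'
    r'|"(?P<lit>(?:[^"]|"")*)"'
    r'|(?P<amp>&)'
    r')\s*',
    re.IGNORECASE,
)

# DateAdd("s", N, Now()) is the timestamp the busy-wait loop spins until.
DATEADD_RE = re.compile(
    r'DateAdd\s*\(\s*"s"\s*,\s*(?P<secs>\d+)\s*,\s*Now\s*\(\s*\)\s*\)', re.IGNORECASE
)


def deobfuscate_vbs_string(expr: str) -> str:
    """Statically evaluate a VBS string built only from Chr() calls, literals and &."""
    out = []
    pos = 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if m is None or m.end() == pos:
            raise ValueError(f"unsupported token at offset {pos}: {expr[pos:pos + 20]!r}")
        if m.group("code") is not None:
            out.append(chr(int(m.group("code"))))
        elif m.group("lit") is not None:
            out.append(m.group("lit").replace('""', '"'))
        # the & operator only joins the pieces; it emits nothing
        pos = m.end()
    return "".join(out)


def find_time_stall(script: str):
    """Return the stall length in seconds if the script busy-waits on DateAdd/Now, else None."""
    m = DATEADD_RE.search(script)
    if (m and re.search(r'\bDo\s+Until\b', script, re.IGNORECASE)
            and re.search(r'\bWScript\.Sleep\b', script, re.IGNORECASE)):
        return int(m.group("secs"))
    return None


def triage(expr: str, script: str) -> dict:
    """Summarise both evasion tricks for an analyst in one dictionary."""
    decoded = deobfuscate_vbs_string(expr)
    return {
        "decoded": decoded,
        "launches_powershell": "powershell" in decoded.lower(),
        "stall_seconds": find_time_stall(script),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_VBS_EXPR, SAMPLE_STALL_LOOP))
```

The decoder deliberately supports only Chr()-style calls, literals and the & operator; anything else raises, which is the right behaviour for a triage tool, since an unsupported construct is itself worth a human look rather than a silent guess. The stall detector reports the delay length so a sandbox operator can tell whether the configured execution window even covers it.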
This PowerShell script downloads another payload from Google Drive and saves it to the user’s AppData folder. The final step launches msiexec.exe and injects the Formbook malware into it.
The malware then connects to its command server at 216.250.252.227 on port 7719 to receive instructions.
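The chain in the last two paragraphs (script host spawns PowerShell, PowerShell launches msiexec.exe, msiexec.exe beacons to the C2 address) maps directly onto endpoint telemetry. The following Python is an added detection example written for this page, not code from the write-up or any vendor product. The event records are constructed for the example with invented field names (not a real Sysmon schema); the only value taken from the page is the C2 endpoint 216.250.252.227:7719.

```python
from ipaddress import ip_address

# IoC from the write-up: the Formbook command-and-control endpoint.
C2_IP, C2_PORT = "216.250.252.227", 7719

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed telemetry (invented field names, not a real Sysmon schema) that
# replays the chain described in the write-up plus two benign events.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4120,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "process_create", "pid": 4188,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"event": "process_create", "pid": 4202,
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event": "network_connect", "pid": 4202,
     "image": r"C:\Windows\System32\msiexec.exe",
     "dst_ip": C2_IP, "dst_port": C2_PORT},
    # benign: an administrator opening PowerShell from the desktop
    {"event": "process_create", "pid": 5010,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # benign: msiexec pulling an installer from an internal file share
    {"event": "network_connect", "pid": 5090,
     "image": r"C:\Windows\System32\msiexec.exe",
     "dst_ip": "10.0.0.5", "dst_port": 445},
    # suspicious but not a known IoC: msiexec talking to the internet
    {"event": "network_connect", "pid": 5100,
     "image": r"C:\Windows\System32\msiexec.exe",
     "dst_ip": "8.8.8.8", "dst_port": 443},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Apply rules derived from the infection chain; return (rule, pid) pairs in event order."""
    alerts = []
    for ev in events:
        image = basename(ev["image"])
        if ev["event"] == "process_create":
            parent = basename(ev["parent_image"])
            # stage 1 -> 2: the VBS dropper handing off to PowerShell
            if parent in SCRIPT_HOSTS and image == "powershell.exe":
                alerts.append(("script_host_spawned_powershell", ev["pid"]))
            # stage 2 -> 3: PowerShell starting the injection target
            if parent == "powershell.exe" and image == "msiexec.exe":
                alerts.append(("powershell_spawned_msiexec", ev["pid"]))
        elif ev["event"] == "network_connect" and image == "msiexec.exe":
            # exact IoC match first, then the weaker behavioural rule
            if ev["dst_ip"] == C2_IP and ev["dst_port"] == C2_PORT:
                alerts.append(("formbook_c2_beacon", ev["pid"]))
            elif not ip_address(ev["dst_ip"]).is_private:
                alerts.append(("msiexec_external_connection", ev["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid}")
```

The parent/child rules fire on the chain itself and will keep working after the C2 address changes, which the IoC rule will not; the "msiexec external connection" rule is intentionally lower confidence, since msiexec does fetch installers over the network in some environments, so it is better used to enrich the stronger hits than to page anyone on its own.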
The post Formbook Malware Delivered Using Weaponized Zip Files and Multiple Scripts appeared first on Cyber Security News.