The attack begins with a seemingly innocuous RAR archive attachment delivered through phishing emails. Victims receive the archive containing cbmjlzan.JS, a 10MB JavaScript file that appears legitimate due to its inclusion of the AsmDB project library code. This size bloating technique serves a dual purpose: it helps evade automated security scanners that often skip large files and creates the appearance of legitimate development code. (Source: Isc)

Once executed, the obfuscated JavaScript leverages Windows-native capabilities through ActiveXObject, Microsoft.XMLDOM, and ADODB.Stream - all standard Windows components that security tools typically trust. The script immediately establishes persistence by copying itself to C:\Users\Public\Libraries\ and creating a scheduled task that runs every 15 minutes. This ensures the malware survives system reboots and maintains continuous operation even if the original file is discovered and removed.

The JavaScript then drops three files disguised as PNG images - Brio.png, Orio.png, and Xrio.png - into the Public folder. Despite their image extensions, these files contain AES-encrypted payloads that form the next stage of the attack chain. This masquerading technique bypasses file-type restrictions and content filters that would normally block executable code.

MSBuild.exe becomes the primary vehicle for malware execution, representing a sophisticated abuse of living-off-the-land binaries (LOLBins). MSBuild is Microsoft's build platform for .NET applications, present on virtually every Windows system with the .NET Framework installed. Security teams rarely monitor or restrict MSBuild because it's essential for legitimate software development and compilation tasks. The malware exploits this trust by injecting a malicious .NET DLL directly into MSBuild's process space, effectively hiding malicious activity within a trusted Microsoft binary.

The PowerShell component executes with specific flags (-Noexit -nop) to maintain persistence and bypass execution policies. It implements advanced evasion by patching two critical Windows security functions: EtwEventWrite() and AmsiScanBuffer(). These patches blind Windows Event Tracing and the Antimalware Scan Interface respectively, preventing the system from logging suspicious behavior or scanning the malicious code in memory. Your endpoint detection tools become effectively blind to subsequent malicious activities.

The multi-stage decryption process unfolds systematically. First, Xrio.png yields PowerShell code that performs the security patches. Next, Orio.png decrypts to reveal a .NET DLL that serves as the loader. Finally, Brio.png contains the ultimate payload - Formbook, a sophisticated information stealer.

Once Formbook activates within the MSBuild process, it gains access to your organization's sensitive data while appearing as legitimate build activity. The malware can harvest stored passwords from browsers and email clients, capture keystrokes including login credentials, take screenshots of sensitive documents, and exfiltrate files matching specific patterns. All this occurs through a trusted Windows process, making network traffic appear as normal development activity. The scheduled task ensures Formbook restarts every 15 minutes if terminated, maintaining persistent access to your systems and continuous data theft capabilities.

Business Impact: What Formbook Does After Infection

Once Formbook establishes itself within an organization's infrastructure, it transforms from a simple malware infection into a sophisticated intelligence-gathering operation. The malware's primary function centers on harvesting credentials from browsers, email clients, and password managers - essentially creating a master key to your organization's digital assets.

The business consequences extend far beyond stolen passwords. When Formbook captures email credentials, attackers gain the ability to conduct Business Email Compromise (BEC) attacks from legitimate accounts. These attacks have cost organizations billions annually, with individual incidents ranging from unauthorized wire transfers of $50,000 to multi-million dollar supply chain frauds. Your compromised email becomes the launching pad for attacks against partners, vendors, and customers.

Financial services and manufacturing sectors face particularly severe exposure. Formbook's keylogging capabilities capture every keystroke entered into banking applications, ERP systems, and industrial control interfaces. This means transaction details, account numbers, production schedules, and proprietary formulas flow directly to attackers. The malware also screenshots active windows at regular intervals, providing visual confirmation of sensitive operations and bypassing copy-paste restrictions on confidential documents.

The credential theft enables lateral movement throughout corporate networks. Attackers use harvested VPN credentials to maintain persistent remote access, often selling this access on criminal forums. These "access brokers" typically charge $500 to $10,000 per compromised network, depending on the organization's size and industry. Ransomware operators frequently purchase these accesses, explaining why many ransomware incidents begin weeks or months after the initial Formbook infection.

Formbook's data exfiltration operates continuously in the background, transmitting captured information to command-and-control servers. The malware targets specific file types including PDFs, Office documents, and database files. Organizations typically discover the breach only after sensitive documents appear on leak sites or when customers report fraudulent activities. The average dwell time - the period between initial infection and detection - spans 21 to 28 days for organizations without advanced threat hunting capabilities.

The malware's clipboard monitoring feature poses unique risks for cryptocurrency operations and financial transactions. Every copied wallet address, transaction ID, or payment instruction gets logged and transmitted. Attackers can modify clipboard contents in real-time, redirecting payments to their own accounts while victims believe they're sending funds to legitimate recipients.

Beyond immediate financial losses, Formbook infections trigger compliance violations under GDPR, CCPA, and industry-specific regulations. Organizations face mandatory breach notifications, regulatory investigations, and potential fines when customer data gets compromised. The reputational damage often exceeds the direct financial impact, with customer trust erosion leading to contract cancellations and competitive disadvantages lasting years beyond the initial incident.

The malware's persistence mechanisms ensure it survives standard remediation attempts. Even after removing the initial infection, stolen credentials remain valid until manually reset across all systems. This creates a ticking time bomb scenario where attackers retain access long after organizations believe they've resolved the incident, enabling them to return at will or sell the access to other criminal groups.

Detection: Finding Formbook Before It Exfiltrates Data

Security teams hunting for Formbook infections should immediately examine their environments for three distinctive patterns that reveal this malware's presence before data exfiltration begins. The JavaScript dropper creates predictable artifacts that standard endpoint detection tools often miss due to the malware's use of legitimate Windows components.

Start your hunt today by searching for PNG files in C:\Users\Public\ that aren't actually images. The malware drops Brio.png, Orio.png, and Xrio.png in this location - these files contain AES-encrypted payloads rather than image data. Your EDR solution should flag any process attempting to read these specific filenames as base64 strings or passing them to cryptographic functions.

The most urgent detection opportunity occurs when MSBuild.exe exhibits abnormal behavior. Configure your SIEM to alert immediately when MSBuild.exe spawns with these characteristics:

• Execution without corresponding Visual Studio activity or build pipeline triggers
• Command-line arguments referencing file:///C:/Users/Public/ paths
• Parent process is PowerShell or WScript rather than devenv.exe or build agents
• Network connections to non-Microsoft domains within 60 seconds of launch

PowerShell commands containing specific base64 decoding patterns provide another critical detection point. Search your PowerShell logs for scripts that combine [Text.Encoding]::Unicode.GetString with [Convert]::FromBase64String - legitimate administrative scripts rarely use this exact combination. The malware's PowerShell component also references [System.Security.Cryptography.Aes]::Create() alongside file operations in the Public folder.

Your Windows Script Host monitoring should trigger on JavaScript files exceeding 5MB that contain ActiveXObject calls. The 10MB size of cbmjlzan.JS serves as an evasion technique, but this unusual size becomes a detection advantage. Query your endpoint logs for:

• WScript.exe or CScript.exe processing files larger than 5MB
• JavaScript files creating scheduled tasks with 15-minute intervals
• Scripts accessing both Microsoft.XMLDOM and ADODB.Stream objects
• File copy operations from user directories to C:\Users\Public\Libraries\

Memory analysis reveals the malware's anti-analysis techniques before payload execution. Hunt for processes that patch EtwEventWrite() and AmsiScanBuffer() functions - legitimate software rarely modifies these Windows security components. Your EDR should detect memory modifications to these specific API functions, particularly when followed by .NET assembly loading.

For immediate network-based detection, monitor DNS queries and HTTPS connections initiated by MSBuild.exe, especially to domains registered within the past 90 days. While the analyzed sample doesn't reveal specific C2 infrastructure, Formbook variants typically beacon to dynamically generated domains after successful infection.

Deploy these Sigma rules to your SIEM within the next 24 hours, prioritizing environments with exposed email servers or recent phishing campaigns. Organizations without EDR capabilities should at minimum enable PowerShell script block logging and review scheduled tasks created with 15-minute execution intervals - this simple check could reveal infections your antivirus missed.

Immediate Response and Containment Steps

When a system shows signs of Formbook infection, your response speed determines whether attackers exfiltrate gigabytes of data or get stopped at initial compromise. The malware's scheduled task executes every 15 minutes, creating a narrow window for containment before credential harvesting begins.

Immediate Actions (0-4 hours): Stop Active Exfiltration

Disconnect affected machines from the network immediately - pull the ethernet cable or disable WiFi, but keep systems powered on to preserve volatile memory. The scheduled task schtasks /query /tn * will reveal entries matching the original JavaScript filename pattern. Document these task names before deletion as they provide attribution clues.

Reset credentials for all users who logged into compromised systems within the past 72 hours. The malware's credential harvesting capabilities mean any authentication performed on infected machines should be considered compromised. This includes domain accounts, cloud services, and VPN credentials - Formbook captures keystrokes and form submissions regardless of the application.

Check for lateral movement by examining Windows Security Event ID 4624 (successful logon) and 4672 (special privileges assigned). Run Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4672} | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-24)} to identify unusual authentication patterns. Pay special attention to Type 3 (network) and Type 10 (RemoteInteractive) logons originating from infected machines.

Short-Term Response (24-48 hours): Hunt for Hidden Infections

Deploy PowerShell hunting scripts across your environment to identify systems with suspicious PNG files in public directories. The command Get-ChildItem -Path "C:\Users\Public\" -Filter "*.png" | ForEach-Object {$bytes = [System.IO.File]::ReadAllBytes($_.FullName); if([System.Text.Encoding]::ASCII.GetString($bytes[0..7]) -notmatch "PNG") {$_.FullName}} will flag fake image files containing encrypted payloads.

Review email gateway logs for RAR attachments received in the past 30 days, particularly those containing JavaScript files. Export message tracking logs and search for attachment names ending in .JS, .JSE, or .WSF extensions. Cross-reference sender addresses with known business contacts - Formbook campaigns often spoof legitimate vendors or partners.

Audit PowerShell and Windows Script Host execution using Event ID 4104 (script block logging) and 4688 (process creation). Enable enhanced PowerShell logging if not already configured: Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1. Look for base64-encoded commands, especially those referencing MSBuild.exe or containing AES decryption routines.

Long-Term Hardening (7-30 days): Prevent Re-infection

Block MSBuild.exe execution for standard users through AppLocker or Windows Defender Application Control. Create a rule denying %WINDIR%\Microsoft.NET\Framework*\MSBuild.exe unless the user belongs to a specific developer group. Most business users never legitimately execute MSBuild, making this restriction highly effective against similar injection techniques.

Disable Windows Script Host entirely if your organization doesn't require it. Deploy the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled set to 0 via Group Policy. This prevents JavaScript execution through WScript.exe and CScript.exe, eliminating an entire attack vector.

Configure email gateways to quarantine JavaScript attachments regardless of archive format. Modern business workflows rarely require direct JavaScript file transfers - legitimate code sharing happens through version control systems or development platforms, not email attachments.

Preventing Formbook: Layered Controls That Work

Organizations seeking to prevent Formbook infections face a fundamental challenge: the malware weaponizes legitimate Windows components that many businesses rely on daily. The attack chain reveals five specific control points where defenders can disrupt execution without requiring expensive security tools or complex configurations.

Block JavaScript Execution from User-Accessible Locations represents your highest-impact control with minimal business disruption. Configure Windows file type associations to open .js files in Notepad rather than Windows Script Host by modifying HKEY_CLASSES_ROOT\.js registry settings. This simple change prevents the initial cbmjlzan.JS dropper from executing while still allowing developers to view and edit scripts.

Email gateway administrators should implement content filtering rules that quarantine RAR archives containing JavaScript files. The 10MB size of the dropper suggests attackers deliberately bloat files to bypass size-based scanning limits - configure your gateway to decompress and inspect archives regardless of size.

Restrict MSBuild.exe Through Application Control delivers significant protection but requires careful planning for development teams. MSBuild serves as the perfect process injection target because security tools trust it as a legitimate Microsoft binary. Non-developer workstations have no business reason to execute MSBuild.

Deploy AppLocker rules or Windows Defender Application Control policies that block C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe for standard users. Create exceptions only for specific developer accounts or machines. This control directly prevents the malware's .NET DLL injection technique while preserving functionality for authorized development work.

Disable Windows Script Host for Non-Administrative Users through Group Policy provides broad protection against script-based attacks. Set Computer Configuration\Administrative Templates\Windows Components\Windows Script Host\ to "Disabled" for standard user OUs. The trade-off: legitimate automation scripts and some software installers will fail. Maintain a separate OU for users requiring scripting capabilities, with enhanced monitoring on these accounts.

PowerShell Constrained Language Mode offers a middle ground between functionality and security. The Formbook dropper relies on reflection and .NET method invocation - both blocked in Constrained Language Mode. Enable this through __PSLockdownPolicy environment variable or via AppLocker rules. Users can still run basic PowerShell commands while complex malware operations fail.

Monitor Public Folders for Suspicious PNG Files provides early warning without blocking legitimate activity. Configure file integrity monitoring on C:\Users\Public\ to alert on creation of files with image extensions that lack valid image headers. The Brio.png, Orio.png, and Xrio.png files contain base64-encoded data rather than image content - a pattern easily detected through header analysis.

User awareness training should emphasize three specific behaviors: questioning why any email attachment requires JavaScript execution, recognizing that legitimate documents never arrive as .JS files in archives, and understanding that Windows will warn before running scripts from untrusted sources unless the warnings have been clicked through carelessly.

Implementation priority depends on your environment. Organizations without developers should immediately disable MSBuild and Windows Script Host - a two-hour project that eliminates multiple attack vectors. Development shops should focus on email gateway controls and file association changes first, then segment developer systems into monitored zones with enhanced logging.

Why Formbook Succeeds: The MSBuild Loophole

The genius of using MSBuild for malware execution lies not in sophisticated zero-days or complex exploits, but in understanding how enterprise security teams think. MSBuild.exe exists on every Windows system with .NET Framework installed - a Microsoft-signed binary that compiles and builds applications. Security teams trust it implicitly because developers need it, CI/CD pipelines depend on it, and blocking it would break legitimate business processes.

From an attacker's perspective, MSBuild represents the perfect delivery vehicle. The binary accepts XML project files that can contain inline C# code through Task elements. When MSBuild processes these files, it compiles and executes the embedded code in memory without dropping additional executables to disk. This in-memory execution bypasses traditional antivirus scanning that focuses on file-based threats.

The PowerShell script in this attack demonstrates why criminals choose MSBuild over more obvious execution methods. Rather than directly running the extracted .NET DLL - which would trigger behavioral detection - the malware passes it through MSBuild with carefully crafted parameters: file:///C:/Users/Public/Brio.png as the project file location. This file URI scheme tells MSBuild to load what appears to be a local project file, though the actual payload hides within the encrypted PNG container.

Security products struggle with MSBuild abuse because distinguishing malicious from legitimate use requires deep context that most tools lack. A developer building a project looks identical to malware compiling a payload - both invoke MSBuild.exe with XML input and produce compiled code. Endpoint detection systems see a trusted Microsoft binary performing its documented function. Application control solutions whitelist MSBuild by default because blocking it cripples software development workflows.

The living-off-the-land philosophy extends beyond just using legitimate tools - it exploits the trust relationships within Windows itself. MSBuild inherits the permissions of the user running it, meaning no privilege escalation triggers fire. It communicates through standard .NET channels that firewalls permit for application functionality. Even advanced EDR solutions that monitor process creation trees see MSBuild spawning from PowerShell as potentially legitimate automation.

This attack chain reveals why traditional "block PowerShell" advice fails in practice. Attackers simply pivot to alternative execution methods. If organizations disable PowerShell, criminals use MSBuild directly. Block MSBuild, they switch to rundll32 or regsvr32. Each legitimate Windows binary offers unique capabilities for code execution, and attackers maintain extensive playbooks documenting which tools bypass which security products.

The encrypted PNG files demonstrate another trust exploitation - security tools rarely inspect image files deeply. The malware leverages this blind spot by storing AES-encrypted payloads with .png extensions. File-type verification checks see the extension and move on. Deep content inspection would reveal these aren't valid PNG structures, but such inspection remains computationally expensive at scale.

Understanding why attackers choose MSBuild illuminates a fundamental security challenge: the tools that enable productivity also enable compromise. Every legitimate administrative capability becomes a potential attack vector when wielded by criminals who study defensive assumptions and exploit the gaps between security policy and operational reality.