FormBook, a new malware that has spread widely in the United States and South Korea over the last few months, targets aerospace firms, defense contractors and the manufacturing sector.
FireEye researchers spotted FormBook in several high-volume distribution campaigns targeting the U.S. with emails carrying malicious PDF, DOC or XLS attachments. In South Korea, by contrast, targets are attacked with emails containing malicious archive files (ZIP, RAR, ACE and ISO) that carry executable (EXE) payloads.
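The two attachment patterns described above (documents for one campaign, archives wrapping an executable for the other) are exactly what a mail-gateway triage step should separate. The following is an added example, not FireEye's or any vendor's code: it classifies an attachment by magic bytes rather than trusting its extension, opens ZIP archives in memory (including nested ones) to look for executable members, and routes anything it cannot inspect to review. The block/review/scan/allow policy, the extension lists and the size and nesting caps are assumptions of this example, and all sample attachments are constructed inline.

```python
"""Mail-gateway attachment triage: constructed example, not FireEye's or any vendor's code."""
import io
import os
import zipfile

# Attachment types the article names for the two campaigns. The routing policy
# below (block / review / scan / allow) is an assumption of this example.
DOCUMENT_EXTS = {".pdf", ".doc", ".xls"}
OOXML_EXTS = {".docx", ".docm", ".xlsx", ".xlsm"}   # ZIP-based Office formats (assumed list)
ARCHIVE_EXTS = {".zip", ".rar", ".ace", ".iso"}
EXECUTABLE_EXTS = {".exe"}                           # the article names EXE payloads
MAX_MEMBER_BYTES = 32 * 1024 * 1024                  # assumed cap before inflating a member
MAX_NESTING = 2                                      # assumed archive nesting depth to follow


def sniff_kind(data: bytes) -> str:
    """Classify content by magic bytes so a renamed file cannot hide behind its extension."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:2] == b"MZ":
        return "pe"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole"    # legacy binary .doc/.xls container
    return "unknown"


def zip_executable_members(data: bytes, depth: int = 0) -> list[str]:
    """List executable members of an in-memory ZIP, recursing into nested ZIPs."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTS:
                found.append(info.filename)
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                continue                              # oversized: leave to a sandbox, do not inflate
            member = zf.read(info)
            if member[:2] == b"MZ":                   # executable under a misleading name
                found.append(info.filename)
            elif member[:4] == b"PK\x03\x04" and depth < MAX_NESTING:
                found.extend(f"{info.filename}!{p}"
                             for p in zip_executable_members(member, depth + 1))
    return found


def triage_attachment(filename: str, data: bytes) -> tuple[str, str]:
    """Return (verdict, reason) for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff_kind(data)
    if kind == "pe" or ext in EXECUTABLE_EXTS:
        return "block", "bare executable attachment"
    if kind == "zip":
        exes = zip_executable_members(data)
        if exes:
            return "block", "archive carries executable: " + ", ".join(exes)
        if ext in OOXML_EXTS:
            return "scan", "Office document; hand to macro/exploit scanner"
        if ext in ARCHIVE_EXTS:
            return "allow", "archive without executable members"
        return "review", f"ZIP content behind '{ext or 'no'}' extension"
    if ext in ARCHIVE_EXTS:
        return "review", f"{ext} archive not inspectable with the standard library"
    if kind in ("pdf", "ole") or ext in DOCUMENT_EXTS:
        return "scan", "document; hand to macro/exploit scanner"
    return "allow", "no rule matched"


def _zip_bytes(members: dict[str, bytes]) -> bytes:
    """Build a ZIP in memory from {name: content} (helper for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_samples() -> dict[str, bytes]:
    """Constructed attachments standing in for the campaign patterns described in the article."""
    fake_pe = b"MZ" + b"\x00" * 62          # constructed: MZ header only, not a real program
    return {
        "invoice.zip": _zip_bytes({"invoice.exe": fake_pe}),
        "quote.pdf": b"%PDF-1.7\n%constructed\n",
        "order.rar": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,
        "docs.zip": _zip_bytes({"inner.zip": _zip_bytes({"run.exe": fake_pe})}),
        "notes.zip": _zip_bytes({"readme.txt": b"hello"}),
        "report.pdf": _zip_bytes({"report.exe": fake_pe}),   # ZIP wearing a .pdf name
    }


def triage_all(samples: dict[str, bytes]) -> dict[str, str]:
    return {name: triage_attachment(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        verdict, reason = triage_attachment(name, data)
        print(f"{verdict:6} {name:14} {reason}")
```

RAR, ACE and ISO containers are deliberately routed to review rather than allowed, because the standard library cannot open them; a production gateway would hand them to an unpacker or sandbox before deciding.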
What is FormBook?
According to FireEye's report, FormBook is malware used for espionage, capable of keystroke logging, stealing clipboard contents and extracting data from HTTP sessions. Once installed, it can also execute commands from a command-and-control (C2) server, such as downloading more files, starting processes, shutting down or rebooting the system, and stealing cookies and local passwords.

“One of the malware’s most interesting features is that it reads Windows’ ntdll.dll module from disk into memory, and calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms ineffective. The malware author calls this technique the Lagos Island method,” the report added.

FormBook also uses a persistence method that randomly changes the path, filename, file extension and the registry key used for persistence.

“While FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use, affordable pricing structure, and open availability make FormBook an attractive option for cybercriminals of varying skill levels,” researchers stated.

Researchers also reported that FormBook has been sold on dark markets and hacking forums since July, from $29 a week up to a $299 full-package “pro” deal. According to the malware author, customers pay for access to a panel, and the author then generates the executable files as a service.

FormBook is a data stealer, but not a full-fledged banker (banking malware). It currently has no extensions or plug-ins. According to FireEye's report, its capabilities include:
- Keylogging
- Clipboard monitoring
- Grabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests
- Grabbing passwords from browsers and email clients
- Screenshots
- iexplore.exe
- firefox.exe
- chrome.exe
- MicrosoftEdgeCP.exe
- explorer.exe
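The persistence behaviour described above, where path, filename, file extension and registry location all change from install to install, defeats signatures on any one of those values but leaves a pattern an autorun audit can score. The following is an added example, not FireEye's or any vendor's code: it takes Run-key style entries (key, value name, command line), extracts the target program, and scores each entry on whether the target sits in a user-writable directory, carries an extension other than .exe, and whether the file name, parent directory or value name looks generated. The weights, thresholds and the `looks_random` heuristic (a crude stand-in for a dictionary or Markov name model) are assumptions of this example, and every entry in `SAMPLE_ENTRIES` is constructed, not taken from a real system.

```python
"""Autorun audit heuristic: constructed example, not FireEye's or any vendor's code."""
import ntpath
import re
from dataclasses import dataclass

# Locations a user can write to without elevation; a payload that keeps re-creating
# itself under fresh names tends to live here (assumed list for this example).
USER_WRITABLE = re.compile(r"\\(AppData\\Roaming|AppData\\Local\\Temp|Users\\Public)\\",
                           re.IGNORECASE)


@dataclass(frozen=True)
class AutorunEntry:
    key: str         # registry key holding the entry, e.g. an HKCU ...\Run path
    value_name: str  # value name under that key
    command: str     # command line stored as the value's data


def looks_random(token: str) -> bool:
    """Crude stand-in for a dictionary or Markov name model (assumption of this example):
    a name with almost no vowels, or with letters and digits interleaved, reads as generated."""
    stem = re.sub(r"[^A-Za-z0-9]", "", token)
    if len(stem) < 6:
        return False
    letters = [c for c in stem if c.isalpha()]
    vowel_ratio = (sum(c.lower() in "aeiouy" for c in letters) / len(letters)) if letters else 0.0
    runs = len(re.findall(r"[A-Za-z]+|\d+", stem))   # letter/digit alternations
    return vowel_ratio < 0.15 or runs >= 4


def target_path(command: str) -> str:
    """Extract the program path from a Run-value command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def score_entry(entry: AutorunEntry) -> tuple[int, list[str]]:
    """Score one entry against the things the article says FormBook randomises:
    path, file name, file extension and registry location. Weights are assumptions."""
    path = target_path(entry.command)
    stem, ext = ntpath.splitext(ntpath.basename(path))
    parent = ntpath.basename(ntpath.dirname(path))
    score, reasons = 0, []
    if USER_WRITABLE.search(path):
        score += 2
        reasons.append("target lives in a user-writable directory")
    if ext.lower() != ".exe":
        score += 2
        reasons.append(f"autorun target has extension {ext or '(none)'}")
    if looks_random(stem):
        score += 2
        reasons.append(f"file name {stem!r} looks generated")
    if looks_random(parent):
        score += 1
        reasons.append(f"directory {parent!r} looks generated")
    if looks_random(entry.value_name):
        score += 1
        reasons.append(f"value name {entry.value_name!r} looks generated")
    return score, reasons


def verdict(score: int) -> str:
    return "suspicious" if score >= 4 else "review" if score >= 2 else "benign"


def audit(entries: list[AutorunEntry]) -> dict[str, str]:
    """Map each value name to its verdict."""
    return {e.value_name: verdict(score_entry(e)[0]) for e in entries}


RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [  # constructed entries, not taken from any real system or sample
    AutorunEntry(RUN, "OneDrive",
                 r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutorunEntry(RUN, "Xk7qpf", r"C:\Users\alice\AppData\Roaming\Q3jd8a\k2hwq4.dat"),
    AutorunEntry(RUN.replace("HKCU", "HKLM"), "SecurityHealth",
                 r"%windir%\system32\SecurityHealthSystray.exe"),
    AutorunEntry(RUN + "Once", "Update", r"C:\Users\alice\AppData\Local\Temp\setup.exe"),
    AutorunEntry(RUN, "Spotify",
                 r'"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe" --autostart'),
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        score, reasons = score_entry(entry)
        print(f"{verdict(score):10} {entry.value_name:15} {'; '.join(reasons) or 'no findings'}")
```

Legitimate software that installs under AppData\Roaming lands in the review tier on location alone, which is the intended trade-off: the heuristic exists to surface candidates for an analyst, not to quarantine on its own.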