FormBook, a new piece of malware, has been spreading widely in the United States and South Korea over the last few months, targeting aerospace firms, defense contractors and the manufacturing sector.
FireEye researchers spotted FormBook in several high-volume distribution campaigns targeting the U.S. with emails carrying malicious PDF, DOC or XLS attachments. In South Korea, by contrast, targets are attacked with emails containing malicious archive files (ZIP, RAR, ACE and ISO) with executable (EXE) payloads.
What is FormBook?
According to FireEye's report, FormBook is a type of malware used in espionage and is capable of keystroke logging, stealing clipboard contents and extracting data from HTTP sessions. Once installed, it can also execute commands from a command-and-control (C2) server, such as instructing the malware to download more files, start processes, shut down and reboot the system, and steal cookies and local passwords.
“One of the malware’s most interesting features is that it reads Windows’ ntdll.dll module from disk into memory, and calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms ineffective. The malware author calls this technique the Lagos Island method,” the report added.
FormBook also has a persistence method that randomly changes the path, filename, file extension and registry key used for persistence.
“While FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use, affordable pricing structure, and open availability make FormBook an attractive option for cybercriminals of varying skill levels,” researchers stated.
Researchers also reported that FormBook has been sold on dark-web markets and hacking forums since July, from $29 a week to a $299 full-package “pro” deal. According to the malware author, customers pay for access to a panel, and the author then generates the executable files as a service.
FormBook is a data stealer but not a full-fledged banker (banking malware). It does not currently have any extensions or plug-ins. According to FireEye's report, its capabilities include:
- Clipboard monitoring
- Grabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests
- Grabbing passwords from browsers and email clients
FormBook’s C2 domains are less widespread and are typically registered on newer generic top-level domains such as .site, .website, .tech, .online and .info. “The server infrastructure is hosted on BlazingFast.io, a Ukrainian hosting provider. Each server typically has multiple FormBook panel installation locations, which could be indicative of an affiliate model,” the FireEye report states.
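The TLD pattern above can be turned into a simple triage filter for DNS query logs. The following is an added example, not FireEye's code or anything from the report: it parses a constructed log in a hypothetical "<timestamp> <client-ip> query <qname>" format, flags lookups whose top-level domain is one of the five the report names, and counts hits per client.

```python
import re
from collections import defaultdict

# TLDs the FireEye report names as typical for FormBook C2 domains
FORMBOOK_C2_TLDS = {"site", "website", "tech", "online", "info"}

# Constructed sample DNS query log (hypothetical format, not a real product's output)
SAMPLE_DNS_LOG = """\
2017-10-05T09:12:01Z 10.1.4.22 query www.example.com.
2017-10-05T09:12:07Z 10.1.4.22 query panel-login.thewebsite.online.
2017-10-05T09:13:40Z 10.1.4.31 query updates.vendor-corp.tech
2017-10-05T09:14:02Z 10.1.4.22 query cdn.files.site.
2017-10-05T09:15:55Z 10.1.4.50 query mail.google.com.
malformed line that should be skipped
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def tld_of(qname):
    """Return the lowercase top-level label of a query name, ignoring a trailing dot."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-1] or None


def find_suspect_lookups(log_text):
    """Return (client, qname) pairs whose TLD is in the FormBook C2 TLD set."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        qname = m.group("qname").rstrip(".").lower()
        if tld_of(qname) in FORMBOOK_C2_TLDS:
            hits.append((m.group("client"), qname))
    return hits


def clients_by_hit_count(hits):
    """Count flagged lookups per client so repeat offenders are triaged first."""
    counts = defaultdict(int)
    for client, _ in hits:
        counts[client] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    flagged = find_suspect_lookups(SAMPLE_DNS_LOG)
    for client, qname in flagged:
        print(f"{client} -> {qname}")
    print(clients_by_hit_count(flagged))
```

A TLD match alone is noisy, since plenty of legitimate sites use these TLDs; treat the output as a starting point for correlating with the report's other indicators (new registrations, BlazingFast.io hosting), not as a verdict.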
“The malware is a self-extracting RAR file that starts an AutoIt loader. The AutoIt loader compiles and runs an AutoIt script. The script decrypts the FormBook payload file, loads it into memory, and then executes it,” the report added.
FormBook also installs different function hooks depending on the process targeted. Some of them include
Over 32 processes are targeted. “After injecting into any of the target processes, it sets up user-mode API hooks based on the process,” FireEye reported.
“In the last few weeks, FormBook was seen downloading other malware families such as NanoCore,” researchers said. “The credentials and other data harvested by successful FormBook infections could be used for additional cybercrime activities including, but not limited to: identity theft, continued phishing operations, bank fraud, and extortion.”
FireEye concluded its report on FormBook as follows:
“While FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use, affordable pricing structure, and open availability make FormBook an attractive option for cybercriminals of varying skill levels. In the last few weeks, FormBook was also seen downloading other malware families such as NanoCore. The credentials and other data harvested by successful FormBook infections could be used for additional cybercrime activities including, but not limited to: identity theft, continued phishing operations, bank fraud, and extortion.”