FormBook malware campaigns attacking Aerospace, Defense Contractor, and Manufacturing sectors within the U.S. and South Korea.
The FormBook malware is a data stealer and grabber advertised in various hacking forums and includes a variety of distribution mechanisms to deliver the malware.
The malware delivered through emails includes a variety of delivery mechanism that includes the following
- PDFs that contains download links
- DOC and XLS files with malicious macros embedded
- Using Archive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads
The campaign primarily targets the U.S. and South Korea, most of the malicious activity is in the form of the PDF campaigns targeting the United States.
FormBook is capable of injecting itself into various processes that log keystrokes, steal clipboard contents, and extract data from HTTP sessions.
It is a full-fledged banking malware and doesn’t have any extensions, it includes the following capabilities
- Clipboard monitoring
- Grabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests
- Grabbing passwords from browsers and email clients
The C2 servers found to be registered with a Ukrainian hosting provider, the malware served is a self-extracting RAR which starts with an AutoIt loader.
The AutoIt loader is a script that decrypts the FormBook payload file and loads it into memory and then executes it.
Password Log Files
- Keylog data
- Chrome passwords
- Firefox passwords
- Thunderbird passwords
- Internet Explorer passwords
- Outlook passwords
- Windows Vault passwords
- Opera passwords
The PDF campaigns leveraged FedEx and DHL shipping document-sharing theme that contains the download link for FormBook payload.
The FormBook is a unique malware with its functionality or distribution mechanisms, it is easy to use and available at an affordable pricing structure.