FormBook is an information-stealer malware that has been active since 2016. From mid-July 2017 it was sold on an underground hacking forum as a PHP control panel; the panel lets the buyer customize the malware’s settings and features and generate a sample of the malware.
The info-stealer’s capabilities include stealing credentials, capturing screenshots of the victim’s desktop, monitoring the clipboard, logging keystrokes, clearing browser cookies, downloading and executing files, updating and removing bots, launching commands via ShellExecute, downloading and unpacking ZIP archives, and rebooting or shutting down the system.
FormBook campaign targeting Aerospace, Defense, and Manufacturing industries
In October 2017, researchers spotted several high-volume FormBook campaigns primarily targeting the aerospace, defense, and manufacturing sectors in the US and South Korea. The campaigns also targeted education, energy, financial institutions, government agencies, and more.
The attackers behind these email campaigns used a variety of distribution techniques to deliver the FormBook info-stealer, including PDFs, Office Documents, ZIP, RAR, ACE or ICO attachments, as well as shortened URLs.
FormBook campaign spying on victims
In May 2018, researchers observed a phishing email campaign that distributed the FormBook info-stealer. The phishing emails claimed to be an order from a Spanish sales company and contained a blank malicious PDF file and a blank malicious Microsoft Office template file.
The attacker behind this campaign mixed two file formats (PDF and Microsoft Office document) and chained two public Microsoft Office exploits (CVE-2017-0199 and CVE-2017-11882) to drop the final payload on the targeted system. The FormBook sample distributed in this campaign was capable of spying on victims and stealing from them.
Multi-stage document attack dropped the FormBook payload
A multi-stage document attack exploited design behaviors in .docx and RTF, along with CVE-2017-8570, to drop the FormBook payload on target systems.
The first stage of this attack was a phishing email with a malicious .docx attachment. The file had no macros and used no exploits; instead, a URL was embedded in its frame section. When the attachment was opened, Word made an HTTP request to download the remote object the URL pointed to. That URL redirected to another URL, which in turn redirected to a malicious RTF file containing an embedded script and a second exploit.
The second stage exploited both a design behavior of RTF documents and the CVE-2017-8570 vulnerability. When an RTF document with an embedded object is opened, the object is automatically written to the Windows %TEMP% directory. CVE-2017-8570 was then used to execute that object, completing the attack by dropping the FormBook malware.
FormBook campaign distributed via malware-friendly hosting service
In the latest FormBook campaign, the malware was distributed via a new malware-friendly hosting service named DropMyBin. The campaign targeted the retail and hospitality industries both within and outside the US.
In this campaign, a rich text format (RTF) document was used as the dropper, leveraging known Word vulnerabilities, likely because such documents are difficult for typical security solutions to detect. The initial infection was carried out by a malicious RTF document that exploited several Microsoft Office vulnerabilities (CVE-2012-0158, the Office ActiveX vulnerability, and CVE-2017-11882, the widely abused Equation Editor vulnerability).
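The two document tricks described above (a .docx whose frame relationship points at a remote URL, and an RTF carrying an embedded OLE object aimed at Equation Editor) can both be spotted statically before the file is ever opened. The following Python triage script is an added example, not code from the original report or from any vendor; the sample .docx and RTF it inspects are constructed inline, and the URL and object-data bytes in them are placeholders rather than real indicators from these campaigns.

```python
"""Static triage for FormBook-style document lures (added example, constructed inputs)."""
import collections
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types that should normally never point outside the package.
# Hyperlinks are also TargetMode="External" but are legitimate, so they are
# reported by docx_external_targets() yet not flagged by docx_findings().
SUSPICIOUS_REL_TYPES = {"frame", "oleObject", "attachedTemplate", "subDocument"}

# RTF control words that introduce or describe an embedded OLE object.
RTF_OBJECT_RE = re.compile(rb"\\(object|objdata|objemb|objclass|objupdate|objautlink)\b")
RTF_OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{}\s;]+)")


def docx_external_targets(docx_bytes):
    """Return (rels part, relationship type, target) for every relationship
    in the .docx package that is marked TargetMode="External"."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, rel.get("Target", "")))
    return hits


def docx_findings(docx_bytes):
    """Human-readable findings: external targets of a type Word will fetch on open."""
    return [f"{part}: external {rel_type} -> {target}"
            for part, rel_type, target in docx_external_targets(docx_bytes)
            if rel_type in SUSPICIOUS_REL_TYPES]


def rtf_object_report(rtf_bytes):
    """Summarise embedded-object control words in an RTF file."""
    report = {"is_rtf": False, "objects": 0, "control_words": {},
              "object_classes": [], "auto_update": False}
    if not rtf_bytes.lstrip().startswith(b"{\\rt"):  # Word accepts truncated {\rt headers
        return report
    words = collections.Counter(m.group(1).decode() for m in RTF_OBJECT_RE.finditer(rtf_bytes))
    report.update(is_rtf=True, objects=words.get("object", 0), control_words=dict(words),
                  object_classes=[m.group(1).decode() for m in RTF_OBJCLASS_RE.finditer(rtf_bytes)],
                  auto_update="objupdate" in words)
    return report


def rtf_findings(rtf_bytes):
    """Findings for the RTF stage: embedded objects are written to %TEMP% on open,
    an Equation.* class name targets Equation Editor, \\objupdate forces activation."""
    report = rtf_object_report(rtf_bytes)
    findings = []
    if report["objects"]:
        findings.append(f"{report['objects']} embedded OLE object(s); Word drops them to %TEMP% on open")
    for cls in report["object_classes"]:
        if cls.lower().startswith("equation."):
            findings.append(f"object class {cls}: Equation Editor target (CVE-2017-11882 lure)")
    if report["auto_update"]:
        findings.append("\\objupdate present: object is updated before display, no click needed")
    return findings


def build_sample_docx(frame_url):
    """Constructed minimal .docx whose webSettings frame points at a remote URL,
    plus a harmless external hyperlink to show it is not flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/_rels/document.xml.rels",
                     f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
                     f'Type="{OOXML_REL}hyperlink" Target="https://example.com/" '
                     'TargetMode="External"/></Relationships>')
        pkg.writestr("word/webSettings.xml", "<w:webSettings/>")
        pkg.writestr("word/_rels/webSettings.xml.rels",
                     f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
                     f'Type="{OOXML_REL}frame" Target="{frame_url}" '
                     'TargetMode="External"/></Relationships>')
    return buf.getvalue()


# Constructed RTF fragment: one auto-updating embedded object with an Equation
# Editor class name; the objdata hex is a placeholder, not a real exploit blob.
SAMPLE_RTF = (b"{\\rtf1\\ansi\n"
              b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\n"
              b"{\\*\\objdata 0105000002000000}}\n"
              b"\\par }")

if __name__ == "__main__":
    for line in docx_findings(build_sample_docx("http://stage1.example.invalid/doc")):
        print("DOCX:", line)
    for line in rtf_findings(SAMPLE_RTF):
        print("RTF: ", line)
```

Run on a mail-gateway sample, the .docx check fires on the first stage before any HTTP request is made, and the RTF check fires on the second stage regardless of which Equation Editor CVE the object data targets, because it keys on the object class and activation flags rather than on exploit bytes.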