Weekly Executive Summary for Week October 13, 2017

What is it? Advanced internet activity logging software | Data stealer

What has it been dubbed? FormBook

What has been affected? Mainly: Aerospace, Defense Contractor, Manufacturing Sector

What does it do?

Infects victims through phishing campaigns that include malicious attachments. These campaigns were mostly targeted at Aerospace, Defense Contractor, and Manufacturing sectors in the U.S. and South Korea. PDFs had malicious download links in them and DOC and XLS files had malicious macros that were primarily targeting the United States, while Archive files  (e.g., Zip, RAR, ACE, and ISOs) contained EXE payloads and were mainly used on the United States and South Korea. The malware used in the campaigns is called FormBook and it is a data stealer that is being sold on hacking forums as Malware-as-a-Service (MaaS). The malware injects itself into various processes and installs function hooks. The malware has capabilities to log keystrokes, clipboard monitoring, grabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests, grabbing passwords from browsers and email clients, and screenshots. FormBook has the ability to receive commands from a C2 server like downloading and executing a file, updating a bot on host system, reboot infected system, collect passwords and create a screenshot, and more.

How does it do it?

The FormBook data stealer is available for purchase on hacking forums and has been since 2016. The price of service ranges from $29/week to a $299 – Pro version. A customer of FormBook is paying for access to a panel and then the malware creator will generate executable files as a service this is known as Malware-as-a-Service (MaaS).

Source: FireEye

Source: FireEye

According to researchers at FireEye, FormBook was being distributed through phishing campaigns that we’re targeting Aerospace, Defense Contractor, and Manufacturing Sectors in the United States and South Korea in the last few months. Attackers used a number of distribution mechanisms to deliver FormBook like PDFs that contained download links, DOC  and XLS files that had malicious macros, and Archive files (Zip, Rar, Ace, and ISOs) that contained EXE payloads. PDF/XLS files were mainly used to target the United States, while Archive files were used to target United States and South Korea.

Capabilities of the actual malware include:

  • Key logging
  • Clipboard monitoring
  • Grabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests
  • Grabbing passwords from browsers and email clients
  • Screenshots

Commands from the C2 server FormBook can receive:

  • Update bot on host system
  • Download and execute file
  • Remove bot from host system
  • Launch a command via ShellExecute
  • Clear browser cookies
  • Reboot system
  • Shutdown system
  • Collect passwords and create a screenshot
  • Download and unpack ZIP archive

“One of the malware’s most interesting features is that it reads Windows’ ntdll.dll module from disk into memory, and calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms ineffective.“ (FireEye)

The Command and Control serves domains have been using generic top-level domains (gTLDs) like .site, .website, .info, etc. Domains observed by FireEye have been using WhoisGuard privacy protection service and are being hosted on a Ukrainian hosting provided.

FormBook malware is a self-extracting RAR file that starts at an AutoIt loader. The malware will choose a string to use as a prefix to its installed filename. If the malware is running with elevated privileges it will copy itself to %ProgramFiles% or %CommonProgramFiles%, if it is running with normal user privileges it copies itself to %USERPROFILE%, %APPDATA%, or %TEMP%.  Depending on the infected user’s permissions again, the malware will configure persistence in one of two locations:

  • (HKCU|HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • (HKCU|HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

One of the malicious PDF campaigns found by FireEye was a phishing email disguised as coming from DHL shipping or packaging.   

Source: FireEye

The PDFs contained links to “tny.im” which is a URL-shortening service, which would redirect victims to a staging server that contained FormBook executable downloads.


Malware-as-a-Service is no new trick in the industry and has been seen by exploit kits like Angler, Neutrino, RIG, Nuclear Pack, and much more. Threat actors will develop exploit kits or various types of malware that users can purchase as a service to exploit their targets. What is different in the case of FormBook is its targeted use and what motive the attackers may have. Espionage of sectors like Aerospace, Defense Contractors, and Manufacturing tend to come from government sponsors actors or nation-states. These types of groups normally have a good deal of resources from their government and a lot of the attack tools are custom made, so it would seem unusual for an attacker at this level to use purchased malware.

FormBook has a long list of capabilities and at a price range of $29  – $299 it is quite affordable to a mass audience. This could prove to be quite dangerous if sold as a  service and used to target essential industries. This is another reminder of how effective phishing emails and how dangerous they can be when used against certain industries. 


https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html (FireEye)

https://threatpost.com/formbook-malware-targets-us-defense-contractors-aerospace-and-manufacturing-sectors/128334/ (Threatpost)