FormBook Malware Targets US Defense Contractors, Aerospace and Manufacturing Sectors

FormBook info-stealing malware has been part of two recent distribution campaigns and is being sold on the Dark Web for as little as $29 a week.

Attackers spreading new malware called FormBook are singling out aerospace firms, defense contractors and some manufacturing organizations in the United States and South Korea.

According to researchers at FireEye, FormBook was spotted in several high-volume distribution campaigns targeting the U.S. with email containing malicious PDF, DOC or XLS attachments. FormBook targets in South Korea are being pelted with email containing malicious archive files (ZIP, RAR, ACE, and ISOs) with executable payloads.

FormBook is a type of data-stealing malware used in espionage and is capable of keystroke logging, stealing clipboard contents and extracting data from HTTP sessions. Once installed, the malware can also execute commands from a command-and-control (C2) server such as instructing the malware to download more files, start processes, shutdown and reboot a system and steal cookies and local passwords, according to a FireEye report co-authored by Nart Villeneuve, Randi Eitzman, Sandor Nemes and Tyler Dean.

“One of the malware’s most interesting features is that it reads Windows’ ntdll.dll module from disk into memory, and calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms ineffective,” according to the FireEye report.

In one scenario described by FireEye, the FormBook payload is delivered via a self-extracting RAR file that when launched starts an AutoIt loader that in turn compiles and runs an AutoIt script. The script decrypts the FormBook payload file, loads it into memory, and then executes it, researchers said.

“While FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use, affordable pricing structure, and open availability make FormBook an attractive option for cyber criminals of varying skill levels,” researchers noted.

FormBook has been sold in underground hacking forums since July for $29 a week to a $299 full-package “pro” deal, researchers said. Under the malware author’s terms, customers pay for access to a panel and then the malware author generates the executable files as a service.

As for the backend infrastructure, FormBook’s C2 domains are less widespread and typically newer generic top-level domains (.site, .website, .tech, .online, and .info). “The server infrastructure is hosted on BlazingFast.io, a Ukrainian hosting provider. Each server typically has multiple FormBook panel installation locations, which could be indicative of an affiliate model,” according to FireEye.

The malware installs different function hooks depending on the process targeted. Some of the processes include iexplore.exe, firefox.exe, chrome.exe, MicrosoftEdgeCP.exe and explorer.exe. Over 32 processes are targeted. “After injecting into any of the target processes, it sets up user-mode API hooks based on the process,” FireEye said.

It also features a persistence method that randomly changes the path, filename, file extension, and the registry key used for persistence, said researchers.

FireEye detected two distinct email campaigns between Aug. 11 and Aug. 22 and additional campaign between July 18 and Aug. 17. In one PDF campaign hackers leveraged FedEx and DHL shipping and package delivery themes.

PDFs contained links to the “tny.im” URL-shortening service, which then redirected to a staging server that contained FormBook executable payloads, researchers said. Campaigns leveraging DOC and XLS attachments mostly contained malicious macros that, when enabled, initiated the download of FormBook payloads. In other instances, emails contained ZIP, RAR, ACE, and ISO attachments also contained the FormBook executable files.

“In the last few weeks, FormBook was seen downloading other malware families such as NanoCore,” researchers said. “The credentials and other data harvested by successful FormBook infections could be used for additional cybercrime activities including, but not limited to: identity theft, continued phishing operations, bank fraud and extortion.”

Suggested articles