FormBook malware advertises an ‘extensive and powerful internet monitoring experience’ for a relatively low-cost – allowing even low level attackers to distribute stealthy malware.
Hackers have launched a string of campaigns against defence, aerospace and manufacturing contractors in the US and South Korea in an effort to install data-stealing malware.
The campaigns have used a data stealing software package being sold online at relatively low-cost — prices range from $29 a week to a $299 full-package ‘pro’ deal. The FormBook malware provides users with a range of espionage capabilities, including key logging, taking screenshots, clipboard monitoring grabbing passwords from web pages and emails.
In an underground advertisement which makes it look more like legitimate software than a criminal tool, its authors describe FormBook as ‘advance[d] internet activity logging software’ which is designed ‘to give you extensive and powerful internet monitoring experience’.
It’s also capable of following remote commands such as updating the bot on the remote system, downloading and executing additional files – the malware has been seen downloading an additional Nanocore Trojan payload – as well as rebooting or shutting down systems.
Several FormBook campaigns have been uncovered by researchers at FireEye – while each campaign users email as the primary attack vector, the malicious attachment can come in the form of PDFs, Office Documents, ZIP, RAR, ACE or ICO attachments, as well as shortened URLs.
Each campaign uses slightly different distribution methods, with aerospace, defence and manufacturing the industries most targeted – although attacks also targeted education, energy, government, financial services and more. Attacks weren’t specially targeted in any way, with generic messages covering common subjects distributed to potential victims.
An overwhelming majority of attacks targeted institutions in the US, with malicious emails being spread throughout July and August.
One FormBook campaign saw the malware distributed in emails purporting to be from DHL, claiming the target had a package to pick up. The email instructed them to download and print and attachment via a link in PDF which if clicked, installed the malicious payload. Hundreds of these emails were sent to targets around the world.
A second campaign attempted to deliver the malware via emails claiming to be invoices, orders or contracts, each containing a Word or Excel document with a malicious macro hidden within, which would drop the FormBook payload when executed.
Meanwhile, a third campaign attempts to distribute FormBook via archive files like ZIP and RAR – and accounts for the highest volume of messages sent. These phishing emails attempted to leverage business relegated subjects and messages -such as fake inquiries, payment confirmations and orders – in order to manipulate the target into opening the malicious file.
This particular arm of the FormBook campaign is different to the others in that it mostly targeted the manufacturing industry and South Korea – although the US was also significantly targeted.
Researchers note that while the capabilities of FormBook aren’t unique – it’s one of many varieties of data-stealing malware – its affordable pricing and open availability opens the door to even low-level cyber criminals deploying sophisticated, stealthy espionage campaigns.
“Because the malware is sold on an open web marketplace and its turn-key and affordable pricing structure – we assess that FormBook is likely geared towards low to mid-range skill level actors,” Randi Eitzman, Threat Pursuit Analyst at FireEye told ZDNet.
However, more advanced attackers could also easily leverage the malware for their own means – especially given its low-cost.
“While the malware may be openly accessible to anyone, it is an effective tool once on a vulnerable host, so the possibility of a professional group leveraging the malware cannot be completely ruled out,” Eitzman added.