Formbook (Infostealer) – Malware

Overview

FormBook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price.

FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C. Currently, it is assumed that XLoader malware is the successor of Formbook.

Targets

Manufacturing, Defense and Aerospace, and oil and gas companies. Ukrainian targets (2022).

Tools/ Techniques Used

The malware injects itself into various processes and installs function hooks to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. The malware can also execute commands from a command and control (C2) server. The commands include instructing the malware to download and execute files, start processes, shutdown and reboot the system, and steal cookies and local passwords.

One of the malware’s most interesting features is that it reads Windows’ ntdll.dll module from disk into memory, and calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms ineffective. The malware author calls this technique “Lagos Island method” (allegedly originating from a userland rootkit with this name). It also features a persistence method that randomly changes the path, filename, file extension, and the registry key used for persistence.

Impact / Significant Attacks

According to Check Point’s 2022 Cybersecurity Report, FormBook was the third most prolific malware in 2021, attacking 5% of corporate networks. It was also the most prolific infostealer malware, accounting for 16% of attacks worldwide.

References

1. Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea
2. Beware of malware offering “Warm greetings from Saudi Aramco”
3. What is FormBook Malware?