|Type of Malware||Infostealer and form grabber|
|Date of Initial Activity||2016|
|Motivation||Harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes and can download and execute files according to orders from its C&C|
|Attack Vectors||Phishing emails, PDFs with download links, DOC and XLS files with malicious macros, Archive files (ZIP, RAR, ACE, and ISOs) containing EXE payload|
|Targeted System||Windows OS|
|Associated Groups||Many threat actors (MaaS)|
FormBook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price.
FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C. Currently, it is assumed that XLoader malware is the successor of Formbook.
Manufacturing, Defense and Aerospace, and oil and gas companies. Ukrainian targets (2022).
Tools/ Techniques Used
The malware injects itself into various processes and installs function hooks to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. The malware can also execute commands from a command and control (C2) server. The commands include instructing the malware to download and execute files, start processes, shutdown and reboot the system, and steal cookies and local passwords.
One of the malware’s most interesting features is that it reads Windows’ ntdll.dll module from disk into memory, and calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms ineffective. The malware author calls this technique “Lagos Island method” (allegedly originating from a userland rootkit with this name). It also features a persistence method that randomly changes the path, filename, file extension, and the registry key used for persistence.
Impact / Significant Attacks
According to Check Point’s 2022 Cybersecurity Report, FormBook was the third most prolific malware in 2021, attacking 5% of corporate networks. It was also the most prolific infostealer malware, accounting for 16% of attacks worldwide.