Info-Stealing FormBook Returns in New Campaign


A file-hosting service registered within the last week is being used to spread information-stealing malware in another FormBook campaign, currently attacking retail and hospitality businesses both within and outside of the US, according to Deep Instinct.

Though FormBook has been around since approximately 2016, the file-hosting service used in this newest campaign is being discussed and shared in underground hacking forums as a recommended service for hosting and serving malware. In a blog post, researchers wrote, “As with many information stealing and credential harvesting malware, FormBook’s infection chain starts with a phishing email containing a malicious attachment, which is usually an Office document or a PDF file.”

The campaign uses rich text format (RTF) documents and leverages recent Word vulnerabilities as droppers, likely because these are often missed by typical security solutions, according to Deep Instinct. Once the payload is dropped and executed, it will copy itself, then proceed to scan the system for stored passwords in browsers and various other applications before sending the stolen information back.
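Because the droppers described above are RTF files that exploit Word and are "often missed by typical security solutions", a mail gateway or triage script should identify RTF by its header rather than its extension and flag embedded OLE objects. The following Python is an added illustration of that check, not code from Deep Instinct or from the report; the control words it searches for (`\object`, `\objdata`, `\objupdate`, `\objemb`, `\objocx`) are standard RTF control words, and the sample attachments are constructed, not artefacts from the campaign.

```python
# Attachment triage: detect RTF content regardless of extension and flag embedded objects.
# Added example; the sample attachments below are constructed, not real campaign files.

# RTF files begin with "{\rtf1"; Word is lenient and also opens files whose header is the
# truncated "{\rt", so the check uses the shorter prefix to avoid being evaded.
RTF_MAGIC = b"{\\rt"

# Standard RTF control words that introduce embedded OLE / ActiveX objects.
OBJECT_CONTROL_WORDS = (b"\\object", b"\\objdata", b"\\objupdate", b"\\objemb", b"\\objocx")


def is_rtf(data: bytes) -> bool:
    """True if the first bytes look like an RTF header, whatever the file name says."""
    return data.lstrip().startswith(RTF_MAGIC)


def triage_attachment(name: str, data: bytes) -> dict:
    """Return a verdict for one attachment: is it RTF, what was found, should it be held."""
    findings = []
    rtf = is_rtf(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""

    # RTF content hiding behind a .doc (or any non-.rtf) extension is itself a warning sign.
    if rtf and ext != "rtf":
        findings.append("RTF content behind ." + (ext or "(none)") + " extension")

    if rtf:
        found = [cw.decode() for cw in OBJECT_CONTROL_WORDS if cw in data]
        if found:
            findings.append("embedded object control words: " + ", ".join(found))
        # \objupdate forces the embedded object to refresh when the document is opened,
        # i.e. without the user double-clicking it, which is why it deserves its own flag.
        if b"\\objupdate" in data:
            findings.append("\\objupdate present: embedded object refreshed on open")

    return {"name": name, "is_rtf": rtf, "findings": findings, "quarantine": bool(findings)}


# Constructed samples: a plain RTF, an RTF with an embedded object disguised as .doc, and a PDF.
SAMPLES = {
    "invoice.rtf": b"{\\rtf1\\ansi Plain invoice text\\par}",
    "order.doc": b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objdata 01050000020000000b0000}}\\par}",
    "report.pdf": b"%PDF-1.4 (constructed placeholder body)",
}


def triage_all(samples=SAMPLES) -> dict:
    """Triage every sample and return the per-file verdicts keyed by file name."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for verdict in triage_all().values():
        status = "QUARANTINE" if verdict["quarantine"] else "allow"
        print(f"{verdict['name']:<12} {status:<10} {'; '.join(verdict['findings'])}")
```

The extension check matters because a file named `order.doc` that starts with an RTF header is still opened by Word as RTF; pairing that with the presence of `\objupdate` gives a cheap, explainable hold rule that does not depend on a signature for the specific Word vulnerability being exploited.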

In addition, the malware takes a screenshot of the victim’s desktop, along with monitoring all browsers for user-typed passwords, stealing those as well. It will also act as a keylogger and maintain a log of the user’s keystrokes.

“This time around, [FormBook] is using a new malware-friendly file hosting service, which seems to be quickly gaining popularity among other threat actors. We strongly suggest employing a zero-trust policy with respect to the service DropMyBin until other information becomes available,” researchers wrote.

FormBook’s low price is attractive, in particular because there’s a pretty big bang for your buck, according to underground hacking forums. The malware combines sophisticated evasion capabilities with a powerful credential harvesting mechanism, making it attractive to attackers. All of the droppers and payloads discovered in the research are listed among the report’s indicators of compromise (IoCs).
