FormBook, the commercially available malware service, is back in action. This infostealer has been available as a service in underground forums since 2016, and the latest variant is equipped with new obfuscation capabilities. 

What has been discovered?

Researchers from FortiGuard Labs have disclosed a new phishing campaign that goes after victims' personal information while distributing the new variant of FormBook.
  • The campaign is designed to hack into the target system and steal data from commonly used browsers, IM, email clients, and FTP clients, via keyloggers and form grabbers.
  • The campaign consists of a phishing email with a malicious PowerPoint document attached that can spread the malware.
  • The phishing email appears to be a reply to an old purchase order and lures victims into viewing a video with details of brochures and prices. 
  • The malicious VBA code checks for two actions: Mouse Click and Mouse Over. The procedure begins as soon as the victim moves the mouse around the slideshow or clicks it, delivering the FormBook payload.
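
For triage of suspicious attachments, the Mouse Click and Mouse Over triggers described above can be checked statically. The following is an added example, not code from FortiGuard Labs or the original article. It assumes the attachment is an OOXML (zip-based) presentation, which the article does not specify, where PowerPoint stores a "Run macro" action as a `ppaction://macro` value on `hlinkClick` or `hlinkHover` elements. The sample deck and the macro name `Example_Macro` are constructed and inert.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
# DrawingML elements that carry PowerPoint "Action Settings" for a shape.
TRIGGERS = {f"{{{A_NS}}}hlinkClick": "Mouse Click",
            f"{{{A_NS}}}hlinkHover": "Mouse Over"}


def scan_presentation(data: bytes) -> dict:
    """Report VBA presence and macro-bound mouse actions in an OOXML deck."""
    findings = {"has_vba": False, "macro_actions": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                findings["has_vba"] = True  # deck carries a VBA project
            # Covers ppt/slides, ppt/slideLayouts and ppt/slideMasters parts.
            if not (name.startswith("ppt/slide") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            for elem in root.iter():
                trigger = TRIGGERS.get(elem.tag)
                action = elem.get("action", "")
                if trigger and action.lower().startswith("ppaction://macro"):
                    findings["macro_actions"].append((name, trigger, action))
    return findings


def build_sample() -> bytes:
    """Constructed, inert sample: one hover action and a dummy VBA part."""
    slide = (
        '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
        f'xmlns:a="{A_NS}"><p:cSld><p:spTree><p:sp><p:nvSpPr>'
        '<p:cNvPr id="2" name="Shape">'
        '<a:hlinkHover action="ppaction://macro?name=Example_Macro"/>'
        '</p:cNvPr></p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/vbaProject.bin", b"placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_presentation(build_sample()))
```

A deck that both contains a VBA project and binds a macro to a mouse action is worth quarantining for closer analysis. When scanning untrusted files in bulk, swap the standard-library XML parser for a hardened one such as `defusedxml`.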

Enhancements in FormBook

In the latest variant of FormBook, its developers have used several new techniques to make malware analysis more challenging.
  • The developers have obfuscated the complete code and encrypted all constant strings to hide them from malware analysis tools used by security researchers.
  • The names of all classes, variables, methods, and properties are randomly generated (such as x2C.g4J), providing no clues about its purpose.
  • In addition, they obfuscated the code flow so that researchers cannot easily follow the malware's actual execution path.

Recent attack using FormBook

A recent report from Trend Micro revealed that during the pandemic, FormBook and several other malware families were using vaccine-related threats to lure their victims.


The developers of FormBook are gradually equipping their malware with robust anti-analysis techniques, making it difficult for malware researchers to analyze and break it. In addition, the use of simple mouse-based triggering events makes it more efficient. These qualities make this malware a recurrent threat, demanding a closer look by security agencies.

Cyware Publisher