Formbook, the malware family of data-stealers and form-grabbers, was seen active again, this time leveraging COVID-19 themes to attack its victims.

What happened

A spearphishing campaign was observed targeting biomedical firms, compromising financial resources, data, or intellectual property.
  • The attack used spearphishing emails, disguised with informative and colorful graphics, and appears to have arrived from the World Health Organization (WHO).
  • One target was a chemical company in the Czech Republic that produces industrial goods for small customers and large enterprises.
  • The latest email campaign saw spikes in the month of April, targeting the US victims. This latest variant was detected by only 13 of the total 71 popular anti-virus vendors.

Not the first time

This is not the first time Formbook malware has used lures related to current Coronavirus. Formbook has been using COVID-19 related lures since early 2020.
  • The first attempts were tracked around February 11 and then on February 25, when Indian victims faced its heat the most.
  • At that time also, the campaigns used spam emails, pretending to have arrived from the World Health Organization (WHO), containing zip attachment which contains "MyHealth.exe" health tracking app.
  • The emails eventually delivered Guloader and Formbook malware.

A brief history of Formbook

The current version of the Formbook info stealer is an evolved and enhanced version of a simple form grabber tool. Here is the brief history of its evolution:
  • In June 2016, the initial version of Formbook form grabber was made available for sale online, at a price of $150 per year, by someone dubbed ‘SL4ID3R’.
  • Fueled by its cheap price and the availability of a cracked builder, "FormBook" become an increasingly frequent tool used for cyber espionage campaigns by mid-2017.
  • Since then, it has been observed being used during several high-value campaigns, like Aerospace, Defense Contractor, and Manufacturing sectors within the US and South Korea in October 2017, Malspam campaign in February 2018, fake Spanish sales company spam campaign in May 2018, Microsoft Office 365 exploitation in December 2018, Phishing emails targeting retail and hospitality sectors in North-America in January 2019, and many more.

How to stay protected

The Department of Homeland Security has provided guidelines to stay protected from COVID-19 themed attack:
  • Do not blindly trust the emails asking for any personal or financial information, as this information may be used for further scams.
  • Do not trust all information posted on the Internet, and following trusted sources, like legitimate, government websites, or media agencies for legitimate information about COVID-19.

How to protect against Formloader

Internet users should follow general guidelines to stay protected from Formbook malware:
  • Avoid clicking on the links received in emails from unknown users, especially those carrying email attachments.
  • Download all applications from official sources only, using direct download links, and avoid links shared on Social network websites.

Cyware Publisher