New FormBook malware campaign steals from and spies on victims

Cybercriminals operating the FormBook malware have launched a new campaign to spy on and steal from victims. FormBook is considered to be a run-of-the-mill credential-theft malware that is readily available for purchase on the dark market. It is also comparatively cheaper than other malware variants offered for sale.

FormBook’s latest campaign was spotted by security researchers at Cisco Talos in May wherein hackers have been distributing the malware via phishing emails. Apart from credential stealing features, the malware also has keylogging abilities and can take screenshots.

The hackers operating the malware use four separate malicious documents - a combination of both PDF as well as Microsoft Word docs - in just one phishing email. The campaign leverages two Microsoft Office exploits to drop the final payload onto a targeted system.

The researchers also identified infrastructure similarities between FormBook’s latest campaign and a February 2017 campaign that saw hackers serve up the Pony malware.

“There is the potential that the same actor behind these two attacks is the same due to an overlap in the two attacks' infrastructure. If that is the case, the actor could switch between Pony and FormBook to be able to continue their malicious activities for more than a year,” Cisco Talos researchers wrote in a blog.

The phishing email sent to victims poses as an order from Spanish sales company that contains a blank malicious PDF file and a black, malicious Microsoft Office template file.

“This case shows us that malicious actors play with multiple file formats and embedded objects. In this campaign, the author used a PDF with an embedded Office document template using a vulnerability in order to download an additional Office RTF document, and then a second vulnerability and exploit in order to compromise the target,” Cisco Talos researchers said. “The attacker used an unfamiliar file-sharing platform in order to store the malicious document and a compromised WordPress site in order to store the final payload. We did notice that the file-sharing platform is reactive, removing the malicious files quickly, stopping the infection chain.”

Although this campaign and some of the techniques employed by the malware’s authors may be new, FormBook itself is by no means a recently developed malware.

According to researchers at FireEye, FormBook has been around since 2016 and has been used to target various industries in the US and South Korea.

“While FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use, affordable pricing structure, and open availability make FormBook an attractive option for cyber criminals of varying skill levels,” FireEye researcher wrote in a blog.

Since it first appeared, FormBook has been leverage by numerous cybercriminals, who in turn, have tweaked it to create new variants. Security researchers at Radware said that they identified a new and dangerous variant of FormBook in March. This indicates the malware’s continued popularity among cybercriminals and hints at the possibility that more such FormBook campaigns are likely to crop up in the future.