Cheap, Nasty FormBook Malware Used for Data Stealing Campaign


Attackers are using a cheap, nasty piece of malware, FormBook, in a series of campaigns against defense, aerospace and manufacturing contractors in the US and South Korea, with the aim of stealing sensitive data.

ZDNet reports: “Hackers have launched a string of campaigns against defense, aerospace and manufacturing contractors in the US and South Korea in an effort to install data-stealing malware.
The campaigns have used a data stealing software package being sold online at relatively low-cost — prices range from $29 a week to a $299 full-package ‘pro’ deal. The FormBook malware provides users with a range of espionage capabilities, including key logging, taking screenshots, clipboard monitoring, grabbing passwords from web pages and emails.”

A notable detail is how FormBook is marketed: its authors advertise it on underground forums as legitimate internet-activity-logging software for monitoring purposes, not as malware.

FormBook takes commands from its operators and injects itself into other processes, which lets it log keystrokes and capture form data from HTTP and HTTPS sessions (its hooks sit inside the browser process, before the data is encrypted). Operators can also use it to shut down or reboot the host, steal locally stored passwords, and start new processes.

Nart Villeneuve, Randi Eitzman, Sandor Nemes and Tyler Dean, researchers at FireEye, have authored a detailed blog post explaining how FormBook works. The post says, “The malware injects itself into various processes and installs function hooks to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. The malware can also execute commands from a command and control (C2) server. The commands include instructing the malware to download and execute files, start processes, shutdown and reboot the system, and steal cookies and local passwords. One of the malware’s most interesting features is that it reads Windows’ ntdll.dll module from disk into memory, and calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms ineffective. The malware author calls this technique ‘Lagos Island method’ (allegedly originating from a userland rootkit with this name) … It also features a persistence method that randomly changes the path, filename, file extension, and the registry key used for persistence … The malware author does not sell the builder, but only sells the panel, and then generates the executable files as a service.”
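The ‘Lagos Island method’ quoted above works because the export table of a PE file is enough to locate every function without asking the (possibly hooked) loader or GetProcAddress. The following is an added example, written for this page and not code from FireEye or from FormBook, that walks that export table over a constructed PE32+ module and then does the defensive inverse: it diffs each exported function’s first bytes between the on-disk copy and a mapped in-memory copy to spot an inline `jmp` hook. The module, its section layout, the export names (borrowed from real ntdll for readability) and the syscall-stub bytes are all synthetic; a real tool would read `C:\Windows\System32\ntdll.dll` and the mapped copy in the target process instead.

```python
"""Export-table walk over a PE image, plus disk-vs-memory prologue diffing.
All inputs are constructed in build_sample_module(); nothing here touches a real ntdll."""
import struct

IMAGE_DIRECTORY_ENTRY_EXPORT = 0


def _u16(b, off): return struct.unpack_from("<H", b, off)[0]
def _u32(b, off): return struct.unpack_from("<I", b, off)[0]


def _sections(image):
    """Yield (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section."""
    pe = _u32(image, 0x3C)
    assert image[pe:pe + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = _u16(image, pe + 6), _u16(image, pe + 20)
    first = pe + 24 + opt_size
    for i in range(nsec):
        s = first + 40 * i
        yield _u32(image, s + 12), _u32(image, s + 8), _u32(image, s + 20), _u32(image, s + 16)


def rva_to_offset(image, rva, mapped):
    """File-layout images need the section table; a mapped image has RVA == offset."""
    if mapped:
        return rva
    for va, vsize, raw, rawsize in _sections(image):
        if va <= rva < va + max(vsize, rawsize):
            return raw + (rva - va)
    raise ValueError(f"RVA {rva:#x} not in any section")


def exports(image, mapped=False):
    """Return {name: rva} by walking IMAGE_EXPORT_DIRECTORY directly, as a loader would."""
    pe = _u32(image, 0x3C)
    opt = pe + 24
    data_dir = opt + (0x70 if _u16(image, opt) == 0x20B else 0x60)   # PE32+ vs PE32
    exp = rva_to_offset(image, _u32(image, data_dir + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT), mapped)
    n_names = _u32(image, exp + 24)
    funcs = rva_to_offset(image, _u32(image, exp + 28), mapped)     # AddressOfFunctions
    names = rva_to_offset(image, _u32(image, exp + 32), mapped)     # AddressOfNames
    ords = rva_to_offset(image, _u32(image, exp + 36), mapped)      # AddressOfNameOrdinals
    out = {}
    for i in range(n_names):
        name_off = rva_to_offset(image, _u32(image, names + 4 * i), mapped)
        name = bytes(image[name_off:image.index(b"\0", name_off)]).decode()
        out[name] = _u32(image, funcs + 4 * _u16(image, ords + 2 * i))
    return out


def hooked_exports(disk_image, memory_image, prologue_len=5):
    """Exports whose first bytes differ between disk and memory (e.g. an inline jmp rel32 hook)."""
    hooked = []
    for name, rva in exports(disk_image).items():
        off = rva_to_offset(disk_image, rva, False)
        if disk_image[off:off + prologue_len] != memory_image[rva:rva + prologue_len]:
            hooked.append(name)
    return hooked


def build_sample_module(names, sec_rva=0x1000, sec_raw=0x200):
    """Constructed PE32+ with one .text section exporting `names`; syscall numbers are placeholders."""
    n = len(names)
    body = bytearray(40)                                   # IMAGE_EXPORT_DIRECTORY
    funcs_off = len(body); body += bytes(4 * n)
    names_off = len(body); body += bytes(4 * n)
    ords_off = len(body); body += bytes(2 * n)
    for i, nm in enumerate(names):
        struct.pack_into("<I", body, names_off + 4 * i, sec_rva + len(body))
        struct.pack_into("<H", body, ords_off + 2 * i, i)
        body += nm.encode() + b"\0"
    for i in range(n):                                     # mov r10,rcx; mov eax,N; syscall; ret
        struct.pack_into("<I", body, funcs_off + 4 * i, sec_rva + len(body))
        body += bytes([0x4C, 0x8B, 0xD1, 0xB8, i, 0, 0, 0, 0x0F, 0x05, 0xC3]) + bytes(5)
    struct.pack_into("<IIIII", body, 20, n, n, sec_rva + funcs_off, sec_rva + names_off, sec_rva + ords_off)
    image = bytearray(sec_raw)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)              # e_lfanew
    pe = 0x40
    image[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", image, pe + 4, 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)
    opt = pe + 24
    struct.pack_into("<H", image, opt, 0x20B)              # PE32+ magic
    struct.pack_into("<I", image, opt + 108, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", image, opt + 0x70, sec_rva, 40)  # export directory RVA/size
    sec = opt + 0xF0
    image[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", image, sec + 8, len(body), sec_rva, len(body), sec_raw)
    return bytes(image + body)


def map_image(disk_image):
    """Lay the file out at its virtual addresses, as the loader does, so RVA == offset."""
    secs = list(_sections(disk_image))
    out = bytearray(max(va + rawsize for va, _, _, rawsize in secs))
    hdr_end = min(raw for _, _, raw, _ in secs)
    out[:hdr_end] = disk_image[:hdr_end]
    for va, _, raw, rawsize in secs:
        out[va:va + rawsize] = disk_image[raw:raw + rawsize]
    return out


SAMPLE_EXPORTS = ["NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtWriteVirtualMemory"]


def demo():
    """Resolve exports from the clean file, then catch a simulated user-mode hook in the mapped copy."""
    disk = build_sample_module(SAMPLE_EXPORTS)
    mem = map_image(disk)
    hook_at = exports(disk)["NtWriteVirtualMemory"]
    mem[hook_at:hook_at + 5] = b"\xE9\x00\x10\x00\x00"     # simulated inline 'jmp rel32' hook
    return exports(disk), hooked_exports(disk, mem)


if __name__ == "__main__":
    resolved, hooked = demo()
    print({k: hex(v) for k, v in resolved.items()}, hooked)
```

Calling exported functions through RVAs resolved this way is exactly what makes user-mode API monitors blind: they patch the copy the loader mapped, not the bytes the malware read from disk. The same walk, run from the defender’s side as in `hooked_exports`, is also the quickest way to confirm that a monitoring hook is actually present in a process, and the absence of any hook from a fresh private mapping is a useful heuristic for spotting a ‘Lagos Island’ style reload.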

The attackers rely mostly on phishing emails, delivering the malware through PDF attachments, Office documents, ZIP and RAR archives, and shortened URLs. One lure impersonates DHL and tells the target that a package is waiting for pickup; the email instructs the recipient to download and print a PDF from an attachment link, and a single click on that link fetches the malware. Other emails pose as invoices, orders or contracts and carry a Word or Excel document with the malicious payload embedded. A third set uses business-themed subjects such as fake inquiries, payment confirmations and orders to deliver the malware inside ZIP and RAR archives.

In addition to the aerospace, defense and manufacturing contractors mentioned above, the campaign also targets the education, energy, government and financial services sectors. Most of the observed attacks were against institutions in the US, with activity concentrated in July and August.

Researchers point out that FormBook’s low price and easy availability put espionage-style campaigns within reach of even less sophisticated criminals. The data stolen in such a campaign can also be reused for identity theft, banking fraud and extortion.
