FormBook, an information-stealing malware first identified in 2016, has resurfaced with enhanced capabilities, posing a significant threat to Windows users. This malware is adept at harvesting sensitive data, including login credentials, keystrokes, and screenshots, and can execute commands from its command-and-control (C2) servers, granting attackers substantial control over compromised systems.
Evolution and Distribution
Operating under a Malware-as-a-Service (MaaS) model, FormBook is available for purchase on underground forums, making it accessible to cybercriminals of varying skill levels. Its affordability and ease of use have contributed to its widespread adoption. Notably, in August 2021, FormBook was identified as the most prevalent malware, surpassing other significant threats. ([checkpoint.com](https://www.checkpoint.com/press-releases/august-2021s-most-wanted-malware-formbook-climbs-into-first-place/?utm_source=openai))
The primary vector for FormBook’s distribution is phishing campaigns. Attackers craft emails with malicious attachments, such as PDFs, Word documents, or compressed archives, designed to exploit vulnerabilities in Microsoft Office, notably CVE-2017-11882. Upon opening these attachments, the malware is deployed, initiating its infection process. ([fortinet.com](https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882?utm_source=openai))
Technical Capabilities and Evasion Techniques
Once executed, FormBook employs sophisticated techniques to evade detection and analysis. It injects itself into legitimate processes, such as ImagingDevices.exe, and utilizes process hollowing to conceal its presence. The malware also implements the Heaven’s Gate technique, allowing 32-bit processes to execute 64-bit code on Windows x64 systems, further complicating detection efforts. ([fortinet.com](https://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign-part-i?utm_source=openai))
To thwart analysis, FormBook loads a duplicated ntdll.dll in memory, calling APIs from this copy rather than the original, and encrypts over 100 key functions, decrypting them only during execution. It actively detects virtualized environments by checking for blacklisted process names and examining usernames and execution paths for indicators of sandbox environments. ([sentinelone.com](https://www.sentinelone.com/blog/formbook-yet-another-stealer-malware/?utm_source=openai))
Data Harvesting and Command Execution
FormBook’s primary objective is data exfiltration. It targets credentials from major web browsers, including Chrome, Firefox, Internet Explorer, and Edge, by executing SQL queries against browser databases to extract stored credentials. The malware maintains communication with multiple C2 domains, which are heavily obfuscated to evade detection. Through these servers, FormBook can execute various commands, such as downloading and executing additional files, updating or removing itself, and rebooting or shutting down the compromised system. ([checkpoint.com](https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-formbook-malware/?utm_source=openai))
Targeted Sectors and Global Impact
FormBook has been used in large-scale campaigns targeting specific industry verticals. In 2017, it was employed in attacks against the defense and aerospace industries. During the 2022 conflict between Russia and Ukraine, cyber threat actors used the malware to attack Ukrainian targets. Its versatility and effectiveness have made it a persistent threat across various sectors. ([checkpoint.com](https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-formbook-malware/?utm_source=openai))
Preventive Measures and Mitigation Strategies
To protect against FormBook infections, organizations should implement comprehensive cybersecurity measures:
– Anti-Phishing Solutions: Deploy solutions capable of identifying and blocking emails containing obfuscated malicious content to minimize malware risk.
– Content Disarm and Reconstruction (CDR): Utilize CDR solutions to sanitize infected documents by removing malicious functionality before delivering them to recipients.
– Endpoint Detection and Response (EDR): Install EDR solutions to detect and respond to malware infections on endpoints effectively.
– Multi-Factor Authentication (MFA): Implement MFA to make it more challenging for attackers to exploit stolen credentials.
– Zero Trust Security Model: Adopt zero trust principles to limit access and permissions, reducing the impact of potential account takeovers.
– Employee Cyber Awareness Training: Educate employees to recognize and appropriately respond to phishing attempts and other social engineering tactics.
Conclusion
FormBook’s resurgence underscores the evolving nature of cyber threats and the importance of robust cybersecurity practices. By understanding its distribution methods, technical capabilities, and implementing proactive defense strategies, organizations can better protect themselves against this persistent malware.
