FormBook malware is being used in targeted attacks on the manufacturing and aerospace sectors according to researchers at FireEye, although attacks are not confined to these industries.
So far, the attacks appear to have been concentrated on organizations in the United States and South Korea, although it is highly likely that attacks will spread to other areas due to the low cost of this malware-as-a-service, the ease of using the malware, and its extensive functionality.
FormBook malware is being sold on underground forms and can be rented cheaply for as little as $29 a month. Executables can be generated using an online control panel, a process that requires next to no skill. This malware-as-a-service is therefore likely to be used by many cybercriminals.
FormBook malware is an information stealer that can log keystrokes, extract data from HTTP sessions and steal clipboard content. Via the connection to its C2 server, the malware can receive and run commands and can download files, including other malware variants. Malware variants discovered to have already been downloaded by FormBook include the NanoCore RAT.
FireEye researchers also point out that the malware can steal passwords and cookies, start and stop Windows processes, and force a reboot of an infected device.
FormBook malware is being spread via spam email campaigns using compressed file attachments (.zip, .rar), .iso and .ace files in South Korea, while the attacks in the United States have mostly involved .doc, .xls and .pdf files. Large scale spam campaigns have been conducted to spread the malware in both countries.
The U.S campaigns detected by FireEye used spam emails related to shipments sent via DHL and FedEx – a common choice for cybercriminals. The shipment labels, which the emails say must be printed in order to collect the packages, are in PDF form. Hidden in the document is a tny.im URL that directs victims to a staging server that downloads the malware. The campaigns using Office documents deliver the malware via malicious macros. The campaigns conducted in South Korea typically include the executables in the attachments.
While the manufacturing industry and aerospace/defense contractors are being targeted, attacks have been conducted on a wide range of industries, including education, services/consulting, energy and utility companies, and the financial services. All organizations, regardless of their sector, should be alert to this threat.
Organizations can protect against this new threat by adopting good cybersecurity best practices such as implementing a spam filtering solution to block malicious messages and stop files such as ISOs and ACE files from being delivered to end users. Organizations should also alert their employees to the threat of attack and provide training to help employees recognize this spam email campaign. Macros should also be disabled on all devices if they are not necessary for general work duties, and at the very least, should be set to be run manually.