Formbook

FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware in its extreme ease of use, which allows even inexperienced threat actors to operate it.

Type: Stealer
Origin: Unknown
First seen: 1 January, 2016
Last seen: 21 May, 2022
Global rank: 5
Week rank: 2
Month rank: 5
IOCs: 396180

What is FormBook malware?

FormBook is an infostealer trojan available as malware-as-a-service. It is often used by attackers with low technical literacy and little programming knowledge, and it can steal a variety of information from infected machines.

Despite how easy it is to set up and use, the malware has advanced stealing and evasion functions, including the ability to pull stored and recorded user input. In addition, FormBook can search for, view, and interact with files, and take screenshots. Even though its stealing capability can be considered somewhat average, its ease of operation, its injection scheme, and the set of effective measures it takes to avoid detection by antivirus software have made FormBook popular in the criminal community, and, unfortunately, its popularity continued to rise in 2019.

General description of the FormBook stealer

Written in C and x86 assembly, FormBook is sold together with a PHP control panel and can be purchased on easily accessible online forums for as little as 30 dollars.

Unlike the majority of malware, which relies on the latest vulnerabilities or zero-days, FormBook injects into processes and sets up function hooks using already known issues that do not depend on a particular patch level. This is the basis for the makers' claim that the malware works flawlessly regardless of the Windows version.

Alongside its stealer functionality and evasion techniques, the malware can execute instructions from the control server, including starting new processes, injecting into them, and rebooting the victim's PC. Moreover, it can load its own copy of Windows' ntdll.dll module into memory and call it directly, which makes API monitoring and user-mode hooking largely ineffective.

FormBook malware analysis

A video simulation recorded on the ANY.RUN interactive malware analysis service allows us to take an in-depth look at the behavior of this clever piece of malware, and of other families such as Dridex and Lokibot with their elaborate evasion techniques.


Figure 1: Processes created by FormBook during execution as shown by ANY.RUN simulation

  • As shown by the ANY.RUN simulation, the malware first establishes a connection to the CnC server;
  • Next, a malicious executable, in this analysis disguised as a .png file, is dropped or overwritten and executed;
  • FormBook then proceeds to steal personal data and changes the autorun value in the registry. The malware also loads a DLL from Mozilla Firefox, creates files in the user directory, and starts CMD.EXE to set up persistence before beginning process injection;
  • Finally, the injected Firefox.exe runs to log keystrokes, steal clipboard data, and extract authentication information from browser HTTP sessions.

Distribution of the FormBook stealer

According to FormBook analysis, the malware is usually distributed via email campaigns that use a wide array of infection mechanisms and a variety of file attachments. The most commonly observed attachments are PDF, DOC and EXE files, as well as ZIP, RAR, ACE, and ISO archives.

Campaigns that distribute the malware through PDF files are known to use shipping-related themes and usually include a download link that points at the malicious code rather than embedding the payload itself. DOC and EXE campaigns use macros to install and run the malware; often, the payload is retrieved disguised as a .PDF file in such a case. Finally, archive campaigns are considered the most common attack vector and usually revolve around a business-related theme, such as a payment order. With this vector, the attachment either contains a link to the FormBook stealer EXE file or installs and runs the malware on the victim's PC directly.

In 2020 FormBook became quite popular as it used COVID-themed decoy emails with subject lines such as "Government Response to Coronavirus Covid-19".

FormBook execution process

Sandbox simulation performed on the ANY.RUN interactive malware hunting service allows us to detect and investigate the behavior of FormBook in a lot of detail.


Figure 2: A text report generated by ANY.RUN

After the malicious file has been downloaded, the only thing needed to start the infection is for the file to be opened. When a Microsoft Office file (doc, xls, rtf) is used as the infection source, opening it triggers the CVE-2017-11882 vulnerability, so that Microsoft Office Equation Editor downloads a malicious executable file and runs it.

After infecting the victim's PC, the malware copies and renames itself into a directory that depends on the privileges of the user. If an admin account is used, it installs itself in either %ProgramFiles% or %CommonProgramFiles%. If the privileges are not elevated, it copies itself into %TEMP% or %APPDATA%.

The FormBook trojan also changes the autorun value in the registry depending on whether it is running with normal or elevated privileges. Once it has copied itself into the chosen directory, it checks whether it is being run on a virtual machine or analyzed, and selects the evasion option best suited to the situation. It evaluates the USERNAME environment variable to find out whether it has been launched in a sandbox, and also checks for the presence of debuggers. Notably, the malware uses particularly clever anti-analysis techniques: for example, sensitive strings such as command server names are decoded only briefly, when they are absolutely required, which makes FormBook highly elusive. In the next step, it uses the same injection method on an active explorer.exe process, which serves only as a temporary staging ground.

The malware occasionally injects into web browser processes and explorer.exe. After injecting into explorer.exe, it chooses a random application from a static list, runs the chosen application in suspended mode, and copies itself into the address space of the suspended process, thus mimicking a genuine Microsoft process. It then exits the original process, which leaves FormBook's dead code in explorer.exe. From this stage, the new FormBook process can inject into targeted applications such as web browsers, which in this particular ANY.RUN simulation is Firefox.

Depending on the target process, the malware establishes different function hooks. Running inside the context of the newly spawned process, it walks through every active process looking for targeted programs. As soon as a target is found, FormBook injects itself into it and installs a set of API hooks specific to that program. The stolen data is saved in files in the %APPDATA% directory until it is sent to the C&C server. This staging of stolen data on disk is a useful behaviour to watch for when detecting the malware.

How to avoid infection by FormBook?

The best counteraction technique is to exhibit caution when receiving emails with attachments from unknown senders. Attackers usually use social engineering to trick victims into downloading and opening infected files.

Deleting any suspicious emails from the inbox is a good way to stay safe. If the infection is already detected, a good practice is to carry out an analysis of all devices connected to the network for established CnC or potentially malicious URL connections. Once a suspicious email is received, perimeter settings can be adjusted to block all related emails in the future. Finally, if an infected file is already downloaded, the host should be quarantined until the threat is completely mitigated.

How to detect Formbook using ANY.RUN?

The FormBook trojan usually injects into explorer.exe and into other processes from its list, such as firefox.exe and msiexec.exe. Knowing this, you can look at the process tree some time into the execution and easily determine whether or not the sample is FormBook.
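The injection chain described in the execution-process section above and the process-tree hint in this section can be turned into a simple triage rule over sandbox events. The Python below is an added example, not ANY.RUN's or FormBook's code; the event format, the sample events, and the injection-target list are constructed assumptions.

```python
# Processes the page names as FormBook injection targets (assumed list; extend as needed).
INJECTION_TARGETS = {"explorer.exe", "firefox.exe", "msiexec.exe"}
RUN_KEY_FRAGMENT = "\\currentversion\\run"
EXEC_EXTS = (".exe", ".dll", ".scr")

# Constructed sandbox events in execution order (not real ANY.RUN output). They model
# the chain on the page: a PE dropped under a .png name and executed, an autorun value
# written, explorer.exe used as staging, firefox.exe started suspended and injected,
# and cmd.exe spawned from the injected browser.
SAMPLE_EVENTS = [
    {"type": "file_write", "pid": 100, "path": "C:\\Users\\u\\AppData\\Roaming\\pic.png", "mz": True},
    {"type": "process_start", "pid": 200, "ppid": 100, "image": "pic.png",
     "path": "C:\\Users\\u\\AppData\\Roaming\\pic.png"},
    {"type": "reg_set", "pid": 200, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
    {"type": "inject", "pid": 200, "target_pid": 300, "target_image": "explorer.exe"},
    {"type": "process_start", "pid": 400, "ppid": 300, "image": "firefox.exe",
     "path": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "suspended": True},
    {"type": "inject", "pid": 300, "target_pid": 400, "target_image": "firefox.exe"},
    {"type": "process_start", "pid": 500, "ppid": 400, "image": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe"},
]

def triage(events):
    """Return the FormBook-style behaviours found in an ordered event list, as a sorted list."""
    hits = set()
    dropped_pe = set()  # lower-cased paths of files written with an MZ header
    injected = {}       # pid -> image name of every process that received an injection
    for e in events:
        t = e["type"]
        if t == "file_write" and e.get("mz"):
            dropped_pe.add(e["path"].lower())
        elif t == "process_start":
            img, parent = e["image"].lower(), e["ppid"]
            # Executable content launched under a non-executable name (the .png decoy).
            if e["path"].lower() in dropped_pe and not img.endswith(EXEC_EXTS):
                hits.add("dropped_pe_with_decoy_extension_executed")
            # A listed target created suspended by a process that was itself injected.
            if e.get("suspended") and img in INJECTION_TARGETS and parent in injected:
                hits.add("listed_target_started_suspended_by_injected_process")
            if img == "cmd.exe" and parent in injected:
                hits.add("cmd_spawned_from_injected_process")
        elif t == "reg_set" and RUN_KEY_FRAGMENT in e["key"].lower():
            hits.add("autorun_value_set")
        elif t == "inject":
            tgt = e["target_image"].lower()
            if tgt in INJECTION_TARGETS:
                hits.add("injection_into_listed_process")
            if injected.get(e["pid"]) == "explorer.exe":  # explorer was injected earlier: staging hop
                hits.add("explorer_used_as_staging_for_second_injection")
            injected[e["target_pid"]] = tgt
    return sorted(hits)
```

Any single hit is weak on its own (a legitimate installer may write a Run value); the combination of the staging hop through explorer.exe and a suspended browser start from an injected parent is what distinguishes the FormBook chain.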

Figure 3: A tree of processes created by FormBook during its execution

Conclusion

Thanks to its extreme ease of use and low cost, FormBook is gaining traction in the criminal community. Not only is the malware readily available for download on open hacker forums and easy to set up without any programming knowledge, it also comes equipped with highly advanced evasion techniques that make detecting it with antivirus software extremely difficult. The ANY.RUN interactive malware hunting service makes it possible to study FormBook in detail from a secure environment and implement cybersecurity measures accordingly.

