Formbook

FormBook stealer is an infostealer‍ trojan available as a malware-as-service. This malware is often used by attackers with low technical literacy and little programming knowledge. FormBook can be used to steal various information from infected machines.

  • Type
    Stealer
  • Origin
    Unknown
  • First seen
    1 January, 2016
  • Last seen
    22 November, 2019
Global rank
5
Week rank
9
Month rank
6
IOCs
47507

What is FormBook malware?

FormBook stealer is an infostealer‍ trojan available as a malware-as-service. This malware is often used by attackers with low technical literacy and little programming knowledge. FormBook can be used to steal various information from infected machines.

Despite how easy it is to set up and use, the malware has advanced stealing functions including the ability to pull stored and recorded user input. In addition, the FormBook stealer is capable of searching for, viewing and interacting with files and taking screenshots. Even though the stealing capability of this virus can be considered somewhat average, its ease of operation and a set of effective measures that the malware takes to avoid detection by antivirus software made FormBook a popular virus in the hacker community and, unfortunately, it’s popularity is only continuing to rise in 2019.

General description of the FormBook stealer

Written in C and x86 assembly language, FormBook is sold as a PHP control panel and can be purchased on highly accessible online forums for merely 30 dollars.

Uniquely, unlike the majority of existing viruses that exploit the latest vulnerabilities or zero-days, FormBook can inject into processes and set up function hooks utilizing already known issues. Hence the claim made by the makers, that the virus will work flawlessly regardless of the Windows version.

Together with its stealer functionality, the virus knows how to execute instructions from a control server that include starting new processes and rebooting the victim’s PC. What’s more, the virus is able to record Windows’ ntdll.dll module into memory and call it directly, which makes API monitoring and user-mode hooking almost insufficient.

FormBook malware analysis

A video simulation recorded on the ANY.RUN interactive malware analysis service allows us to take an in-depth look at the behavior of this clever virus.

formbook execution process graph

Figure 1: Processes created by FormBook during execution as shown by ANY.RUN simulation

  • As shown by the ANY.RUN simulation, firstly the virus established connection to the CnC server;
  • After this, a malicious executable file, in this case pretending to be a .png is being dropped or overwritten and executed;
  • Then, FormBook proceeds to steal the personal data and change the autorun value in the registry. In addition, the virus loads DLL from Mozilla Firefox, creates files in the user directory and starts CMD.EXE to set up persistence and later begin process injection;
  • Finally, injected Firefox.exe is executed for logging keystrokes, stealing clipboard data, and extracting authentication information from browser HTTP sessions.

Distribution of the FormBook stealer

FormBook is usually distributed via email campaigns that utilized a wide array of infecting mechanisms and can contain a number of various file attachments. Among the most commonly observed attachments are either PDFs, DOC or EXE, or ZIP, RAR, ACE, and ISO files.

Campaigns in which the virus is distributed through files with PDF extensions are known to utilize shipping related themes and usually include a download link that points at the malicious code instead of the actual virus. DOC and EXE campaigns utilize macros to install and run the virus. Often, the virus is retrieved as a .PDF file in such a case. Finally, the archive campaigns are considered to be the most common attack vector for this virus and usually revolve around a business related theme, such as a payment order. In case of this attack vector, attachments either contain a link to the FormBook stealer EXE file or install and run the virus on victim's PCs directly.

FormBook execution process

Sandbox simulation performed on the ANY.RUN interactive malware hunting service allows us to investigate the behavior of FormBook in a lot of detail.

text report of the formbook malware analysis

Figure 2: A text report generated by ANY.RUN

After downloading malicious file the only thing needed to start the contamination is for the file to be opened. In a case when Microsoft Office file (doc, xls, rtf) is used as an infection source, after it is opened the malware exploits the CVE-2017-11882 vulnerability, thus Microsoft Office Equation Editor proceeds to download a malicious executable file and run it.

After infecting the victim's PC, the virus copies and renames itself into a directory that differs based on the privileges of the user. If an admin account is used, the virus installs itself in either %ProgramFiles% or %CommonProgramFiles%. On the other hand, if the privileges are not elevated, then the virus will copy itself into %TEMP% or %APPDATA.

Also, Formbook changes the autorun value in the registry depending on is it was running with normal or elevated privileges. Next, the malware copies itself into a directory it proceeds to check if it’s being run on a virtual machine or analyzed, evaluating the best anti-evasion option that can be utilized in a particular situation. Meanwhile, the virus will try to evaluate the USERNAME environment variable to find out if it’s launched in simulation, while also checking for the presence of debuggers. It should be noted that the malware uses particularly clever techniques while performing an analysis, for example, all shared strings such as command server names are decoded only briefly if they are absolutely required, which makes FormBook highly elusive. In the next step, the virus is injected into an active explorer.exe process which is only employed as a non-permanent staging ground.

The virus occasionally injects into web browser processes and explorer.exe. After injecting into the process, the virus chooses a random application from a static list. Then, the virus proceeds to run the chosen application in suspended mode and copy itself in the address space of the suspended process, thus mimicking a genuine Microsoft process. Next, the virus exits the original process which leaves FormBook's dead code in explorer.exe as a result. From this stage, new FormBook processes can inject targeted applications like web browser processes, which in the case of this particular ANY.RUN simulation is Firefox.

Depending on the objective process, the virus can establish various function hooks. Being run from inside the context of an already generated process, the virus starts to go through every currently active process, trying to identify targeted programs. As soon as a target is found, FormBook will inject itself into it and install a particular set of API hooks, that are based on the target program. The data is then saved in files in the %APPDATA% directory until it is sent to the C&C server.

How to avoid infection by FormBook

The best counteraction technique is to exhibit caution when receiving emails with attachments from unknown senders. Attackers usually use social engineering to trick victims into downloading and opening infected files.

Deleting any suspicious emails from the inbox is a good way to stay safe. If the infection is already suspected, a good practice is to check all devices connected to the network for established CnC or potentially malicious URL connections. Once a suspicious email received, perimeter settings can be adjusted to block all related emails in the future. Finally, if an infected file is already downloaded, the host should be quarantined until the threat is completely mitigated.

How to detect Formbook using ANY.RUN?

Formbook usually injects into explorer.exe and Firefox.exe processes. Knowing this information you can take a look at the process tree after a while during execution and easily determine either the sample is Formbook or not.

formbook execution process tree Figure 3: A tree of processes created by Formbook durint its execution

Conclusion

Thanks to extreme ease of use and low cost, FormBook is gaining traction in the criminal community. Not only is the virus freely accessible for download on open hacker forums and easy to set-up without any programming knowledge, but it also comes equipped with some highly advanced anti-evasion techniques, that make detecting it with anti-virus software ultra difficult. ANY.RUN interactive malware hunting service enables to study FormBook in detail from a secure environment and implement cybersecurity measure accordingly.

IOCs

IP addresses
165.160.13.20
23.231.142.63
198.251.81.30
185.53.178.6
163.171.132.119
162.241.148.253
143.204.214.36
185.53.179.8
172.217.18.115
184.168.221.40
184.168.221.33
198.185.159.145
142.111.17.7
35.186.238.101
37.252.15.53
73.180.153.157
199.188.203.224
185.53.179.29
173.239.5.6
167.99.137.12
Hashes
0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894
Domains
s.csbew.com
www.elementorlandosouthwest.com
msl-lock.com
www.amazonrochester.com
mail.login.citrixonline.com
verify.com
www.jacuzziofirvine.com
www.chevroletheadtohead.com
mail.api.crowdsurge.com
mail.sheilaswheels.com
www.smartpowerinternational.com
www.allstatefloridaclaim.com
blaklader.com
www.vizeumcanada.com
jjkbargelaterialajijonencaabrera.com
rock.com
www.le-mois00.com
crediotkarma.com
lexapro.press
atijariwafa.com

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat and JSocket is a remote access trojan available as MaaS ( Malware-As-A-Service ). Adwind can collect user and system data, control the webcam of the infected machine, capture screenshots, install and run other malicious programs, log keystrokes, steal web browser passwords and more.
Read More
AgentTesla screenshot
AgentTesla
agenttesla trojan rat stealer
Agent Tesla is a password stealer spyware that has been around since 2014. The malware can be used by attackers to spy on victims, allowing them to see everything that has been typed in supported programs and web-browsers.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult is an information stealer malware that is targeted at stealing credentials and accounts. Updated multiple times over the years, AZORult continues to be an active concern for the users, stealing information such as banking passwords, credit card details, browser histories, and even cryptocurrency.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is a banking trojan that was spotted in the wild in 2018. Danabot differs from competing Trojans thanks to its robust delivery system and modular design. Since its first appearance, Danabot has obtained high popularity among cybercriminals and became an active threat in multiple regions of the world.
Read More
Dridex screenshot
Dridex
dridex trojan banker
Dridex is one of the most technologically advanced banking trojans currently active. The primary target of this malware is stealing banking credentials from its victims. Dridex has been around since 2014 and has benefited from very consistent updates that helped the malware evolve and become more and more capable.
Read More
Emotet screenshot
Emotet
emotet trojan loader banker
Emotet is an extremely sophisticated and destructive banking Trojan used to download and install other malware. First recorded in 2014, Emotet has gained advanced capabilities over the course of its lifetime. Today Emotet is targeting governments, corporations, small businesses and individuals, focusing on Europe, America, and Canada.
Read More