FormBook malware is being used in focused attacks on the manufacturing and aerospace sectors, according to security researchers at FireEye, although the attacks are not restricted to these sectors.
So far, the attacks have targeted organizations in the United States and South Korea, but it is highly probable that they will spread to other regions given the low cost of this malware-as-a-service, the simplicity of using it, and its extensive functionality.
FormBook is advertised on underground forums and can be rented for as little as $29 per month. Executables are built through an online control panel, a process that requires next to no expertise. For that reason, this malware-as-a-service is likely to be adopted by many cybercriminals.
FormBook malware is a data stealer that can log keystrokes, take data from HTTP sessions and steal clipboard content. Using the connection to its C2 server, the malware can receive and run commands and can download files, including other malware variants. Malware variants found to have already been downloaded by FormBook include the NanoCore RAT.
FireEye researchers have also revealed that the malware can obtain passwords and cookies, start and stop Windows processes, and force a reboot of an infected computer.
FormBook is being spread through spam email campaigns. In South Korea the attachments have been compressed archives (.zip, .rar), .iso images and .ace archives, while the attacks in the United States have mostly used .doc, .xls and .pdf files. Large-scale spam campaigns have been carried out in both countries.
The U.S. campaigns identified by FireEye used spam emails purporting to relate to shipments sent via DHL and FedEx, a common lure. The emails claim that the attached shipping label, supplied as a PDF, must be printed in order to collect the package. Hidden in the document is a tny.im shortened URL that redirects victims to a staging server from which the malware is installed. The campaigns using Office documents deliver the malware via malicious macros. The campaigns in South Korea typically include the executable itself inside the attached archive.
While manufacturing firms and aerospace/defense contractors are the main focus, attacks have also been aimed at a wide range of sectors, including education, services/consulting, energy and utility companies, and financial services. Organizations in every sector should be prepared for this threat.
Organizations can defend against this threat by following basic cybersecurity best practices: deploy a spam filtering solution that blocks malicious messages and strips attachment types such as .iso and .ace files, which have no legitimate reason to reach end users by email, and that inspects archives for executables. Staff should be warned about the campaign and given training to recognize the shipping-label lure. Macros should be disabled on all devices where they are not required for normal work; where they are needed, Office should be configured to block them by default and require explicit user approval (or, better, to allow only digitally signed macros) rather than letting them run automatically.
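The attachment-filtering advice above can be turned into a concrete triage rule. The following script, added here as an illustration and not part of the FireEye report or of any product, classifies the attachment types used in the FormBook campaigns: non-ZIP containers (.rar, .ace, .iso) are blocked outright, ZIP archives are opened and blocked if they carry an executable, OOXML documents are blocked if they contain a `vbaProject.bin` macro part, and PDFs with embedded links are flagged for review. All sample attachments, including the shortener URL, are constructed in memory; nothing is a real malware sample, and the `classify`/`triage` names are this example's own.

```python
"""Attachment triage for a FormBook-style spam campaign (added example).

Classifies attachments by the lures described in the article: archives or
disk images carrying an executable, Office documents carrying a VBA macro
project, and PDFs carrying a hyperlink. All samples are constructed here.
"""
import io
import re
import zipfile

# Container types the article reports being used to deliver FormBook.
CONTAINER_EXT = {".zip", ".rar", ".ace", ".iso"}
# Directly executable content that should never arrive inside an archive.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
OFFICE_EXT = {".doc", ".xls", ".docm", ".xlsm", ".docx", ".xlsx"}

# Legacy binary Office files (.doc/.xls) are OLE2 compound files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OOXML stores the macro project in this part.
VBA_PART = "vbaProject.bin"
# Rough URL matcher for raw PDF objects; it will not see URLs inside
# compressed streams, so a real gateway should decompress or sandbox first.
URL_RE = re.compile(rb"https?://[A-Za-z0-9./_\-?=&%]+")


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def classify(filename: str, data: bytes) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    ext = _ext(filename)

    if ext in CONTAINER_EXT:
        # Only ZIP can be opened with the standard library; RAR/ACE/ISO are
        # blocked outright, matching the article's filtering advice.
        if ext != ".zip":
            return "block", f"container type {ext} not accepted from external senders"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if _ext(member) in EXECUTABLE_EXT:
                        return "block", f"archive contains executable {member}"
        except zipfile.BadZipFile:
            return "block", "corrupt or non-ZIP payload with .zip extension"
        return "review", "archive without an obvious executable"

    if ext in OFFICE_EXT:
        if data.startswith(OLE_MAGIC):
            # Binary .doc/.xls: a production filter would parse the OLE
            # directory (e.g. with oletools); here the legacy format is flagged.
            return "review", "legacy binary Office document (may carry macros)"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.endswith(VBA_PART) for n in zf.namelist()):
                    return "block", "Office document carries a VBA macro project"
        except zipfile.BadZipFile:
            return "review", "Office extension but neither OOXML nor OLE"
        return "allow", "macro-free OOXML document"

    if ext == ".pdf":
        urls = URL_RE.findall(data)
        if urls:
            return "review", "PDF contains link(s): " + ", ".join(u.decode() for u in urls)
        return "allow", "PDF without embedded links"

    return "allow", "no rule matched"


def _make_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples mirroring the lures described in the article.
SAMPLES = {
    "invoice.zip": _make_zip({"invoice.exe": b"MZ" + b"\0" * 16}),        # archive with executable
    "label.ace": b"**ACE**" + b"\0" * 8,                                  # ACE container
    "shipment.docm": _make_zip({"[Content_Types].xml": b"<Types/>",
                                "word/vbaProject.bin": OLE_MAGIC}),       # macro document
    "notes.docx": _make_zip({"[Content_Types].xml": b"<Types/>",
                             "word/document.xml": b"<w:document/>"}),     # benign document
    "dhl_label.pdf": b"%PDF-1.4\n1 0 obj << /S /URI /URI (http://tny.im/example) >> endobj\n",
}


def triage(samples=SAMPLES) -> dict[str, str]:
    """Map each sample attachment name to its verdict."""
    return {name: classify(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = classify(name, data)
        print(f"{name:16} {verdict:7} {reason}")
```

Run as-is, the script blocks the archive with the executable, the .ace file and the macro-bearing .docm, passes the plain .docx, and holds the PDF with the shortener link for review. A static rule like this is a first line of defence only: it cannot see into RAR/ACE/ISO contents or compressed PDF streams, so suspicious attachments should still be detonated in a sandbox before release.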