Security researchers from Arbor Networks and FireEye have found a series of attacks using malware dubbed FormBook, primarily targeting the aerospace, defense contractor, and manufacturing sectors in many countries, including the USA, Thailand and South Korea. They found that PDF and DOC/XLS documents were largely used to target organizations.
FormBook was created to steal data from infected computers, including keystrokes, clipboard contents, HTTP/HTTPS/SPDY/HTTP2 web forms and network requests, passwords from web browsers and email clients, and screenshots, and to transfer that data to the attacker's server.
According to FireEye researchers:
“We observed several high-volume FormBook malware distribution campaigns primarily taking aim at Aerospace, Defense Contractor, and Manufacturing sectors within the U.S. and South Korea during the past few months. The attackers involved in these email campaigns leveraged a variety of distribution mechanisms to deliver the information stealing FormBook malware, including:
– PDFs with download links
– DOC and XLS files with malicious macros
– Archive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads”
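A mail-gateway triage check for the three delivery mechanisms listed in the quote, as an added example that is not code from FireEye, Arbor Networks or this article. The function names, finding labels and sample attachments are assumptions constructed for illustration, and the checks are heuristics (magic bytes, macro storage names, member names).

```python
import io
import re
import zipfile

EXE_SUFFIXES = (".exe", ".scr", ".com", ".pif")
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")        # legacy DOC/XLS container
VBA_DIR = "_VBA_PROJECT".encode("utf-16-le")         # storage name present when macros exist
PDF_URI = re.compile(rb"/URI\s*\(([^)]{1,2048})\)")  # misses links in compressed streams

def triage(data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing matched."""
    findings = []
    if data.startswith(b"%PDF-"):
        findings += ["pdf-link:" + m.group(1).decode("latin-1") for m in PDF_URI.finditer(data)]
    elif data.startswith(OLE_MAGIC):
        if VBA_DIR in data:
            findings.append("ole-macro")
    elif data.startswith(b"PK\x03\x04"):             # ZIP, which also covers DOCM/XLSM
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    low = info.filename.lower()
                    if low.endswith("vbaproject.bin"):
                        findings.append("ooxml-macro:" + info.filename)
                    elif info.flag_bits & 0x1:       # encrypted member, cannot inspect
                        findings.append("archive-encrypted:" + info.filename)
                    elif low.endswith(EXE_SUFFIXES) or zf.open(info).read(2) == b"MZ":
                        findings.append("archive-exe:" + info.filename)
        except zipfile.BadZipFile:
            findings.append("zip-malformed")
    elif (data.startswith(b"Rar!\x1a\x07") or data[7:14] == b"**ACE**"
          or data[0x8001:0x8006] == b"CD001"):       # RAR, ACE, ISO 9660
        findings.append("archive-needs-unpacking")
    return findings

def constructed_samples() -> dict[str, bytes]:
    """Build small constructed in-memory attachments, one per delivery mechanism."""
    def make_zip(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, body in members.items():
                zf.writestr(name, body)
        return buf.getvalue()
    return {
        "pdf": b"%PDF-1.4\n1 0 obj<</S/URI/URI (http://example.invalid/invoice)>>endobj\n",
        "doc": OLE_MAGIC + b"\x00" * 64 + VBA_DIR,
        "docm": make_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"}),
        "zip": make_zip({"report.dat": b"MZ\x90\x00", "payment.pdf.scr": b"MZ\x90\x00"}),
        "iso": b"\x00" * 0x8001 + b"CD001",
    }
```

RAR, ACE and ISO attachments are only flagged by signature here, because the Python standard library cannot list their contents; they need a dedicated unpacker before the same EXE check can run.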
Anyone on the internet can rent FormBook for only $29 per 7 days or $59 per 30 days, which provides a variety of advanced spying capabilities on target computers, including a keylogger, password stealer, network sniffer, screenshot capture, web form data stealer and much more.
FormBook is a data stealer and form grabber that has been sold on many hacking forums since early 2016. It has been seen downloading other malware families such as NanoCore. The credentials and other information collected by successful FormBook infections could be used for additional cybercrime activities.