IT security researchers at FireEye have discovered malware, observed targeting South Korea and the United States, that aims to steal sensitive information from critical sectors including aerospace, defense contractors, and manufacturing.
Dubbed FormBook, the data-stealing malware is distributed through several methods; once running, it steals clipboard contents, logs keystrokes and extracts data from HTTP sessions.
“While FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use, affordable pricing structure, and open availability make FormBook an attractive option for cybercriminals of varying skill levels.”
FormBook is distributed in PDFs with download links; .DOC and .XLS files with malicious macros; and archive files (e.g. .ZIP and .RAR) with .EXE payloads. Once it has infected a targeted device, the malware can receive instructions from its command-and-control (C2) server, such as stealing passwords and cookies, executing files, starting processes, and shutting down or rebooting the system.
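The three delivery vectors listed above (PDFs carrying links, Office documents carrying macros, archives carrying executables) are exactly what a mail-gateway triage step can check before a user ever sees the attachment. The following script is an added example written for this article, not code from FireEye or from the report it summarises. It builds a handful of constructed sample attachments in memory (none of them real FormBook artifacts) and returns, per file, the reasons it would be held for analysis. The function names and the reason strings are this example's own; RAR archives are not handled because the standard library has no RAR reader.

```python
import io
import os
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound file header
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def _make_docm_with_macro() -> bytes:
    """Constructed Office Open XML container that carries a VBA project stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0fake-vba-project")
    return buf.getvalue()


def _make_archive_with_exe() -> bytes:
    """Constructed ZIP whose only member is an executable with a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.pdf.exe", b"MZ\x90\x00fake-pe")
    return buf.getvalue()


# Constructed sample set standing in for one mailbox's attachments.
SAMPLES = {
    "quote.pdf": b"%PDF-1.4\n1 0 obj << /S /URI /URI (http://example.invalid/dl) >> endobj\n",
    "order.docm": _make_docm_with_macro(),
    "report.doc": OLE_MAGIC + b"\x00" * 24,
    "scan.zip": _make_archive_with_exe(),
    "notes.txt": b"hello",
}


def triage_attachment(name: str, data: bytes) -> list:
    """Return the reasons an attachment matches one of the lure patterns described in the article."""
    reasons = []
    ext = os.path.splitext(name)[1].lower()

    # PDF lure: the document itself is benign, the danger is the embedded download link.
    if data.startswith(b"%PDF") and b"/URI" in data:
        reasons.append("pdf-with-external-link")

    # Modern Office files and archives are both ZIP containers; inspect the member list.
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            members = z.namelist()
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            reasons.append("office-document-with-macro")
        exe_members = [m for m in members if os.path.splitext(m)[1].lower() in EXEC_EXTS]
        if exe_members:
            reasons.append("archive-contains-executable")
        # "invoice.pdf.exe" style names: the stem still has an extension of its own.
        if any(os.path.splitext(os.path.splitext(m)[0])[1] for m in exe_members):
            reasons.append("executable-with-double-extension")

    # Legacy binary Office formats store macros in compressed OLE streams, so this
    # heuristic only escalates them for a dedicated macro parser rather than deciding itself.
    if data.startswith(OLE_MAGIC) and ext in {".doc", ".xls"}:
        reasons.append("legacy-office-binary-needs-macro-analysis")

    return reasons


def triage_all(samples: dict) -> dict:
    """Map every attachment name to its list of hold reasons (empty list = release)."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLES).items():
        print(f"{name:12s} -> {reasons or 'clean'}")
```

The double-extension check matters because the article's archive campaign delivers .EXE payloads, and an executable named to look like a document is the usual way such a payload survives a casual glance; a gateway that only looks at the outer archive's extension would release it.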
“Those credentials and other data collected by successful FormBook infections could be used for additional cybercrime activities including, but not limited to: identity theft, continued phishing operations, bank fraud, and extortion,” said FireEye.
The malware has been openly for sale on underground hacking forums since 2016. Researchers have now also determined that it downloads NanoCore, a remote access trojan (RAT) first identified in 2013 and widely sold on the dark web; NanoCore's author, Taylor Huddleston, was arrested in March 2017.
FireEye also noted that FormBook reads Windows’ ntdll.dll module from disk into memory and calls its exported functions directly, which renders API monitoring mechanisms ineffective.
“It also features a persistence method that randomly changes the path, filename, file extension and the registry key used for persistence. The malware author does not sell the builder, but only sells the panel, and then generates the executable files as a service,” researchers explained.
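Because the persistence location, filename, extension and registry key are all randomised, a detection rule that matches a fixed path or value name will not catch this family; what stays constant is the shape of the entry. The script below is an added example for this article, not FireEye's code or a published FormBook signature. It scores autorun entries on structural signals (executable in a user-writable directory, non-.exe extension, random-looking file stem and value name, autorun key outside the standard Run/RunOnce set) and flags anything over a threshold. The sample entries are constructed, the scoring weights and threshold are this example's own choices, and the helper names are hypothetical; in production the entries would come from an autorun enumerator rather than a literal list.

```python
import ntpath
import re
from collections import namedtuple

AutorunEntry = namedtuple("AutorunEntry", "key value_name command")

# Constructed autorun entries (not taken from a real FormBook sample).
SAMPLE_ENTRIES = [
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                 "OneDrive",
                 r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    AutorunEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                 "SecurityHealth",
                 r"C:\Windows\System32\SecurityHealthSystray.exe"),
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                 "q4vmd8",
                 r"C:\Users\alice\AppData\Roaming\Jh2aq\jh2aqcxw.com"),
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
                 "Kz7w",
                 r"C:\ProgramData\Ltr9m\ltr9mvb.pif"),
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
UNUSUAL_EXTS = {".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
STANDARD_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\runonce",
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
}
EXE_IN_COMMAND = re.compile(r'"?([^"]+?\.(?:exe|com|scr|pif|bat|cmd|vbs|js))\b', re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Heuristic for generated names: digits mixed into letters, or almost no vowels."""
    s = re.sub(r"[^a-z0-9]", "", name.lower())
    if len(s) < 4:
        return False
    has_digit = any(c.isdigit() for c in s)
    letters = sum(c.isalpha() for c in s)
    vowels = sum(c in "aeiou" for c in s)
    return (has_digit and letters > 0) or (letters >= 5 and vowels / letters < 0.2)


def executable_path(command: str):
    """Pull the program path out of a Run-key command line, quoted or not."""
    m = EXE_IN_COMMAND.match(command.strip())
    return m.group(1) if m else None


def score_entry(entry: AutorunEntry):
    """Return (score, reasons) for one autorun entry; weights are this example's own."""
    reasons = []
    path = (executable_path(entry.command) or entry.command).lower()
    stem, ext = ntpath.splitext(ntpath.basename(path))
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append(("user-writable-location", 1))
    if ext in UNUSUAL_EXTS:
        reasons.append(("non-exe-extension", 2))
    if looks_random(stem):
        reasons.append(("random-looking-filename", 2))
    if looks_random(entry.value_name):
        reasons.append(("random-looking-value-name", 1))
    if entry.key.lower() not in STANDARD_KEYS:
        reasons.append(("nonstandard-autorun-key", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def find_suspicious(entries, threshold: int = 3):
    """Entries whose combined score reaches the threshold, as (value_name, score, reasons)."""
    flagged = []
    for entry in entries:
        score, reasons = score_entry(entry)
        if score >= threshold:
            flagged.append((entry.value_name, score, reasons))
    return flagged


if __name__ == "__main__":
    for value_name, score, reasons in find_suspicious(SAMPLE_ENTRIES):
        print(f"{value_name}: score={score} {reasons}")
```

Scoring rather than hard-matching is deliberate: a legitimate updater living under AppData picks up one point and is left alone, while an entry that combines a random stem, a .pif or .com extension and a random value name crosses the threshold regardless of which key or directory the sample chose this time.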
Besides South Korea and the United States, the malware has hit targets in countries including Australia, Russia, France, the United Kingdom, Germany, Poland, Ukraine, the Netherlands, and Hungary. The archive campaign, meanwhile, targeted countries including South Korea, the United States, India, Germany, Belgium, Australia, Japan, Sweden, Saudi Arabia and France.
The top 10 industry verticals affected by the Archive campaign are manufacturing 40%, Services/Consulting 17%, Telecom 13%, Financial Services 9%, Government Federal 5%, Energy Utilities 4%, Retail 4%, High-Tech 3%, Aerospace/Defense Contractor 3% and Education 2%.
Since FormBook targets Windows devices, it is high time for high-profile institutions to either upgrade their Windows OS to the latest version or move to a more secure one. Moreover, do not open unknown or suspicious emails, do not click links in emails from unknown senders, and avoid downloading attachments from email addresses you are not familiar with.