Formbook is a family of data-stealing and form-grabbing malware often described as Malware-as-a-Service (MaaS). Since early 2016, its authors have offered Formbook variants via online hacking forums, frequently with surprisingly mundane subscription pricing models that closely mirror those of legitimate software tools.

Formbook’s combination of capabilities, evasion techniques that can thwart automated dynamic analysis, and low price has allowed it to persist as a threat.

How Formbook works

Formbook’s developers use the Malware-as-a-Service business model. In this model, the malware developers don’t deploy the malware themselves; instead, they sell the malware binary and access to the command-and-control servers. The strategy has been to sell Formbook cheaply, to as many attackers as possible. After buying access to the service, an attacker gains this simple stealer malware but no way to distribute it. Attackers therefore typically also buy access to other underground services that distribute the malware, pack the binary, or embed it in a document. This diverse scene of attackers and underground services has led to an equally diverse set of distribution methods.

Formbook has often been distributed via Office documents (.RTF, .DOC, or .XLS) laden with malicious code that exploited a Microsoft Office vulnerability known as CVE-2017-8570.

The initial attack vector has often been malspam (malicious spam) campaigns that feature malicious URLs or executable attachments in spam emails. These emails often incorporate social engineering elements to make them appear as though they were sent from trustworthy sources such as shipping agencies, banking institutions, or even public health authorities.
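The delivery pattern described above (executable or Office-document attachments, sent under a trusted-source lure) can be scored at the mail gateway. The following is an added example written for this page, not code from the original article or from VMRay; the message records, the internal domain, the lure keywords and the extra executable extensions are constructed assumptions.

```python
import os
from dataclasses import dataclass

# Attachment types the article names as Formbook delivery vehicles.
# .exe comes from the article; the other executable extensions are an assumption.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com"}
OFFICE_EXT = {".rtf", ".doc", ".xls"}  # documents used to carry CVE-2017-8570 exploits

# Trusted-source themes the article says the lures impersonate (keyword list is an assumption).
LURE_KEYWORDS = ("health", "shipping", "courier", "bank", "government")


@dataclass
class Message:
    sender: str         # envelope/From address
    display_name: str   # From header display name
    subject: str
    attachments: list   # attachment file names


def triage(msg: Message, internal_domain: str = "example.com") -> list:
    """Return a list of reasons the message deserves analyst review (empty if none)."""
    reasons = []
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    external = sender_domain != internal_domain.lower()

    for name in msg.attachments:
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXT:
            reasons.append(f"executable attachment: {name}")
        elif ext in OFFICE_EXT:
            reasons.append(f"Office document attachment (CVE-2017-8570 vector): {name}")

    # A trusted-source theme combined with an external sender is the social-engineering tell.
    lure_text = f"{msg.display_name} {msg.subject}".lower()
    if external and any(word in lure_text for word in LURE_KEYWORDS):
        reasons.append("external sender using trusted-source lure")
    return reasons


# Constructed sample messages modelled on the lures the article describes.
SAMPLE_MESSAGES = [
    Message("alerts@health-notice.test", "Public Health Authority",
            "Government Response to Coronavirus Covid-19", ["MyHealth.exe"]),
    Message("invoices@courier-desk.test", "Shipping Agency",
            "Delivery notice", ["Consignment.rtf"]),
    Message("alice@example.com", "Alice", "Lunch on Friday?", ["menu.pdf"]),
]


def triage_all(messages=SAMPLE_MESSAGES) -> dict:
    """Map each subject to its triage reasons; only flagged messages are included."""
    return {m.subject: r for m in messages if (r := triage(m))}
```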

When a Formbook binary is executed, the malware quickly injects itself into a range of processes while installing function hooks to harvest keystrokes or steal clipboard contents and siphon data from HTTP sessions. Formbook can also follow commands from remote command and control servers, remotely performing actions such as executing files, harvesting passwords from local user cookies, disabling the task manager, capturing screenshots, and even restarting the system.

History of Formbook

The initial version of Formbook was identified by security researchers in 2016. This earliest prototype was a simple form-grabber tool advertised and sold via hacker forums by a user named “Sl4ID3R.” The earliest versions of Formbook sold at $150 for an annual subscription.

By mid-2017, Formbook’s inexpensive entry point had solidified it as a popular choice among cybercriminals, and it became a regular component of information-stealing campaigns.

In late 2017, malware distributors were increasingly using Formbook to target larger and better-protected entities, including defense, aerospace, and manufacturing sectors.

In 2020, a significant surge of new Formbook infections stemmed from distributors who took advantage of the COVID-19 pandemic and relied on socially engineered email campaigns that impersonated public health authorities. These emails contained subject lines such as “Government Response to Coronavirus Covid-19” and held malicious attachments like “MyHealth.exe”.
