FormBook Campaigns Target U.S., South Korea

Various industries in the United States and South Korea were targeted during the third quarter of the year in several high-volume FormBook distribution campaigns, FireEye reports.

As part of these campaigns, the attackers used various delivery mechanisms, including PDF documents containing download links, DOC and XLS files with malicious macros, and archive files containing executables.

The security researchers noticed that the PDF and DOC/XLS documents were mainly used to target organizations in the U.S., while the archives were used both in the U.S. and South Korea attacks. Impacted sectors included aerospace, defense contractors, and manufacturing.

The attacks were aimed at infecting victims’ computers with the FormBook information stealer, a piece of malware that has been sold on various hacking forums since early 2016 and that has recently seen an increase in activity.

FormBook was designed to steal a variety of information from the infected machine, including keystrokes, clipboard contents, HTTP/HTTPS/SPDY/HTTP2 forms and network requests, passwords from browsers and email clients, and screenshots, and send it to the command and control (C&C) server.

To perform its malicious routines, the malware injects itself into various processes and installs the function hooks it needs to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. Furthermore, the malware can execute commands received from the C&C to download and execute files, start processes, shut down and reboot the system, and steal cookies and local passwords.

The threat typically uses C&C domains from newer generic top-level domains (gTLDs) such as .site, .website, .tech, .online, and .info. The domains associated with the malware’s recent activity have been registered using the WhoisGuard privacy protection service, while the server infrastructure is hosted by a Ukrainian company, FireEye discovered.

The campaigns employing PDF files to distribute the malware were using FedEx and DHL shipping/package delivery themes and a document-sharing theme. The documents, however, don’t contain malicious code, but include a link to download the payload. The malicious links recorded 716 hits across 36 countries, with the U.S. being affected the most (71% of attacks).

The email campaigns distributing FormBook via DOC and XLS files were using malicious macros for delivery. As soon as the user enabled the macro, a download URL retrieved an executable file with a PDF extension. Most of the emails targeted the United States (61% of attacks), with aerospace organizations and defense contractors being hit the most.

Emails carrying archive attachments (ZIP, RAR, ACE, and ISO) accounted for the highest distribution volume and leveraged a broad range of business-related subject lines, often regarding payment or purchase orders. Most of the attacks targeted organizations in South Korea (31%) and the U.S. (22%), with the manufacturing industry being impacted the most.
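The three delivery mechanisms just described (archives carrying executables, DOC/XLS files with macros, and an executable fetched with a .pdf extension) can each be caught at the mail gateway or download proxy by looking at file content rather than file name. The script below is an added example for this article, not FireEye's code: it identifies a file by its magic bytes, lists executable members of ZIP attachments, defers RAR/ACE/ISO archives to sandbox inspection (the standard library cannot open them), applies a byte-search heuristic for a VBA project in legacy Office documents, and reports executables whose extension claims otherwise. The sample files are constructed stand-ins; the macro check is a quick heuristic, and a proper parser such as oletools should be used in production.

```python
"""Triage attachments/downloads against the FormBook delivery patterns in the
article. Added example; file signatures are the standard magic values, the
sample inputs are constructed and are not real malware."""
import io
import os
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
ARCHIVE_EXTS = {".zip", ".rar", ".ace", ".iso"}   # attachment types named in the report
OFFICE_EXTS = {".doc", ".xls"}                    # legacy OLE-based Office formats


def sniff(data: bytes) -> str:
    """Identify a file by its magic bytes, ignoring the name and extension."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"Rar!\x1a\x07"):
        return "rar"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole"
    if data[7:14] == b"**ACE**":
        return "ace"
    if data[0x8001:0x8006] == b"CD001":
        return "iso"
    return "unknown"


def _ext(name: str) -> str:
    return os.path.splitext(name.lower())[1]


def triage(name: str, data: bytes) -> list:
    """Return a list of human-readable findings for one file (empty = nothing seen)."""
    findings = []
    kind, ext = sniff(data), _ext(name)

    # Pattern 3: executable content served under a non-executable extension (e.g. .pdf)
    if kind == "pe" and ext and ext not in EXECUTABLE_EXTS:
        findings.append(f"executable content with non-executable extension {ext}")

    # Pattern 2: legacy Office document whose raw bytes contain a VBA stream name.
    # Heuristic only: OLE directory entries store names as UTF-16LE.
    if kind == "ole" and ext in OFFICE_EXTS:
        if "_VBA_PROJECT".encode("utf-16-le") in data:
            findings.append("Office document contains a VBA project (macros)")

    # Pattern 1: archive attachment. ZIP members can be listed here; other
    # formats are handed to a sandbox/unpacker.
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                execs = [m for m in zf.namelist() if _ext(m) in EXECUTABLE_EXTS]
        except zipfile.BadZipFile:
            execs = []
            findings.append("malformed zip")
        if execs:
            findings.append("archive contains executable: " + ", ".join(execs))
    elif kind in {"rar", "ace", "iso"} or ext in ARCHIVE_EXTS:
        label = kind if kind != "unknown" else ext
        findings.append(f"{label} archive: inspect contents in a sandbox before delivery")
    return findings


# ---- constructed sample inputs (not real files) ----
def _fake_pe() -> bytes:
    # DOS header magic plus padding; not a runnable program
    return b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode"


def _zip_with_exe() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PO-4471.exe", _fake_pe())
    return buf.getvalue()


def _doc_with_vba() -> bytes:
    # OLE magic followed by a UTF-16LE stream name; not a valid compound document,
    # just enough to exercise the heuristic above
    return (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504
            + "_VBA_PROJECT".encode("utf-16-le"))


SAMPLES = {
    "invoice.pdf": _fake_pe(),          # executable with a .pdf extension
    "order.zip": _zip_with_exe(),       # archive carrying an executable
    "quote.doc": _doc_with_vba(),       # legacy document with a VBA project
    "notice.pdf": b"%PDF-1.4\n%benign\n",  # a genuine (empty) PDF
}


def run_triage(samples=SAMPLES) -> dict:
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in run_triage().items():
        print(name, "->", findings or "clean")
```

Checking content rather than extension is what makes the third pattern visible: the download URL in the macro campaign returned a PE file named as a PDF, which a name-based filter would have passed.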

The security researchers also note that FormBook was observed over the past few weeks downloading other malware families such as NanoCore.

Brad Duncan, Palo Alto Networks threat intelligence analyst and handler at the SANS Internet Storm Center, says that some of the analyzed post-infection traffic was identified as belonging to the Punkey point-of-sale (POS) malware rather than FormBook. That malware was distributed through RAR archives attached to fake FedEx delivery notices.

“While FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use, affordable pricing structure, and open availability make [it] an attractive option for cyber criminals of varying skill levels. The credentials and other data harvested by successful FormBook infections could be used for additional cyber-crime activities including, but not limited to: identity theft, continued phishing operations, bank fraud and extortion,” FireEye concludes.

Related: FormBook Infostealer Attacks Ramping Up

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
