Various industries in the United States and South Korea were targeted during the third quarter of the year in several high-volume FormBook distribution campaigns, FireEye reports.
As part of these campaigns, the attackers used various delivery mechanisms, including PDF documents containing download links, DOC and XLS files with malicious macros, and archive files containing executables.
The security researchers noticed that the PDF and DOC/XLS documents were mainly used to target organizations in the U.S., while the archives were used both in the U.S. and South Korea attacks. Impacted sectors included aerospace, defense contractors, and manufacturing.
The attacks were aimed at infecting victims’ computers with the FormBook information stealer, a piece of malware that has been sold on various hacking forums since early 2016 and which has recently seen an increase in activity.
FormBook was designed to steal a variety of information from the infected machine, including keystrokes, clipboard contents, HTTP/HTTPS/SPDY/HTTP2 forms and network requests, passwords from browsers and email clients, and screenshots, and send it to the command and control (C&C) server.
To perform its malicious routines, the malware injects itself into various processes and installs the function hooks it needs to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. Furthermore, the malware can execute commands received from the C&C to download and execute files, start processes, shut down and reboot the system, and steal cookies and local passwords.
The threat typically uses C&C domains from newer generic top-level domains (gTLDs) such as .site, .website, .tech, .online, and .info. The domains associated with the malware’s recent activity have been registered using the WhoisGuard privacy protection service, while the server infrastructure is hosted by a Ukrainian company, FireEye discovered.
The campaigns employing PDF files to distribute the malware were using FedEx and DHL shipping/package delivery themes and a document-sharing theme. The documents, however, don’t contain malicious code, but include a link to download the payload. The malicious links recorded 716 hits across 36 countries, with the U.S. being affected the most (71% of attacks).
The email campaigns distributing FormBook via DOC and XLS files relied on malicious macros for delivery. As soon as the user enabled the macro, a download URL retrieved an executable file disguised with a PDF extension. Most of the emails targeted the United States (61% of attacks), with aerospace organizations and defense contractors being hit the most.
Emails carrying archive attachments (ZIP, RAR, ACE, and ISO) accounted for the highest distribution volume and leveraged a broad range of business-related subject lines, often regarding payment or purchase orders. Most of the attacks targeted organizations in South Korea (31%) and the U.S. (22%), with the manufacturing industry being impacted the most.
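The traits described above (an executable served under a .pdf name, archive attachment types, and download hosts on the newer gTLDs the C&C infrastructure favoured) translate directly into a triage check. The following is an added example written for this article, not code from FireEye or the cited reports; the event format, hostnames and file bytes are constructed placeholders, not real indicators.

```python
from typing import Dict, List
from urllib.parse import urlparse

# Traits reported for the campaigns: archive attachment types, the newer gTLDs
# used for C&C, and executable content hiding behind a document extension.
ARCHIVE_EXTS = {".zip", ".rar", ".ace", ".iso"}
WATCHED_TLDS = {"site", "website", "tech", "online", "info"}

def content_type_from_magic(head: bytes) -> str:
    """Classify a file by its leading bytes rather than by its name."""
    if head.startswith(b"MZ"):
        return "pe"          # Windows executable (PE/DOS header)
    if head.startswith(b"%PDF"):
        return "pdf"
    return "unknown"

def triage(event: Dict) -> List[str]:
    """Return the reasons a download/attachment event deserves analyst review.

    Event keys are an assumption of this example: url, filename, head (first bytes).
    """
    findings = []
    name = event["filename"].lower()
    ext = name[name.rfind("."):] if "." in name else ""
    kind = content_type_from_magic(event.get("head", b""))
    # An executable whose name claims to be a document (e.g. payload.pdf that starts with MZ)
    if kind == "pe" and ext != ".exe":
        findings.append(f"PE content with {ext or 'no'} extension")
    if ext in ARCHIVE_EXTS:
        findings.append(f"archive attachment ({ext})")
    host = urlparse(event.get("url", "")).hostname or ""
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in WATCHED_TLDS:
        findings.append(f"download host on watched gTLD .{tld}")
    return findings

# Constructed sample events; hostnames and bytes are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    {"url": "http://example-invoice.site/dl/Invoice.pdf", "filename": "Invoice.pdf", "head": b"MZ\x90\x00"},
    {"url": "http://files.example.com/shipping.pdf", "filename": "shipping.pdf", "head": b"%PDF-1.7"},
    {"url": "mail-attachment", "filename": "PO_4471.rar", "head": b"Rar!\x1a\x07"},
]

def run(events=SAMPLE_EVENTS) -> Dict[str, List[str]]:
    return {e["filename"]: triage(e) for e in events}

if __name__ == "__main__":
    for name, reasons in run().items():
        print(name, "->", reasons or ["no findings"])
```

The gTLD check is a weak signal on its own and is meant to add weight to an extension/content mismatch or an archive attachment, not to block traffic by itself.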
The security researchers also note that FormBook was observed over the past few weeks downloading other malware families such as NanoCore.
Brad Duncan, a Palo Alto Networks threat intelligence analyst and handler at the SANS Internet Storm Center, says that some of the analyzed post-infection traffic was identified as belonging to the Punkey Point of Sale (POS) malware rather than FormBook. That malware was distributed through RAR archives attached to fake FedEx delivery notices.
“While FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use, affordable pricing structure, and open availability make [it] an attractive option for cyber criminals of varying skill levels. The credentials and other data harvested by successful FormBook infections could be used for additional cyber-crime activities including, but not limited to: identity theft, continued phishing operations, bank fraud and extortion,” FireEye concludes.