FormBook Infostealer Attacks Ramping Up

Attacks involving a rather unknown information stealing malware family dubbed “FormBook” have become increasingly frequent recently, fueled by the threat’s cheap price and the availability of a cracked builder, Arbor Networks security researchers warn.

The immediate availability of FormBook on hacker forums and the release of said cracked builder have resulted in numerous malware samples surfacing recently. The threat was designed to steal data from various web browsers and applications and also contains a keylogger, in addition to the ability to take screenshots.

The malware features a complicated, busy malware code and also uses obfuscation to prevent detection and hinder analysis. Furthermore, it doesn’t use Windows API calls and doesn’t have obvious strings, Arbor Networks says. The researchers have analyzed version 2.9 of FormBook, but say that references to versions 2.6 and 3.0 are also made.

FormBook stores its data encrypted in various locations called “encbufs,” which vary in size and which are referenced with a variety of functions. Every encbuf contains a normal x86 function prologue and two building blocks that are decryption functions, one of which is meant to iterate through the encrypted data and copy only select portions to the plaintext data, the researchers say.

The malware makes calls to the Windows APIs at runtime via function name hashing, using the CRC32 hashing algorithm. For some calls, the hashes are hardcoded into the code, while for others the malware fetches the API hash from an encbuf. The API calls that map to network related functions (socket, htons, WSAStartup, send, connect, and closesocket) have their hashes stored in a separate encbuf.

The malware stores command and control (C&C) URLs in a “config” encbuf and uses a convoluted mechanism spread out over multiple functions to access them. It first determines which process the injected FormBook code is running in, then proceeds to decrypt the config encbuf, after which it moves to decrypting the C&C URLs as well.

Depending on the injected process, the malware can reference to up to six C&Cs, but the security researchers discovered that some of the calls are made to decoy C&Cs. Although the domains don’t overlap from one sample to another, all appear to be registered (albeit by different entities), only some of the domains appear to contain benign looking content. Most of the domains return the HTTP error “page not found,” and the security researchers believe they are decoy domains.

While analyzing the malware’s C&C communication, the researchers also discovered messages sent to the C&C include an initial call, results of a task, screenshots, key logger logs, and form logger logs.

“FormBook is an infostealing malware that we’ve been seeing more and more of recently. Based on samples in our malware zoo and search engine results, it seems to have gotten its start sometime in early 2016. With a cheap price tag (a few hundred dollars), general availability (for sale on Hack Forums), and a supposed release of a “cracked builder,” there are quite a few FormBook samples and campaigns in the wild and we only expect to see more,” Arbor Networks concludes.

Related: Locky Ransomware Campaign Ramps Up