Connect with us

Hi, what are you looking for?


Malware & Threats

FormBook Infostealer Attacks Ramping Up

Attacks involving a rather unknown information stealing malware family dubbed “FormBook” have become increasingly frequent recently, fueled by the threat’s cheap price and the availability of a cracked builder, Arbor Networks security researchers warn.

Attacks involving a rather unknown information stealing malware family dubbed “FormBook” have become increasingly frequent recently, fueled by the threat’s cheap price and the availability of a cracked builder, Arbor Networks security researchers warn.

The immediate availability of FormBook on hacker forums and the release of said cracked builder have resulted in numerous malware samples surfacing recently. The threat was designed to steal data from various web browsers and applications and also contains a keylogger, in addition to the ability to take screenshots.

The malware features a complicated, busy malware code and also uses obfuscation to prevent detection and hinder analysis. Furthermore, it doesn’t use Windows API calls and doesn’t have obvious strings, Arbor Networks says. The researchers have analyzed version 2.9 of FormBook, but say that references to versions 2.6 and 3.0 are also made.

FormBook stores its data encrypted in various locations called “encbufs,” which vary in size and which are referenced with a variety of functions. Every encbuf contains a normal x86 function prologue and two building blocks that are decryption functions, one of which is meant to iterate through the encrypted data and copy only select portions to the plaintext data, the researchers say.

The malware makes calls to the Windows APIs at runtime via function name hashing, using the CRC32 hashing algorithm. For some calls, the hashes are hardcoded into the code, while for others the malware fetches the API hash from an encbuf. The API calls that map to network related functions (socket, htons, WSAStartup, send, connect, and closesocket) have their hashes stored in a separate encbuf.

The malware stores command and control (C&C) URLs in a “config” encbuf and uses a convoluted mechanism spread out over multiple functions to access them. It first determines which process the injected FormBook code is running in, then proceeds to decrypt the config encbuf, after which it moves to decrypting the C&C URLs as well.

Depending on the injected process, the malware can reference to up to six C&Cs, but the security researchers discovered that some of the calls are made to decoy C&Cs. Although the domains don’t overlap from one sample to another, all appear to be registered (albeit by different entities), only some of the domains appear to contain benign looking content. Most of the domains return the HTTP error “page not found,” and the security researchers believe they are decoy domains.

Advertisement. Scroll to continue reading.

While analyzing the malware’s C&C communication, the researchers also discovered messages sent to the C&C include an initial call, results of a task, screenshots, key logger logs, and form logger logs.

“FormBook is an infostealing malware that we’ve been seeing more and more of recently. Based on samples in our malware zoo and search engine results, it seems to have gotten its start sometime in early 2016. With a cheap price tag (a few hundred dollars), general availability (for sale on Hack Forums), and a supposed release of a “cracked builder,” there are quite a few FormBook samples and campaigns in the wild and we only expect to see more,” Arbor Networks concludes.

Related: Locky Ransomware Campaign Ramps Up

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...