New Distribution Method Makes FormBook Malware More Insidious

The data-stealing malware FormBook made a large impact on the U.S. and South Korean aerospace, defense, and manufacturing sectors last summer. Now, researchers at Menlo Security are reporting another wave of FormBook attacks directed at the financial and information services sectors in the United States and Middle East. These new attacks have the same outcome, though a new delivery method could broaden the overall impact of the malware.


The multistage attack starts with a malicious .docx file attached to a phishing e-mail. Menlo Security does not say what these e-mails purported to be about, but the cybersecurity firm FireEye notes that in earlier attacks the .docx and PDF lures spoofed documents sent by shipping companies.

Unlike the earlier attacks, these newer malicious Microsoft® Word files do not require the victim to click a link or enable macros. Instead, the document contains a Uniform Resource Locator (URL) embedded in an HTML-style frameset. When the document is opened, Word resolves that frame automatically and contacts the attackers' command-and-control (C2) server, which returns a malicious Rich Text Format (.RTF) file.
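To see what this first stage looks like on disk, here is an added example (not code from Menlo Security, FireEye or the FormBook operators) that parses a .docx and flags any relationship Word will resolve against a remote host on open. A .docx is a zip archive of XML parts; every reference outside the package is declared in a .rels part with TargetMode="External", and the frameset trick appears as a relationship of type frame under word/_rels/webSettings.xml.rels. The sample documents, their placeholder URLs and the decision to treat attachedTemplate (remote template injection) as a second auto-fetch type are assumptions of the example, not details from the article; the check goes slightly beyond the article's case so that it also catches other external references.

```python
"""
Flag .docx files that make Word contact a remote host as soon as they are opened.

Added example for this article; not code from Menlo Security, FireEye or the
FormBook operators.  A .docx is a zip of XML parts, and every reference outside
the package is declared in a *.rels part as a <Relationship TargetMode="External">.
The frameset trick described above appears as a relationship of type "frame" in
word/_rels/webSettings.xml.rels.  The sample documents below are constructed in
memory and their URLs are placeholders, not real indicators.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Relationship types Word resolves on open without user interaction.  "frame" is
# the article's case; "attachedTemplate" (remote template injection) is added on
# the assumption that the same check should cover it, not from the article.
AUTO_FETCH_TYPES = {"frame", "attachedTemplate"}
# External targets that are only followed if the user clicks them.
CLICK_TYPES = {"hyperlink"}


def find_external_relationships(docx_bytes):
    """Return one dict per external relationship in the package, with a verdict."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel_type in AUTO_FETCH_TYPES:
                    verdict = "auto-fetch on open"
                elif rel_type in CLICK_TYPES:
                    verdict = "needs user click"
                else:
                    verdict = "external, review manually"
                findings.append({"part": part, "id": rel.get("Id"), "type": rel_type,
                                 "target": rel.get("Target"), "verdict": verdict})
    return findings


def is_suspicious(docx_bytes):
    """True if opening the file would make Word reach out to a remote host by itself."""
    return any(f["verdict"] == "auto-fetch on open"
               for f in find_external_relationships(docx_bytes))


# --- construction of sample documents (constructed test data, not real lures) ---

CONTENT_TYPES = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '<Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/>'
    '</Types>')


def _rel(rid, rtype, target, external=False):
    """One <Relationship> element; external=True sets TargetMode="External"."""
    mode = ' TargetMode="External"' if external else ""
    return '<Relationship Id="%s" Type="%s/%s" Target="%s"%s/>' % (
        rid, R_NS, rtype, target, mode)


def _rels(*entries):
    return '<Relationships xmlns="%s">%s</Relationships>' % (RELS_NS, "".join(entries))


def build_sample_docx(frame_url=None, hyperlink_url=None):
    """Build a minimal .docx; frame_url adds the auto-loading frameset, hyperlink_url a plain link."""
    doc_rels = [_rel("rId1", "webSettings", "webSettings.xml")]
    if hyperlink_url:
        doc_rels.append(_rel("rId2", "hyperlink", hyperlink_url, external=True))
    frameset, web_rels = "", []
    if frame_url:
        frameset = '<w:frameset><w:frame><w:sourceFileName r:id="rId1"/></w:frame></w:frameset>'
        web_rels = [_rel("rId1", "frame", frame_url, external=True)]
    parts = {
        "[Content_Types].xml": CONTENT_TYPES,
        "_rels/.rels": _rels(_rel("rId1", "officeDocument", "word/document.xml")),
        "word/document.xml": ('<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>'
                              'Shipping notice</w:t></w:r></w:p></w:body></w:document>' % W_NS),
        "word/_rels/document.xml.rels": _rels(*doc_rels),
        "word/webSettings.xml": ('<w:webSettings xmlns:w="%s" xmlns:r="%s">%s</w:webSettings>'
                                 % (W_NS, R_NS, frameset)),
        "word/_rels/webSettings.xml.rels": _rels(*web_rels),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx(frame_url="http://stage2.example.invalid/doc.rtf")
    for finding in find_external_relationships(lure):
        print(finding)
    print("suspicious:", is_suspicious(lure))
```

The scan runs on the attachment before Word ever touches the network, so it does not depend on the patch state of the endpoint. Because the XML comes from the attacker, a production version should parse it with defusedxml rather than the standard ElementTree, and any verdict of "external, review manually" (an oleObject or image with an external target, for instance) deserves a look even though it is not the frameset case.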

The second stage abuses a “design behavior in RTF documents”: when Word opens an .RTF file, it writes any embedded objects into the user's Windows %TEMP% directory. The victim never has to open or run those dropped objects, because the attackers exploit a remote code execution vulnerability in Office (CVE-2017-8570, discussed below) that causes the object dropped into %TEMP% to be executed. That object then installs the FormBook malware.

Once installed, FormBook starts working to steal a variety of user data and “is capable of keystroke logging, stealing clipboard contents and extracting data from HTTP sessions … the malware can also execute commands from a [C2] server such as instructing the malware to download more files, start processes, shutdown and reboot a system and steal cookies and local passwords.” It also contains measures to make itself persistent, and it resists detection by antivirus software.

Writing about the 2017 attacks for Threatpost, Tom Spring noted that FormBook differs from other data-stealing malware in that it is sold as a service: its developer rents it cheaply to threat actors who may lack the skills to build and run such a tool themselves. That availability greatly increases the risk of attack by putting the tool in more cybercriminals' hands, and combined with the updated delivery method, this iteration of FormBook could give them a data windfall.

The critical vulnerability exploited in the second stage (CVE-2017-8570) was patched by Microsoft in July 2017, so if you or your IT staff apply Microsoft updates regularly, the execution step of this chain should fail on your machines; if you are unsure, it does not hurt to double-check. One caveat is worth keeping in mind: the frameset download in the first stage relies on ordinary Word behavior rather than a vulnerability, so a fully patched copy of Word will still fetch the remote .RTF, and the patch breaks the chain at its last step, not its first. Filtering Office attachments that reference external resources, and watching for Office processes that open outbound connections, closes that gap regardless of which exploit the operators use next.