FireEye Warns of Expanding FormBook Malware Attacks

Security firm FireWay issued a report on Oct. 5 warning of a new outbreak of FormBook malware. The new malware campaign has been specifically aimed at the U.S and South Korea, with aerospace, defense and manufacturing vendors being the primary targets.

Making things particularly challenging with the FormBook attack is that the malware is sold as a service that can be bought by anyone.

“Because of the affiliate model (or Malware-as-a-Service) set up and its open availability on the web, it is difficult to determine the attack origins, and could be attributed to anyone who has subscribed to the service,” Randi Eitzman, FireEye Analyst, told eSecurityPlanet.

FormBook is being distributed via different document formats, including PDF, DOC and archive files that have some form of download link, macro or executable payload.

For the PDF based version of the new FormBook attack detected by FireEye, the attackers made use of FedEx and DHL shipping/package delivery as the theme, with fake package delivery notifications.

“The malware injects itself into various processes and installs function hooks to log keystrokes, steal clipboard contents, and extract data from HTTP sessions,” FireEye’s research explains. “The malware can also execute commands from a command and control (C2) server.”

The malware abuses existing functionally and known issues, rather than exploiting any new zero-day vulnerabilities. Eitzman said that the FormBook malware/payload itself does not target a specific vulnerability.

While FireEye has able to determine some of the impact from the new FormBook attacks, Eitzman noted that the total number of “victims” cannot be determined as the activity observed and reported on is based on FireEye telemetry data (based on detections of the FormBook malware sample contained within the report).

“We cannot accurately determine the totality of scope (or “success rate”) of the campaign, as it was widespread and likely affected organizations that are not protected by FireEye technology,” he added.

From a detection perspective, Eitzman said that the FormBook malware sample provided in the report is detected by some of the security technologies that contribute to VirusTotal.

“However,?it must be noted that FormBook will likely continue to be distributed via a variety of means and used in conjunction with packers that obfuscate the payload,?so the rate of detection will not remain constant,” Eitzman said.

For end-user, there are several things that can be done to help limit the risk of being exploited by FormBook malware,?including using well-known security best practices.

“Aside from maintaining updated OS patches and running an endpoint protection service, it is crucial for end users to practice good cyber hygiene, like avoiding opening suspicious or unsuspected email attachments from known or unknown sources, and avoiding clicking hyperlinks within such emails or attachments,” he said.

Sean Michael Kerner is a senior editor at eSecurityPlanet and Follow him on Twitter @TechJournalist.

Sean Michael Kerner
Sean Michael Kerner
Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

Top Products

Top Cybersecurity Companies

Related articles