
FormBook Infostealer Malware

The malware tool, FormBook, has grown in popularity recently and has been spotted as part of several malware distribution campaigns. It can be purchased for a relatively low price and has many different functions and uses, such as keylogging, stealing data from applications and taking screenshots.

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.


Affected platforms

The following platforms are known to be affected:

Threat details

Once installed, the malware accepts commands from its command and control (C2) server that let an attacker shut down the machine, execute files, start processes and steal locally stored passwords. A more notable feature of the kit, which its creator calls the "Lagos Island method", disables user-mode hooking and Application Programming Interface (API) monitoring on the infected system, hampering security tools that rely on those hooks to observe its behaviour. The malware has been delivered through a number of file types and methods, including malicious links in .pdf files, macro-enabled .doc files and archive files (such as .zip and .rar) containing .exe payloads.


Threat updates

Date: 18 Apr 2018
Update: A new type of document attack has been observed delivering FormBook. This attack takes advantage of an unpatched vulnerability, CVE-2017-8570, that allows it to initiate malicious activity without macros being enabled. The initial document itself contains no malicious content and as such does not trigger any security products.


Remediation steps

  • Ensure users are aware of basic phishing practices (don't click on attachments from senders you don't recognise).
  • Maintain up-to-date anti-virus.
  • Be aware of files including PDF, DOC, XLS, ZIP, RAR, ACE, and ISO format attachments.
  • Monitor logs for indicators of compromise.
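As an added example of the attachment triage the steps above call for (not code from the alert or from NHS Digital), the following Python script flags mail attachments of the listed formats and looks inside zip attachments for the archive-with-.exe lure described in the threat details. The extension watchlist extends the alert's list with the macro-enabled Office variants (.docm/.xlsm) as an assumption, and only zip archives are inspected, since RAR, ACE and ISO need third-party parsers.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Formats the alert tells staff to watch for, plus macro-enabled Office variants
# (.docm/.xlsm) added as an assumption; a triage watchlist, not a FormBook signature.
RISKY_EXTENSIONS = {".pdf", ".doc", ".docm", ".xls", ".xlsm", ".zip", ".rar", ".ace", ".iso"}
# Windows executable extensions; .exe is the one named in the alert.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}

def inspect_zip(data: bytes) -> list[str]:
    """Look inside a zip attachment for executable payloads; returns review reasons."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                name, ext = info.filename, PurePosixPath(info.filename).suffix.lower()
                if info.flag_bits & 0x1:  # bit 0 = traditional zip encryption
                    reasons.append(f"archive member {name!r} is encrypted and cannot be scanned")
                elif ext in EXECUTABLE_EXTENSIONS or zf.open(info).read(2) == b"MZ":
                    # The extension check catches the plain .exe lure; the MZ header
                    # check catches an executable renamed to look harmless.
                    reasons.append(f"archive member {name!r} looks like a Windows executable")
    except zipfile.BadZipFile:
        reasons.append("attachment claims to be a zip archive but does not parse as one")
    return reasons

def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an e-mail attachment should be held for review (empty = none found)."""
    reasons = []
    ext = PurePosixPath(filename).suffix.lower()
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"attachment type {ext} is on the watchlist")
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"attachment is a Windows executable ({ext})")
    if ext == ".zip":
        reasons.extend(inspect_zip(data))
    return reasons

def build_sample_zip() -> bytes:
    """Constructed sample: a zip carrying an MZ-headed stub, mimicking the archive-with-.exe lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ" + b"\x00" * 62)  # header stub only, not a real program
        zf.writestr("readme.txt", b"please open the attached invoice")
    return buf.getvalue()
```

Running `triage_attachment("invoice.zip", build_sample_zip())` returns both the watchlist hit for the .zip and the executable finding for the nested invoice.exe; feed it real attachments from a mail gateway hook to hold flagged messages for review.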


CVE Vulnerabilities

Last edited: 17 February 2020 11:31 am