FormBook is an infostealer malware that was first discovered in 2016. It steals various types of data from infected systems, including credentials cached in web browsers, screenshots, and keystrokes. It also has the ability to act as a downloader, enabling it to download and execute additional malicious files. It operates under a Malware as a Service (MaaS) model, where cybercriminals can purchase access to the malware for a relatively low price.
According to Check Point’s 2022 Cybersecurity Report, FormBook was the third most prolific malware in 2021, attacking 5% of corporate networks. It was also the most prolific infostealer malware, accounting for 16% of attacks worldwide.
FormBook’s business model is based on providing access to the malware for cheap without selling a means for delivering it to a target. Subscribers to FormBook also purchase a means of deploying the malware, such as embedding it in a malicious document contained within a phishing email. Since the malware itself is decoupled from the delivery mechanism, FormBook uses a variety of infection techniques, with phishing emails being the most common.
Once it achieves execution on an infected system, the FormBook malware unpacks its malicious functionality and injects its code into various processes. This malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware.
As a MaaS offering, FormBook malware can be deployed by various threat actors. With many different delivery mechanisms and threat actors behind FormBook attacks, individuals and organizations in any industry vertical could potentially be targeted by the malware.
However, it has been used in large-scale campaigns targeting particular industry verticals. For example in 2017, FormBook was used in campaigns targeting the defense and aerospace industries. In 2022 during the war between Russia and Ukraine, cyber threat actors used the malware to attack Ukrainian targets. Currently, it is assumed that XLoader malware is the successor of Formbook.
FormBook malware uses various techniques to infect computers and steal sensitive information from them. Some methods for managing the risk posed by FormBook malware include:
FormBook is a sophisticated infostealer malware with advanced evasion techniques. It obfuscates its initial payload and injects itself into legitimate processes to hide itself from detection and complicate the removal process. For this reason, FormBook malware is best removed by an endpoint security solution. These solutions can identify a FormBook infection on a computer and ensure that the malware’s presence is completely eliminated.
FormBook malware is one of the leading infostealer malware threats that organizations face today. Learn more about FormBook and the other leading threats of the current cyber threat landscape by checking out Check Points 2022 Cyber Security Report.
Check Point Harmony Endpoint provides protection against FormBook and other leading and zero-day threats to corporate endpoints. To learn more about Harmony Endpoint’s capabilities and why it is an essential component of a corporate endpoint security strategy, sign up for a free demo today.