What is FormBook Malware?

FormBook is an infostealer malware that was first discovered in 2016. It steals various types of data from infected systems, including credentials cached in web browsers, screenshots, and keystrokes. It also has the ability to act as a downloader, enabling it to download and execute additional malicious files. It operates under a Malware as a Service (MaaS) model, where cybercriminals can purchase access to the malware for a relatively low price.

According to Check Point’s 2022 Cybersecurity Report, FormBook was the third most prolific malware in 2021, attacking 5% of corporate networks. It was also the most prolific infostealer malware, accounting for 16% of attacks worldwide.


How Does it Work?

FormBook’s business model is based on providing access to the malware at low cost without selling a means of delivering it to a target. Subscribers to FormBook must separately obtain a means of deploying the malware, such as embedding it in a malicious document attached to a phishing email. Since the malware itself is decoupled from the delivery mechanism, FormBook arrives through a variety of infection techniques, with phishing emails being the most common.

Once it achieves execution on an infected system, the FormBook malware unpacks its malicious functionality and injects its code into various processes. This malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware.

As a MaaS offering, FormBook malware can be deployed by various threat actors. With many different delivery mechanisms and threat actors behind FormBook attacks, individuals and organizations in any industry vertical could potentially be targeted by the malware.

However, it has been used in large-scale campaigns targeting particular industry verticals. For example, in 2017, FormBook was used in campaigns targeting the defense and aerospace industries. In 2022, during the war between Russia and Ukraine, cyber threat actors used the malware to attack Ukrainian targets. XLoader malware is currently believed to be the successor of FormBook.

How to protect against FormBook Malware

FormBook malware uses various techniques to infect computers and steal sensitive information from them. Some methods for managing the risk posed by FormBook malware include:

  • Anti-Phishing Solutions: Phishing emails are the most common delivery mechanism for malware such as FormBook. Anti-phishing solutions that can identify and block emails containing obfuscated malicious content, such as FormBook malware, are essential for minimizing an organization’s malware risk.
  • Content Disarm and Reconstruction (CDR): One common delivery mechanism for FormBook malware is embedding it within a document sent to the intended target. CDR solutions can excise malicious functionality from an infected document and rebuild the sanitized document to send on to the intended recipient.
  • Endpoint Detection and Response (EDR): FormBook uses various techniques to evade detection and gain access to the sensitive information that it transmits to its operator. An EDR solution installed on an infected endpoint can help to identify the infection and initiate the process of remediating the malware infection.
  • Multi-Factor Authentication (MFA): Infostealers like FormBook are commonly designed to steal login credentials and grant attackers access to corporate online accounts. Deploying MFA across the enterprise makes it more difficult for an attacker to make use of the stolen credentials.
  • Zero Trust Security Model: A successful FormBook attack ends with the attacker in control of one or more of a target’s accounts. Implementing zero trust security principles and minimizing the access and permissions granted to any account help to limit the damage done by these account takeover attacks.
  • Employee Cyber Awareness Training: Phishing campaigns that deliver malware are designed to trick the recipient into executing the malware on their computer. Employee cybersecurity training can teach employees to recognize potential phishing attacks and respond appropriately to minimize the risk to themselves and the organization.

How Can FormBook Malware Be Removed?

FormBook is a sophisticated infostealer malware with advanced evasion techniques. It obfuscates its initial payload and injects itself into legitimate processes to hide itself from detection and complicate the removal process. For this reason, FormBook malware is best removed by an endpoint security solution. These solutions can identify a FormBook infection on a computer and ensure that the malware’s presence is completely eliminated.

FormBook Detection and Protection with Check Point

FormBook malware is one of the leading infostealer malware threats that organizations face today. Learn more about FormBook and the other leading threats of the current cyber threat landscape by checking out Check Point’s 2022 Cyber Security Report.

Check Point Harmony Endpoint provides protection against FormBook and other leading and zero-day threats to corporate endpoints. To learn more about Harmony Endpoint’s capabilities and why it is an essential component of a corporate endpoint security strategy, sign up for a free demo today.
