During the past few months, malware campaigns distributing a previously unknown infostealer have ramped up, according to reports by Arbor Networks, FireEye, and the Internet Storm Center (ISC SANS).
The malware is named FormBook and has been sold on an infamous underground hacking forum since mid-July.
Taking the three reports together, it is clear that FormBook's author, a user named ng-Coder, has hit a sweet spot: a low price combined with an acceptable feature set, which has several groups of cybercriminals flocking to his service.
According to FireEye researchers, the malware is not sold as a builder that crooks download to their own PCs to create unique FormBook samples, but as a PHP control panel.
Users can rent access to a hosted version of this panel, or they can buy it and host it on their own servers.
According to an ad seen by Bleeping Computer, the malware is rented for $29/week, $59/month, and $99/three months. Buying the panel for self-hosting costs $299.
The panel allows crooks to input the malware's desired settings and active features, and then lets buyers generate a FormBook sample.
According to analysis by Arbor and FireEye, FormBook's feature set is not particularly unique; the malware does not stand out from other infostealers currently on the market.
It does not even have an extension or plugin system, which puts it at the low end of the sophistication scale.
Below are FormBook's features, as confirmed by a FireEye analysis shown to Bleeping Computer today before publication.
These are slightly different from the capabilities listed in FormBook's ad. The ad hints that FormBook can extract passwords from some FTP clients, but neither Arbor nor FireEye has observed or documented this behavior.
Nonetheless, FireEye has also noted some features that are unusual.
One of the malware's more interesting features is that it reads Windows' ntdll.dll from disk into memory as a fresh copy, resolves the exports it needs from that copy, and calls them directly instead of going through the ntdll.dll image the loader mapped into the process. Because user-mode hooking and API-monitoring products typically patch the loaded image, their hooks are simply never executed; kernel-side visibility (kernel callbacks, for instance) is not affected by this trick. The malware author calls this technique the "Lagos Island method" (allegedly after a userland rootkit of that name).
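The defender-side mirror of that trick is to compare the first bytes of each ntdll.dll export as they sit on disk with the bytes of the same export in the loaded module: an inline hook shows up as a jump planted over the prologue, and the on-disk copy is what the malware ends up calling. The following is an added example written for this article, not code from FormBook, its author, or any of the vendors cited. It works on byte strings only; reading the file and the mapped module on a live Windows host is assumed to happen elsewhere, and the syscall numbers in the constructed samples are invented.

```python
# Added example: classify ntdll.dll export prologues (on-disk vs. in-memory)
# to spot user-mode inline hooks, and recover the syscall number carried by a
# clean x64 stub. Byte samples below are constructed for the example.
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

PROLOGUE_LEN = 8  # assumption: enough bytes to cover a 5- or 6-byte hook

# Constructed samples. A clean x64 syscall stub begins
#   4C 8B D1          mov r10, rcx
#   B8 xx xx 00 00    mov eax, <syscall number>
CLEAN_STUB = bytes.fromhex("4c8bd1b818000000")                # number 0x18 (invented)
HOOKED_STUB = bytes.fromhex("e9c0ffeeff") + CLEAN_STUB[5:]    # jmp rel32 over 5 bytes


@dataclass
class HookVerdict:
    export: str
    status: str                     # "clean", "jmp_rel32", "jmp_indirect", "modified"
    syscall_number: Optional[int]   # taken from the on-disk stub when decodable


def decode_syscall_number(stub: bytes) -> Optional[int]:
    """Return the imm32 of 'mov eax, imm32' in an x64 syscall stub, or None."""
    if len(stub) >= 8 and stub[:3] == b"\x4c\x8b\xd1" and stub[3] == 0xB8:
        return struct.unpack_from("<I", stub, 4)[0]
    return None


def classify_export(name: str, disk_bytes: bytes, mem_bytes: bytes) -> HookVerdict:
    """Compare the on-disk and in-memory prologue of one export."""
    disk = disk_bytes[:PROLOGUE_LEN]
    mem = mem_bytes[:PROLOGUE_LEN]
    if disk == mem:
        return HookVerdict(name, "clean", decode_syscall_number(disk))
    if mem[:1] == b"\xe9":            # jmp rel32: the classic 5-byte inline hook
        status = "jmp_rel32"
    elif mem[:2] == b"\xff\x25":      # jmp [rip+disp32]: 6-byte indirect hook
        status = "jmp_indirect"
    else:
        status = "modified"
    # The on-disk copy is what a "Lagos Island"-style caller uses, so report
    # the syscall number that copy carries.
    return HookVerdict(name, status, decode_syscall_number(disk))


def scan(exports: Iterable[Tuple[str, bytes, bytes]]) -> List[HookVerdict]:
    """exports: (name, on-disk prologue, in-memory prologue) triples."""
    return [classify_export(n, d, m) for n, d, m in exports]


def hooked_exports(exports: Iterable[Tuple[str, bytes, bytes]]) -> List[str]:
    """Names of exports whose in-memory prologue differs from the on-disk one."""
    return [v.export for v in scan(exports) if v.status != "clean"]


if __name__ == "__main__":
    sample = [
        ("NtAllocateVirtualMemory", CLEAN_STUB, HOOKED_STUB),
        ("NtClose", bytes.fromhex("4c8bd1b80f000000"), bytes.fromhex("4c8bd1b80f000000")),
    ]
    for verdict in scan(sample):
        print(verdict)
```

The same comparison, run the other way round, is exactly what a hook-evading sample gains from re-reading ntdll.dll: the clean stub yields a usable syscall number and no detour into the monitoring product. That is why a user-mode hook list should not be the only telemetry a detection stack relies on.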
It also uses a persistence method that randomizes the path, file name, file extension, and registry key it relies on, so a fixed file name or registry value name is not enough to spot it.
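Randomized persistence is still visible from the defender's side if one scores the shape of an autorun entry rather than its exact value. The following heuristic is an added example written for this article, not code from FormBook, its author, or the vendors cited, and it does not encode the specific keys or names FormBook uses (the article does not list them). It runs over constructed log records in a Sysmon Event ID 13 (registry value set) style; the field layout, the choice of Run/RunOnce as the watched keys, the "user-writable" directory list, and the random-name rule are all assumptions.

```python
# Added example: score registry autorun entries for randomized persistence.
# Log lines are constructed to look like Sysmon Event ID 13 records; the
# field names and thresholds are assumptions, not a vendor signature.
import re
from typing import Dict, List

AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.IGNORECASE)
EXPECTED_EXTS = {".exe"}   # assumption: what a legitimate Run value usually points at

# Constructed sample events (one pipe-separated record per line).
CONSTRUCTED_EVENTS = [
    r'EventID=13|Image=C:\Users\bob\AppData\Roaming\xk3f9q2a\d8s2m1.scr|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Qm2xd9|Details="C:\Users\bob\AppData\Roaming\xk3f9q2a\d8s2m1.scr"',
    r'EventID=13|Image=C:\Program Files\Foo\setup.exe|TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FooUpdater|Details="C:\Program Files\Foo\updater.exe" /background',
    r'EventID=13|Image=C:\Windows\regedit.exe|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|Details="C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    r'EventID=1|Image=C:\Windows\explorer.exe|CommandLine=explorer.exe',
]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict (values may contain '=')."""
    return dict(field.split("=", 1) for field in line.split("|"))


def target_path(details: str) -> str:
    """Extract the executable path from a Run value: quoted path or first token."""
    m = re.match(r'\s*"([^"]+)"', details)
    return m.group(1) if m else details.split()[0]


def looks_random(stem: str) -> bool:
    """Assumed rule: letters mixed with digits, or no vowels at all, in a 6+ char name."""
    if len(stem) < 6:
        return False
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    return (digits >= 2 and letters >= 2) or vowels == 0


def score_autorun(path: str) -> Dict[str, bool]:
    """Independent signals; no single one is conclusive on its own."""
    filename = path.rsplit("\\", 1)[-1]
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        stem, ext = filename, ""
    else:
        ext = "." + ext
    return {
        "user_writable": bool(USER_WRITABLE_RE.search(path)),
        "odd_extension": ext.lower() not in EXPECTED_EXTS,
        "random_name": looks_random(stem),
    }


def suspicious_autoruns(lines: List[str], threshold: int = 2) -> List[dict]:
    """Return autorun writes that trip at least `threshold` signals."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13" or not AUTORUN_KEY_RE.search(ev.get("TargetObject", "")):
            continue
        path = target_path(ev["Details"])
        signals = score_autorun(path)
        if sum(signals.values()) >= threshold:
            hits.append({"value": ev["TargetObject"], "path": path, "signals": signals})
    return hits


if __name__ == "__main__":
    for hit in suspicious_autoruns(CONSTRUCTED_EVENTS):
        print(hit)
```

With the constructed input, only the .scr under a random-looking AppData directory is reported; the OneDrive entry also lives under AppData but trips a single signal and stays below the threshold, which is the point of scoring rather than matching any one property.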
Crooks who bought the FormBook malware-building panel have already started distributing payloads via spam runs, to real targets.
The malware's weaponization in such a short time after its launch is surprising. For example, Bleeping Computer has been tracking a Java-based RAT, sold on the same hacking forum, since January this year, which has failed to pop up in distribution campaigns and live infections.
FormBook distribution emails have been documented in an ISC SANS report here. FireEye reports that most of the targeted organizations are active in the Aerospace, Defense Contractor, and Manufacturing sectors, and are predominantly located in the US and South Korea.
Most of the emails bearing FormBook malware carry file attachments in a wide variety of formats, such as PDF, DOC, XLS, ZIP, RAR, ACE, and even ISO. The documents either contain links to the FormBook EXE or they drop and execute the malware's binary on infected hosts.
"In the last few weeks, FormBook was seen downloading other malware families such as NanoCore," FireEye writes in a report. "The credentials and other data harvested by successful FormBook infections could be used for additional cyber crime activities including, but not limited to: identity theft, continued phishing operations, bank fraud and extortion."
The malware may be simple and crude, but it is more than enough to wreak havoc inside an organization with poor security practices.