Security researchers at the cybersecurity company FireEye have discovered a widespread malware distribution campaign based on the FormBook virus and aimed primarily at the defense contractor, aerospace, and industrial sectors of the United States, South Korea, India and Russia.
FormBook is a data-stealing malware and form grabber that has been advertised on various hacking forums since last year. FormBook is offered on the black cyber market through a “Malware-as-a-Service” business model. Anyone can purchase a service subscription for a week ($29), a month ($59) or 3 months ($99). Distributors also offer a Pro version for $299.
The attackers used a wide range of distribution mechanisms in these email campaigns to deliver the FormBook malware to victims' machines, including attached PDF files with download links, DOC and XLS files with malicious macros, and archive files (ZIP, RAR, ACE, and ISO) containing EXE payloads.
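The delivery vectors listed above (PDFs carrying download links, Office documents carrying macros, archives carrying executables) are exactly the attachment types a mail-gateway triage step can flag before a user opens them. The script below is an added example written for this page, not code from FireEye or from the report; it uses only the Python standard library and constructed sample attachments (no real malware), and its checks are heuristics: OOXML macro containers are detected by the `vbaProject.bin` member, legacy OLE files by the UTF-16LE `_VBA_PROJECT` stream name, and RAR/ACE/ISO containers are simply flagged for sandbox detonation because the standard library cannot open them.

```python
import io
import re
import zipfile

# File types the FireEye report lists as FormBook carriers.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")
OPAQUE_ARCHIVE_EXTS = (".rar", ".ace", ".iso")  # no stdlib parser: flag for sandboxing
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container header
# OLE directory entries store stream names as UTF-16LE; the _VBA_PROJECT stream
# exists only when a VBA project is present (heuristic, not a full OLE parser).
VBA_STREAM_UTF16 = "_VBA_PROJECT".encode("utf-16-le")
# PDF link annotations carry the target in a /URI (...) entry.
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def triage_attachment(filename, data):
    """Return a list of findings for one attachment; an empty list means no hit."""
    findings = []
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""

    # Bare EXE payload, by extension or by PE magic.
    if ext in EXECUTABLE_EXTS or data.startswith(b"MZ"):
        findings.append("bare executable attachment")

    # Archive formats we cannot inspect offline: hand them to a sandbox.
    if ext in OPAQUE_ARCHIVE_EXTS:
        findings.append("opaque archive (%s): detonate in a sandbox" % ext)

    # ZIP archives and OOXML documents (.docm/.xlsm are ZIP containers).
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                lower = member.lower()
                if lower.endswith(EXECUTABLE_EXTS):
                    findings.append("archive contains executable: " + member)
                if lower in ("word/vbaproject.bin", "xl/vbaproject.bin"):
                    findings.append("Office document carries a VBA macro container: " + member)

    # Legacy binary .doc/.xls with a VBA project stream.
    if data.startswith(OLE_MAGIC) and VBA_STREAM_UTF16 in data:
        findings.append("legacy Office document with a VBA project stream")

    # PDF with an embedded download link.
    if data.startswith(b"%PDF"):
        for uri in PDF_URI_RE.findall(data):
            findings.append("PDF embeds a link: " + uri.decode("ascii", "replace"))

    return findings


def build_samples():
    """Constructed sample attachments (not real malware) covering each vector."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ" + b"\x00" * 64)      # fake PE stub inside a ZIP
    docm_buf = io.BytesIO()
    with zipfile.ZipFile(docm_buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)     # macro container present
    legacy_doc = OLE_MAGIC + b"\x00" * 64 + VBA_STREAM_UTF16 + b"\x00" * 16
    pdf = b"%PDF-1.4\n1 0 obj << /S /URI /URI (http://example.com/download) >> endobj\n%%EOF"
    rar = b"Rar!\x1a\x07\x00" + b"\x00" * 64                  # RAR magic, content not inspected
    return {
        "invoice.zip": zip_buf.getvalue(),
        "quote.docm": docm_buf.getvalue(),
        "tender.doc": legacy_doc,
        "spec.pdf": pdf,
        "update.rar": rar,
        "notes.txt": b"plain text, nothing to see here",
    }


def triage_all(samples=None):
    """Triage every sample and map attachment name -> findings."""
    samples = build_samples() if samples is None else samples
    return {name: triage_attachment(name, blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(name, "->", findings or ["clean"])
```

A hit from `triage_attachment` is a reason to quarantine or sandbox the message, not a verdict: the OLE and PDF checks are byte-pattern heuristics, so a production gateway would replace them with a real OLE parser and PDF object walker and would also log the findings for the SOC.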
The FormBook malware injects itself into various processes and installs function hooks to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. The virus can also execute commands from a C&C server. The commands include instructing the malware to download and execute files, start processes, shut down and reboot the system, and steal cookies and local passwords.
According to the experts, FormBook exploits already-known system vulnerabilities.
Most attacks using FormBook malware are observed in the USA (71%), South Korea (31%), India (17%) and Russia (5%).