FormBook Malware Campaign Targets U.S. Organizations

Most Formbook malware attacks have targeted specific industry sectors in the United States and South Korea, but there is concern that the malware will be used in more widespread attacks around the globe. To date, the Aerospace industry, defense contractors, and the manufacturing sector have been extensively targeted; however, attacks have not been confined to these sectors. The financial services, energy and utility companies, services/consulting firms and educational institutions have also been attacked.

FireEye detected several ‘significant campaigns’ in the United States and South Korea and reports that attacks are primarily occurring via spam email. The emails being sent are generic, rather than spear phishing emails at specific targets, although the attacks are concentrated on certain industry sectors.

The malicious attachments used to download and install FormBook malware differ in the United States and South Korea. In the United States, the attackers are primarily using PDF files, Word documents and XLS spreadsheets. The Office documents contain malicious macros, which download the malware when run by end users. The PDF files contain an embedded link that, if clicked, will download the malicious payload. The emails captured by FireEye spoof DHL and FedEx and claim to contain details of shipments. In South Korea, a campaign has been detected using .ACE, .ISO, .RAR, and .ZIP files, with the executable attached to the email.

FormBook malware has persistence and can perform a wide range of functions. It is a keylogger, can capture data from the clipboard, steal cookies and passwords, can start and stop processes, force a reboot, extract data from HTTP sessions, take screenshots, and download other files. One campaign has been used to download the Nanocore Trojan onto infected devices.

While the primary purpose of FormBook malware appears to be espionage, it can be used in all manner of attacks and nefarious purposes. The malware is being used by multiple actors and is being rented via underground marketplaces as malware-as-a-service; complete with an easy to use web interface for compiling executables.  Further, the cost of hiring the malware is low – $29 per month or $299 for a full package professional option. The developers claim the malware is advanced Internet activity logging software and gives users a “powerful Internet monitoring experience”.

Due to the low price, ease of use, and the wide range of functions, this malware variant is expected to become a major threat to all businesses.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of