Formbook | Malware Trends Tracker

FormBook is a cheap, malware-as-a-service infostealer that appeals to operators with limited technical skills, yet it includes advanced evasion and data-collection capabilities. The article analyzes its behavior, distribution, and execution flow using ANY.RUN, highlighting key actions such as credential theft, keystroke logging, and process injection along with deceptive delivery methods.

Keypoints

  • FormBook is sold as a PHP-controlled stealer and is designed for easy deployment by low-skill actors.
  • It combines data theft (including keystrokes, clipboard data, and browser credentials) with evasion and anti-analysis techniques.
  • The malware uses process injection (into explorer.exe and Firefox) and installs API hooks for data capture and persistence.
  • Delivery relies on email campaigns with various attachments (PDF, DOC, EXE, ZIP, RAR, ACE, ISO); macros and deceptive packaging are common delivery methods.
  • Office-based infection leverages CVE-2017-11882 to download and execute payloads via the Office Equation Editor.
  • FormBook changes registry autorun settings for persistence and performs VM/sandbox checks to evade analysis.
  • ANY.RUN simulations reveal a typical execution flow from C2 contact to payload drop, data theft, and C2 communication.

MITRE Techniques

  • [T1055] Process Injection – FormBook injects into processes (e.g., explorer.exe) and installs API hooks; “the virus uses the same injection method to an active explorer.exe process which is only employed as a non-permanent staging ground.”
  • [T1113] Screen Capture – The malware can take screenshots as part of its data collection; “taking screenshots.”
  • [T1056.001] Keylogging – FormBook logs keystrokes; “logging keystrokes, stealing clipboard data, and extracting authentication information from browser HTTP sessions.”
  • [T1115] Clipboard Data – It steals clipboard data; “stealing clipboard data.”
  • [T1555.003] Credentials from Web Browsers – It extracts authentication information from browser sessions; “extracting authentication information from browser HTTP sessions.”
  • [T1547.001] Boot or Logon Autostart – FormBook changes the autorun value in the registry to persist; “change the autorun value in the registry.”
  • [T1203] Exploitation for Client Execution – It exploits CVE-2017-11882 to download and run payloads; “exploits the CVE-2017-11882 vulnerability…”
  • [T1036] Masquerading – It masquerades as benign content (e.g., “pretending to be a .png”) to evade suspicion; “pretending to be a .png.”
  • [T1204.002] User Execution: Malicious Macros – Delivery uses macros in DOC/EXE campaigns to install/run the virus; “macros to install and run the virus.”
  • [T1566.001] Phishing: Spearphishing Attachment – Distributed via email campaigns with various attachments; “distributed via email campaigns that utilized a wide array of infecting mechanisms and can contain a number of various file attachments.”
  • [T1071.001] Web Protocols – Establishes C2 channel; “established connection to the CnC server.”
  • [T1041] Exfiltration Over C2 Channel – Data is exfiltrated to C2; “data is saved in files in the %APPDATA% directory until it is sent to the C&C server.”
  • [T1497] Virtualization/Sandbox Evasion – Checks for debuggers and analysis environments before running its payload; “checking for the presence of debuggers” and “evaluate the best anti-evasion option…”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Uses CMD.EXE for execution/persistence; “starts CMD.EXE to set up persistence.”
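The execution flow in the keypoints and the technique list above can be turned into a small detection pass. The following is an added example, not code from ANY.RUN or from this page: it runs behavioural rules over a constructed sequence of sandbox events and returns the matching technique IDs. The event schema, the process names (eqnedt32.exe as the Equation Editor binary, dropper.exe) and the exact Run key path are assumptions for the example.

```python
"""Toy behavioural detection for the FormBook chain described above.
Event schema, process names and the Run key path are assumptions, not ANY.RUN's format."""
import re

# Constructed sample events (not real telemetry), in the order the chain is described:
# Equation Editor spawns a payload, which injects into explorer.exe, sets persistence
# through CMD.EXE, stages data under %APPDATA% and then talks to the C2.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "winword.exe", "image": "eqnedt32.exe", "cmdline": ""},
    {"type": "process", "parent": "eqnedt32.exe", "image": "dropper.exe", "cmdline": "dropper.exe"},
    {"type": "inject", "source": "dropper.exe", "target": "explorer.exe"},
    {"type": "process", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v x /d C:\\x.exe'},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "x"},
    {"type": "file", "path": "C:\\Users\\u\\AppData\\Roaming\\abc\\log.dat"},
    {"type": "network", "image": "explorer.exe", "dest": "203.0.113.7:80"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run", re.IGNORECASE)   # autorun key (assumed path)
INJECTION_TARGETS = {"explorer.exe", "firefox.exe"}             # hosts named on the page


def match_techniques(events):
    """Return the sorted MITRE technique IDs whose FormBook-style behaviour appears in events."""
    hits = set()
    staged_in_appdata = False
    for e in events:
        t = e["type"]
        if t == "process" and e["parent"].lower() == "eqnedt32.exe":
            hits.add("T1203")        # Equation Editor spawning a payload (CVE-2017-11882 pattern)
        if t == "inject" and e["target"].lower() in INJECTION_TARGETS:
            hits.add("T1055")        # injection into explorer.exe / Firefox
        if t == "process" and e["image"].lower() == "cmd.exe" and RUN_KEY.search(e["cmdline"]):
            hits.add("T1059.003")    # CMD.EXE used to set up persistence
        if t == "registry" and RUN_KEY.search(e["key"]):
            hits.add("T1547.001")    # autorun value changed
        if t == "file" and "\\appdata\\" in e["path"].lower():
            staged_in_appdata = True  # stolen data is staged under %APPDATA% before upload
        if t == "network" and staged_in_appdata and e["image"].lower() in INJECTION_TARGETS:
            hits.add("T1041")        # C2 traffic from the injected host after staging
    return sorted(hits)


if __name__ == "__main__":
    print(match_techniques(SAMPLE_EVENTS))
```

The T1041 rule only fires when a network connection from an injected host process follows an %APPDATA% write, so a lone explorer.exe connection does not match on its own.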

Indicators of Compromise

  • [File extension] Attachments used in campaigns – PDF, DOC, EXE, ZIP, RAR, ACE, ISO
  • [Vulnerability] CVE-2017-11882 – Office Equation Editor exploitation to download and execute payloads

Read more: https://any.run/malware-trends/formbook