Skip to main content

New FormBook malware sweeps US, Korea

(Image credit: Photo Credit:

High-volume FormBook malware distribution campaigns have targeted businesses in the aerospace, defence contractor and manufacturing sectors according to new research from the cybersecurity company FireEye. 

The attackers behind these campaigns employed a variety of delivery methods to distribute this information stealing malware including PDFs with download links, DOC and XLS files which contained malicious macros and ZIP, RAR, ACE and ISO archive files containing executable payloads. 

FireEye found that the PDF and DOC/XLS campaigns were primarily directed at businesses in the US while the archive campaigns impacted both the US and South Korea.  

The FormBook malware itself steals data and captures the contents of forms.  Since 2016, this malware has been advertised on a number of hacking forums and attackers that wish to utilise it to steal user data could do so for $29 per week, $59 per month, $99 per three months or could even buy a pro package for $299. 

FormBook operates by injecting itself into various processes and installing function hooks to log keystrokes, steal the contents of a user's clipboard and extract data from HTTP sessions.  The malware is also able to execute commands from a command and control server including instructing the malware to download and execute files, start processes, shutdown or reboot the system as well as steal cookies and local passwords stored on the infected device. 

The FormBook malware is especially difficult to detect because it features a persistence method capable of changing the path, filename, file extension and the registry key used for persistence. 

The creator of this malware does not sell the builder but only the panel which then generates the executable files as a service. 

Cybercriminals have begun to use the FormBook malware due to its relative ease of use, affordable pricing structure and open availability.  This is likely not the last will hear of this malware being deployed and used in cyber attacks. 

Image Credit: / Shutterstock

After living and working in South Korea for seven years, Anthony now resides in Houston, Texas where he writes about a variety of technology topics for ITProPortal.