FormBook Malware Campaign Targets US & South Korean Defence Contractors

Important commercial industries in both the United States and South Korea are currently being targeted by the FormBook malware distribution campaign.

That is the warning by security specialists FireEye, which said the aerospace, defence contractor, and manufacturing sectors are being hit in the third quarter of this year.

It comes amid heightened tensions on the Korean peninsula, as North Korea defies United Nations sanctions and presses ahead with its nuclear programme and highly aggressive missile tests over Japan.

FormBook Malware

The FireEye warning was made in a blog post on the matter, which provides a full technical breakdown of the malware.

FireEye said the “significant” FormBook email campaigns are using a variety of distribution mechanisms to deliver the information-stealing FormBook malware.

These include attached PDF files with download links, Microsoft Word and Excel documents containing malicious macros, and archive files (ZIP, RAR, ACE and ISO) containing EXE payloads.

According to FireEye, the PDF, .Doc and .Xls campaigns have mostly impacted the United States, whereas the archive campaign has mostly targeted both the US and South Korea.
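The three lure types described above map onto checks a mail gateway can run before a user ever opens an attachment. The following is an added example written for this article, not FireEye's code or anything from the FormBook write-up: it inspects constructed stand-in attachments (a ZIP carrying an executable, an Office document with a VBA project, a PDF with an external link) and tags the ones that match the campaign's delivery patterns. The file names, sample bytes and tag names are all assumptions made for the illustration; RAR, ACE and ISO containers are only flagged for sandboxing because parsing them needs third-party libraries.

```python
import io
import zipfile

# Container and document types named in the FireEye description of the campaign
ARCHIVE_EXTS = {".zip", ".rar", ".ace", ".iso"}
OOXML_EXTS = {".docx", ".docm", ".xlsx", ".xlsm"}
LEGACY_OFFICE_EXTS = {".doc", ".xls"}
EXECUTABLE_EXTS = (".exe", ".scr", ".com")


def _extension(filename):
    name = filename.lower()
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def classify_attachment(filename, data):
    """Return a list of risk tags for one attachment (file name plus raw bytes)."""
    ext = _extension(filename)
    tags = []

    if ext in ARCHIVE_EXTS:
        tags.append("archive")
        if ext == ".zip" and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    payload = zf.read(member)
                    # PE executables start with the 'MZ' DOS header; flag by name or by magic
                    if member.lower().endswith(EXECUTABLE_EXTS) or payload[:2] == b"MZ":
                        tags.append("archive-contains-exe")
                        break
        else:
            # RAR/ACE/ISO (or a malformed ZIP): hand off to a sandbox rather than guess
            tags.append("archive-unparsed")
    elif ext in OOXML_EXTS:
        # Modern Office files are ZIP packages; a VBA project is stored as vbaProject.bin
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                    tags.append("office-macro")
    elif ext in LEGACY_OFFICE_EXTS:
        # Binary OLE documents: crude marker check; a production pipeline would use oletools
        if b"_VBA_PROJECT" in data or b"Macros" in data:
            tags.append("office-macro-possible")
    elif ext == ".pdf":
        # The PDF lures carried download links rather than exploits, so look for URI actions
        if b"/URI" in data:
            tags.append("pdf-external-link")
    return tags


def triage(attachments):
    """Map each attachment name to its tags, dropping attachments with no findings."""
    findings = {}
    for name, data in attachments:
        tags = classify_attachment(name, data)
        if tags:
            findings[name] = tags
    return findings


def _zip_bytes(members):
    """Build an in-memory ZIP from a {member_name: bytes} mapping."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return out.getvalue()


def constructed_samples():
    """Constructed stand-ins for the three lure types; not real FormBook samples."""
    return [
        ("invoice.zip", _zip_bytes({"invoice.exe": b"MZ\x90\x00" + b"\x00" * 60})),
        ("quote.docm", _zip_bytes({"[Content_Types].xml": b"<Types/>",
                                   "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"})),
        ("report.docx", _zip_bytes({"[Content_Types].xml": b"<Types/>",
                                    "word/document.xml": b"<w:document/>"})),
        ("order.pdf", b"%PDF-1.4\n1 0 obj << /S /URI /URI (http://example.invalid/x) >> endobj\n%%EOF"),
        ("notes.txt", b"plain text, nothing to see"),
    ]


if __name__ == "__main__":
    for name, tags in triage(constructed_samples()).items():
        print(f"{name}: {', '.join(tags)}")
```

Run stand-alone it reports the ZIP, the macro-enabled document and the linked PDF, and stays silent on the plain .docx and the text file. The checks are deliberately cheap and signature-free, so they are a triage layer to route suspicious attachments into detonation, not a replacement for it.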

The FormBook malware is described as a data stealer and form grabber, but not a fully fledged piece of banking malware. It has been advertised on various hacking forums since early 2016, and its authors have even placed glossy adverts for the malware on criminal forums.

It targets Windows-based systems (XP, Vista, 7, 8 and 10) and can be hosted for just $29 per week for the full malware package.

The way it works is that the malware arrives on local machines via the various email campaigns and injects itself into running processes. From there it burrows into those processes and installs function hooks to log keystrokes, steal clipboard data, and harvest data from HTTP sessions.


The malware has a definite mean streak, as it can also execute commands from a command and control (C2) server, such as downloading and executing other files, starting processes, performing shutdowns or reboots, and even stealing cookies and local passwords.

The FormBook campaign has been detected by FireEye as running between 18 July and 17 August, and much of the activity was centred on South Korea and the United States, with the manufacturing sector bearing the brunt of the attack.

India and Germany have also been hit, although the UK seems to have escaped its attention, for now.

“While FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use, affordable pricing structure, and open availability make FormBook an attractive option for cyber criminals of varying skill levels,” said FireEye.

“In the last few weeks, FormBook was seen downloading other malware families such as NanoCore,” the security specialist warned. “The credentials and other data harvested by successful FormBook infections could be used for additional cyber crime activities including, but not limited to, identity theft, continued phishing operations, bank fraud and extortion.”

Malware Campaigns

It should be noted that other malware campaigns have been targeting the US and South Korea of late.

In August for example Malwarebytes warned that the Cerber ransomware was being delivered to specific countries in Asia, most notably South Korea.

Indeed, it found that South Korea was the most impacted country amid a slew of ongoing malvertising campaigns.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
