FormBook Malware

What Is FormBook Malware?

FormBook malware (AKA xLoader) is classified as a stealer (spyware) and, as its name implies, is known for its form-grabbing techniques to extract data directly from website HTML forms as well as its ability to steal data from keystrokes, browser autofill features, and copy-and-paste clipboards. These techniques allow FormBook to effectively capture data not explicitly typed, including credit card numbers and multi-factor authentication tokens, directly from a browser.

FormBook is also classified as Malware-as-a-Service (MaaS) because it is sold pre-compiled and ready for use in a cyberattack. FormBook's MaaS platform provides attackers access to an online command and control (C2) interface for controlling compromised systems remotely and collecting stolen data. The malware and service package sells on Dark Web forums with prices ranging from $29 for a one-week license to $299 for a full "Pro" license. 

FormBook can steal data from more than 90 different software applications, including all major browsers and a long list of less popular browsers, email clients and messaging apps, file management tools including Windows Explorer and Total Commander, and an exhaustive list of FTP clients. In 2020, a new cross-platform variant of FormBook appeared. Dubbed xLoader, it is programmed in Java and capable of stealing data from devices running Windows or macOS operating systems.

FormBook can be delivered through various first-stage tactics highly dependent on the individual threat actor distributing it. Still, its default configuration uses a self-extracting Roshal Archive (RAR) to infect targets via an embedded AutoIt script.

Upon execution, FormBook conducts extensive surveillance on the compromised system followed by a dynamic course of action depending on its level of system permissions and whether it detects debugging tools and security products that would indicate a malware analysis environment. 

FormBook further hides its activity by obfuscating hardcoded strings in its payload. Hardcoded paths and function names are broken up into small sets of characters and concatenated at runtime or otherwise scrambled and decoded immediately before execution. FormBook also imports Dynamic Link Library (DLL) modules at runtime by manually mapping all available module names and comparing them to BZip2 CRC32 hashes hardcoded into the payload to avoid cleartext use of strings that might reveal its intentions.
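For analysts, the hash-based import lookup described above can be reversed with a precomputed table. The following is an added example, not code from FormBook or from this page's author: it implements the standard CRC-32/BZIP2 algorithm and maps hashes back to names. The wordlist, the case and encoding variants tried, and the sample hashes are assumptions constructed for illustration.

```python
"""Resolve CRC-32/BZIP2 name hashes seen in a sample back to module names."""

# Analyst-chosen candidate names (assumption: extend with the DLLs on your analysis host).
WORDLIST = ["kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "wininet.dll"]


def crc32_bzip2(data: bytes) -> int:
    """CRC-32/BZIP2: poly 0x04C11DB7, init 0xFFFFFFFF, MSB-first, final XOR 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            if crc & 0x80000000:
                crc = ((crc << 1) ^ 0x04C11DB7) & 0xFFFFFFFF
            else:
                crc = (crc << 1) & 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF


def build_table(names):
    """Hash each candidate in several forms, since the exact form hashed is not known up front."""
    table = {}
    for name in names:
        for variant in sorted({name, name.lower(), name.upper()}):
            for encoding in ("ascii", "utf-16-le"):  # narrow and wide strings
                digest = crc32_bzip2(variant.encode(encoding))
                table.setdefault(digest, (variant, encoding))
    return table


def resolve(hashes, table):
    """Return {hash: (name, encoding)}, with None for hashes the wordlist does not explain."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_table(WORDLIST)
    # Constructed inputs: derived here from known names, not taken from a real sample.
    constructed = [
        crc32_bzip2(b"ntdll.dll"),
        crc32_bzip2("KERNEL32.DLL".encode("utf-16-le")),
    ]
    for digest, hit in resolve(constructed, table).items():
        print(f"{digest:#010x} -> {hit}")
```

Hashes that stay unresolved indicate the wordlist or the assumed string form needs widening, not that the constant is unrelated.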

To maintain persistence on an infected system, FormBook installs its files into a randomly named directory, frequently changes its path, filename, and file extension, and rotates Windows AutoLoad registry keys. FormBook also comes preinstalled with many C2 domain names, allowing it to switch to another if one C2 server is identified and blocked.

FormBook's most potent method of detection evasion, however, is a technique known as process hollowing. This technique allows FormBook to spawn a new process from a legitimate Windows application, so it can masquerade as a legitimate process and fool security products that scan for rogue processes.

xLoader, a FormBook variant, has been designed specifically to infect Apple's macOS, but its success rate is low for two reasons:

  1. macOS does not come preinstalled with the Java Runtime Environment (JRE).
  2. Its built-in security mechanisms warn users when software is not digitally signed by its author, and users must explicitly authorize software that has been downloaded from the internet.

In addition to stealing saved data from a vast number of applications, FormBook can infect browsers, giving the malware direct access to the document-object model (DOM) of any webpage loaded by the infected browser. This method of infection allows FormBook to scrape data directly from webpage forms immediately as the DOM is modified, even if the user does not type the password in themselves.

Signs of a FormBook Attack

FormBook is spread using phishing campaigns, typically with an invoice payment theme to trick victims into executing the primary payload. These phishing campaigns commonly use email .zip attachments that contain either a Microsoft Office .doc or .xls file with an embedded macro, a portable executable (PE) file with a .exe extension, or, more recently, a Java executable file using a .jar extension designed to compromise both Windows and macOS systems. FormBook attacks may also use customized file icons when delivered as .exe files to make the malicious file appear as a PDF. 
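A mail-gateway or triage check for the attachment types listed above can look at file content rather than trusting names or icons. The following is an added example, not tooling from this page's author: it inspects a .zip attachment in memory and flags members by their leading bytes. The verdict labels and the sample archive are constructed for illustration.

```python
"""Triage a .zip attachment for the member types named above, by content."""
import io
import os
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # .jar files are ZIP archives


def classify(name, head):
    """Return a verdict label for one member, or None if nothing matched."""
    ext = os.path.splitext(name.lower())[1]
    if head.startswith(b"MZ"):
        # A PE file behind any other extension is a stronger signal than a plain .exe.
        return "pe-executable" if ext == ".exe" else "pe-disguised"
    if head.startswith(OLE_MAGIC):
        return "ole-office-document"  # may carry macros; hand to a macro scanner
    if head.startswith(ZIP_MAGIC) and ext == ".jar":
        return "java-archive"
    return None


def triage_zip(blob):
    """Map member filename -> verdict for every flagged member of the archive."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: content cannot be read here
                findings[info.filename] = "encrypted-not-inspected"
                continue
            with archive.open(info) as member:
                verdict = classify(info.filename, member.read(8))
            if verdict:
                findings[info.filename] = verdict
    return findings


def build_sample():
    """Constructed archive with harmless stand-in members (magic bytes plus padding)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 62)
        zf.writestr("payment.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("statement.xls", OLE_MAGIC + b"\x00" * 24)
        zf.writestr("remittance.jar", inner.getvalue())
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()
```

Calling `triage_zip(build_sample())` flags every member except `readme.txt`; encrypted members are reported without inspection so they can be routed for manual review.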

If executed with high-level system privileges, FormBook creates a randomly named directory in the Program Files directory. When executed with standard user-level privileges, it stores its payload in the user-specific AppData directory or the Windows Temp directory.

How to Prevent a FormBook Attack

Preventing a FormBook attack primarily depends on user awareness training that can prepare staff to identify potentially malicious files and provide standard operating procedures (SOP) for handling them. However, organizations should deploy a full range of defensive security measures to not only prevent a FormBook attack from occurring but also to minimize the potential damage of an attack and quickly detect and recover should one occur. 

A more comprehensive list of defensive tactics that can prevent a successful FormBook attack includes:

  • Consider user awareness training to educate personnel about phishing techniques and develop standard operating procedures (SOP) for handling suspicious emails and documents, and configure email clients to notify users when emails originate from outside the organization
  • Recognize the increased risk that encrypted files present and verify the context of such documents thoroughly before opening them
  • Ensure Office applications are configured with the "Disable all macros without notification" or "Disable all except digitally signed macros" setting
  • Install and configure endpoint security products that scan encrypted documents immediately after they are unencrypted, detect indicators of compromise (IOCs), and take defensive action to block malicious files from executing
  • Implement Zero Trust solutions wherever possible, giving priority to critical systems 
  • Maintain up-to-date antivirus signatures and engines on all security products
  • Ensure that only authorized, digitally signed software is installed on all endpoints; regularly scan for and block any unauthorized software from executing
  • Improve visibility into remote workers' systems with endpoint security products that offer remote attestation
  • Use the principle of least privilege when architecting networks to avoid adding users to the local administrator group unless required
  • Use a content proxy to monitor internet usage and restrict user access to suspicious or risky sites

CylanceOPTICS® provides on-device threat detection and remediation using artificial intelligence (AI) to prevent security incidents with root cause analysis, smart threat hunting, and automated detection and response capabilities. Our Endpoint Detection and Response (EDR) approach effectively eliminates response latency. It can be the difference between a minor security incident and a widespread, uncontrolled event.