Recent investigations by security experts have unveiled a noteworthy shift in tactics among sophisticated hacking groups. Rather than developing proprietary malware or exploiting zero-day vulnerabilities, these adversaries are increasingly opting to use off-the-shelf malware—similar to the actions of amateur hackers, often referred to as “script kiddies.” This strategy may serve state-sponsored actors well by making it more challenging to trace the origin of attacks.
Among the organizations tracking this trend are Arbor Networks and FireEye, both of which have independently reported ongoing malware campaigns. These campaigns seem to focus predominantly on organizations within the aerospace, defense, and manufacturing sectors, impacting targets across several nations, including the United States, Thailand, South Korea, and India.
The malware at the center of these operations is known as FormBook, an information and password-stealing tool that has gained traction in underground hacking forums since 2016. FormBook operates under a “malware-as-a-service” model, allowing anyone to rent its capabilities for merely $29 per week or $59 per month. This malware suite boasts extensive spying functionalities, including keystroke logging, password extraction, network sniffing, and the ability to take screenshots.
Researchers have observed that the attackers typically distribute FormBook via email attachments, which can take various forms, including PDF files with malicious links, Microsoft Word and Excel documents containing harmful macros, and compressed archives (ZIP, RAR) harboring executable payloads. These methods align with initial access techniques outlined in the MITRE ATT&CK framework.
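As an added illustration of how a mail gateway can triage exactly the attachment types described above, the following Python script (written for this page, not code from the article, Arbor Networks or FireEye) flags bare executables, ZIP archives that pack an executable, OOXML Office files that carry a `vbaProject.bin` macro container, legacy OLE2 Office files, and PDFs with link or launch actions. It assumes ZIP-only archive handling (RAR would need a third-party library) and builds its own constructed sample files in memory.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Attachment types the article names as FormBook delivery vectors, plus
# executables commonly packed inside archives. Lists are illustrative only.
EXECUTABLES = {".exe", ".scr", ".com", ".pif", ".bat", ".js", ".vbs"}
LEGACY_OFFICE = {".doc", ".xls"}                  # OLE2 binaries that may carry VBA
OOXML_OFFICE = {".docx", ".docm", ".xlsx", ".xlsm"}  # ZIP containers

def _zip_members(data: bytes):
    """Return member names of a ZIP payload, or None if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None

def triage_attachment(filename: str, data: bytes) -> tuple:
    """Classify one attachment; returns (verdict, reason) with verdict in block/review/allow."""
    suffix = PurePosixPath(filename).suffix.lower()
    if suffix in EXECUTABLES:
        return "block", "executable attached directly"
    if suffix == ".zip":
        members = _zip_members(data)
        if members is None:                        # ZIP extension but unreadable: suspicious
            return "review", "zip extension but not a readable archive"
        packed = [m for m in members if PurePosixPath(m).suffix.lower() in EXECUTABLES]
        if packed:
            return "block", "archive contains executable: " + ", ".join(packed)
        return "allow", "archive without executable members"
    if suffix in OOXML_OFFICE:
        members = _zip_members(data) or []
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            return "review", "Office document carries a VBA macro project"
        return "allow", "Office document without macro project"
    if suffix in LEGACY_OFFICE or data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "review", "legacy OLE2 Office file; may contain VBA macros"
    if suffix == ".pdf" or data.startswith(b"%PDF"):
        if b"/URI" in data or b"/Launch" in data:  # simple byte scan, not a full PDF parse
            return "review", "PDF contains external link or launch action"
        return "allow", "PDF without link or launch actions"
    return "allow", "no known FormBook delivery pattern"

def build_zip(members: dict) -> bytes:
    # Helper to construct in-memory sample archives for testing the triage rules.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Extension and magic-byte checks are a first filter only; a production gateway would also detonate or deeply parse the flagged files.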
Once inside a target system, FormBook injects itself into running processes, capturing keystrokes and siphoning sensitive information from a variety of applications, including popular web browsers and email clients such as Google Chrome, Firefox, and Microsoft Outlook. The data collected is then transmitted to a remote command and control server, from which the attackers can issue further commands, including system shutdowns and process terminations. This behaviour indicates the use of persistence mechanisms among the adversary tactics outlined in the MITRE ATT&CK Matrix.
The malware’s sophistication is evident, as it employs a technique that directly reads Windows’ ntdll.dll module from memory, complicating traditional detection methods including user-mode hooking and API monitoring. FireEye has identified this approach as the “Lagos Island method,” linking it to prior uses in userland rootkits.
Furthermore, FormBook has demonstrated its adaptability by downloading additional malicious software, such as NanoCore, broadening the set of threats facing targeted organizations. The data harvested by FormBook can facilitate a range of cybercriminal activities, including identity theft, phishing, bank fraud, and various forms of extortion.
While FormBook presents itself as a lucrative tool for cybercriminals, it is neither particularly advanced nor difficult to detect. As such, businesses are strongly advised to maintain up-to-date antivirus solutions on their systems as a primary line of defense against such threats. Awareness and proactive cybersecurity measures remain critical in safeguarding sensitive data against this rising trend in cyber attacks.