It seems that sophisticated computer hackers have changed the way they perform cyber operations rather than investing zero-day and developing their formbook malware; Some groups of hackers have started to use malware already made, such as scripts.
Perhaps, this could be a smart solution for state-sponsored hackers to avoid being easily attributed.
Security researchers from several security companies, including Arbor Networks and FireEye, have independently discovered several malware campaigns targeting the aerospace, defense and manufacturing industries in several countries, including the United States, Thailand, South Korea and India.
What is common? All of these piracy campaigns, conducted by various hacking groups, end up installing the same malicious information and password software called FormBook malware on target systems.
FormBook malware is nothing more than a malware as a service, which is an affordable malware that loses information and data capture and has been announced in several hacking forums since the beginning of 2016.
Anyone can rent FormBook malware for only $ 29 a week or $ 59 a month, which offers a range of advanced spy capabilities on target machines, including a keylogger, password thief, network sniffer, screenshots, web model data stealer and much more.
According to the researchers, attackers in each campaign use mainly email to distribute FormBook malware as attachments in various forms, including PDF files with malicious download links, DOC and XLS files with malicious macros and compressed files (ZIP, RAR, and ISO) containing EXE payloads.
Also Read: 16 Natural Ways to Earn Money Online
Once installed on a target system, the malware is injected into multiple processes and begins to capture keystrokes and extracts stored passwords and other confidential data from multiple applications such as Google Chrome, Firefox, Skype, Safari, Vivaldi, Q-360, Microsoft Outlook and Mozilla. Thunderbird, 3D-FTP, FileZilla, and WinSCP.
FormBook malware continually sends all stolen data to a remote control and control server (C2) which also allows the attacker to execute other commands on the target system, including startup, shutdown, and restart the system and the cookie robbery processes.
“One of the most exciting features of malware is that it reads the Windows ntdll.dll disk module in memory and directly calls its exported functions, making the user mode and API snap mechanisms ineffective,” says FireEye.
“Malware writer calls this technique” Lagos Island Method “(supposedly coming from a user rootkit with that name)”.
According to researchers, FormBook malware has also been seen downloading other malware families like NanoCore in recent weeks.
Attackers can even use the data collected successfully by FormBook malware for other cybercrime activities, including identity theft, ongoing phishing operations, bank fraud, and extortion.
FormBook malware is neither sophisticated nor hard to detect, so the best way to protect yourself against this malware is to keep good antivirus software on your systems and keep it up to date.