HackRead

Data Stealer Malware Hits Critical Cyber Infrastructure in US and S.Korea

October 9th, 2017 | Waqas | Security, Cyber Crime, Malware, Phishing Scam

IT security researchers at FireEye have documented campaigns using a malware that aims to steal sensitive information from organisations in critical sectors, including aerospace, defense contracting and manufacturing, in South Korea and the United States.

Dubbed FormBook, the data stealer is distributed through several lure formats and, once running, steals clipboard contents, logs keystrokes and extracts data from HTTP sessions. According to FireEye’s researchers Nart Villeneuve, Randi Eitzman, Sandor Nemes and Tyler Dean:

“While FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use, affordable pricing structure, and open availability make FormBook an attractive option for cybercriminals of varying skill levels.” 

FormBook is distributed in PDFs with download links; .DOC and .XLS files carrying malicious macros; and archive files (e.g. .ZIP and .RAR) containing .EXE payloads. Once it has infected a device, the malware takes instructions from its command-and-control (C2) server, which can tell it to steal passwords and cookies, execute files, start processes, and shut down or reboot the system.
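The three lure formats above (macro documents, archives wrapping an .EXE, and plain executables under a misleading name) can be triaged at the mail gateway before a user ever opens them. The following is an added example, not FireEye's or HackRead's code and not a FormBook sample; the attachments it inspects are constructed in memory, and the file names and the findings format are assumptions for the example.

```python
"""Attachment triage for the lure types named above: Office documents
carrying VBA macros and archives carrying executables. Added example, not
FireEye's or HackRead's code; the sample files are constructed in memory
and are not real lures."""
import io
import zipfile

MACRO_MARKER = "vbaproject.bin"      # OOXML keeps VBA in word/, xl/ or ppt/vbaProject.bin
PE_MAGIC = b"MZ"                     # DOS header that opens every Windows PE file
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".dll", ".js", ".vbs", ".ps1", ".bat", ".cmd"}
LEGACY_OFFICE = {".doc", ".xls", ".ppt"}
MAX_DEPTH = 3                        # archives nested inside archives


def _extension(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _zip_members(data: bytes):
    """Return [(name, bytes)] for a ZIP (OOXML documents are ZIPs too), or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return None


def triage_attachment(filename: str, data: bytes, depth: int = 0) -> list:
    """Return findings (strings) for one attachment; an empty list means no indicator.
    Checks the extension, the PE magic (catches renamed executables), VBA containers
    inside OOXML files, and recurses into archive members."""
    findings = []
    ext = _extension(filename)
    if ext in EXEC_EXTENSIONS:
        findings.append(f"{filename}: executable extension {ext}")
    if data.startswith(PE_MAGIC):
        findings.append(f"{filename}: PE header present regardless of extension")
    if depth >= MAX_DEPTH:
        return findings
    members = _zip_members(data)
    if members is None:
        if ext in LEGACY_OFFICE:
            # Binary .doc/.xls are OLE2 compound files; VBA lives in a separate
            # stream, so they need an OLE parser (e.g. oletools' olevba) to inspect.
            findings.append(f"{filename}: legacy OLE document, inspect VBA streams with an OLE parser")
        return findings
    for member_name, member_data in members:
        if member_name.lower().endswith(MACRO_MARKER):
            findings.append(f"{filename}: VBA macro container {member_name}")
        # Every member is triaged like a top-level attachment, so a zipped
        # EXE or a document inside a nested archive is caught as well.
        findings.extend(triage_attachment(f"{filename}!{member_name}", member_data, depth + 1))
    return findings


def _build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (no real malware): a macro-bearing Word file, a clean one,
# an archive hiding a PE stub behind a double extension, and a renamed PE stub.
SAMPLE_MACRO_DOC = _build_zip({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 vba stub",
})
SAMPLE_CLEAN_DOCX = _build_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})
PE_STUB = PE_MAGIC + b"\x90\x00" + b"\x00" * 60
SAMPLE_ARCHIVE = _build_zip({"Invoice_2017/Invoice.pdf.exe": PE_STUB, "readme.txt": "see attached"})


def demo() -> dict:
    """Run the triage over the constructed samples; returns {name: findings}."""
    return {
        "quote.docm": triage_attachment("quote.docm", SAMPLE_MACRO_DOC),
        "agenda.docx": triage_attachment("agenda.docx", SAMPLE_CLEAN_DOCX),
        "order.zip": triage_attachment("order.zip", SAMPLE_ARCHIVE),
        "report.pdf": triage_attachment("report.pdf", PE_STUB),
    }


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, "->", found or "clean")
```

The extension check alone is the weakest of the four tests, which is exactly why the archive lures ship an .EXE under a document-looking double extension; the PE magic check and the recursion into archive members are what catch that. Legacy binary .DOC/.XLS files are OLE2 containers rather than ZIPs, so their macro streams need an OLE parser; the block only flags them for that second look.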

Image: Example PDF campaign attachment / Credit: FireEye

“The credentials and other data harvested by successful FormBook infections could be used for additional cybercrime activities including, but not limited to: identity theft, continued phishing operations, bank fraud, and extortion,” said FireEye.

The malware has been for sale on several hacking forums since 2016. Researchers have now also observed it downloading NanoCore, a remote access trojan (RAT) first identified in 2013 and widely sold on the dark web; NanoCore’s author, Taylor Huddleston, was arrested in March 2017.

Image: FormBook underground pricing / Credit: FireEye

FireEye also noted that FormBook reads the Windows ntdll.dll module from disk into its own memory and calls the exported functions in that fresh copy directly. User-mode API monitoring works by hooking the copy of ntdll.dll that the loader mapped into the process; calls made through a private copy never pass through those hooks, so that monitoring is rendered ineffective.
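The second copy of ntdll.dll leaves a memory-layout artefact that can be hunted for. As an added example, not FireEye's code or anything taken from FormBook, the following runs that hunt over a constructed region listing; the CSV layout, the process names, the base addresses and the region contents are assumptions for the example.

```python
"""Hunt for a process carrying a second, freshly read copy of ntdll.dll, the
API-hook evasion FireEye attributes to FormBook. Added example over constructed
data: the CSV layout, the process names and the region contents are assumptions,
not any tool's real output."""
import csv
import io
import struct
from collections import defaultdict

# Constructed region listing, one row per region, in the shape a tool built on
# VirtualQueryEx/GetMappedFileName might export. pid 4321 is the "infected"
# process: ntdll.dll backs two regions and a private region holds a file copy.
SAMPLE_REGIONS = """pid,process,base,type,protect,mapped_file
1234,explorer.exe,0x77d40000,Image,RX,C:\\Windows\\System32\\ntdll.dll
1234,explorer.exe,0x76a10000,Image,RX,C:\\Windows\\System32\\kernel32.dll
4321,svchost.exe,0x77d40000,Image,RX,C:\\Windows\\System32\\ntdll.dll
4321,svchost.exe,0x01a00000,Mapped,R,C:\\Windows\\System32\\ntdll.dll
4321,svchost.exe,0x02000000,Private,RW,
"""


def _fake_pe_copy_of(export_name: bytes) -> bytes:
    """Constructed stand-in for a DLL read into a buffer: DOS header, e_lfanew,
    PE signature and the module's own name as the export directory carries it."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)      # e_lfanew: PE header at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf) + b"\0" * 16 + export_name + b"\0"


# Constructed contents of the private region, keyed by (pid, base).
SAMPLE_CONTENTS = {(4321, 0x02000000): _fake_pe_copy_of(b"ntdll.dll")}


def region_is_ntdll_copy(content: bytes) -> bool:
    """True when a buffer starts with a PE image that names itself ntdll.dll.
    Checks the MZ/PE signatures and the name string only; a full parse of the
    export directory is the stricter test."""
    if len(content) < 0x40 or content[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", content, 0x3C)[0]
    if content[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    return b"ntdll.dll\0" in content.lower()


def hunt_second_ntdll(regions_csv: str, contents: dict) -> dict:
    """Return {pid: [reason, ...]} for processes that show a second ntdll.dll."""
    by_pid = defaultdict(list)
    for row in csv.DictReader(io.StringIO(regions_csv)):
        by_pid[int(row["pid"])].append(row)
    alerts = defaultdict(list)
    for pid, rows in by_pid.items():
        ntdll_rows = [r for r in rows if r["mapped_file"].lower().endswith("\\ntdll.dll")]
        if len(ntdll_rows) > 1:
            bases = ", ".join(r["base"] for r in ntdll_rows)
            alerts[pid].append(f"ntdll.dll backs {len(ntdll_rows)} regions ({bases}); the loader maps it once")
        for r in ntdll_rows:
            if r["type"] != "Image":
                alerts[pid].append(f"ntdll.dll at {r['base']} is a {r['type']} view, not the loader's Image mapping")
        for r in rows:
            blob = contents.get((pid, int(r["base"], 16)))
            if r["type"] == "Private" and blob is not None and region_is_ntdll_copy(blob):
                alerts[pid].append(f"private region at {r['base']} holds a PE image naming itself ntdll.dll")
    return dict(alerts)


if __name__ == "__main__":
    for pid, reasons in hunt_second_ntdll(SAMPLE_REGIONS, SAMPLE_CONTENTS).items():
        print(pid, *reasons, sep="\n  ")
```

Two signals are checked. The metadata signal is ntdll.dll backing more than one region, or backing a Mapped (data-file) view rather than the loader's single Image mapping. The content signal is a private, file-less region whose bytes begin with a PE image naming ntdll.dll, which is what a plain ReadFile of the module into a heap buffer looks like. On a live Windows host the listing would be built from VirtualQueryEx and GetMappedFileNameW, and the region bytes from ReadProcessMemory; the name-string test is a triage shortcut that a full export-directory parse would tighten.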

“It also features a persistence method that randomly changes the path, filename, file extension and the registry key used for persistence. The malware author does not sell the builder, but only sells the panel, and then generates the executable files as a service,” researchers explained.
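The persistence behaviour described in the quote above (a randomised path, file name, extension and registry value) can be hunted from an export of the autostart keys. The following is an added example, not FireEye's tooling and not derived from FormBook; the .reg export it reads is constructed, the user and directory names are invented, and the name heuristics are this example's own.

```python
"""Triage of Run-key autostart entries for the randomised persistence FireEye
describes (random path, file name, extension and registry value name). Added
example; the .reg export is constructed and the name heuristics are this
example's own, not FireEye's detection logic."""
import re

# Constructed `reg export` of a user's Run key: one legitimate entry and two
# entries shaped like generated persistence (names, directories, extension).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Lh3k9Qz2"="C:\\Program Files\\Xq7cdrw2\\ivrkyo3w.scr"
"SecurityHealth"="\"C:\\Users\\alice\\AppData\\Roaming\\Dvnmxq\\qwcfrtz.exe\""
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
IMAGE_RE = re.compile(r'^"?(.+?\.(?:exe|com|scr|pif|cmd|bat|vbs|js|dll))(?:"|\s|$)', re.I)
COMMON_AUTOSTART_EXT = {".exe", ".lnk", ".dll"}
VOWELS = set("aeiou")


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\" and \\\\)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_run_values(reg_text: str) -> list:
    """Return (key, value_name, command) triples for values under any ...\\Run key."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith("\\run"):
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def looks_random(token: str) -> bool:
    """Cheap generated-name test: almost no vowels, a long consonant run, or
    digits mixed into a vowel-poor string. Tuned for triage, so expect some
    false positives on product names that use digits."""
    letters = [c for c in token if c.isalpha()]
    if len(letters) < 5:
        return False
    vowel_ratio = sum(c.lower() in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in token:
        run = run + 1 if c.isalpha() and c.lower() not in VOWELS else 0
        longest = max(longest, run)
    has_digit = any(c.isdigit() for c in token)
    return vowel_ratio < 0.2 or longest >= 4 or (has_digit and vowel_ratio < 0.35)


def image_path(command: str) -> str:
    """Pull the executable path out of a Run value's command line."""
    m = IMAGE_RE.match(command.strip())
    return m.group(1) if m else command.strip().split()[0]


def triage_run_entry(value_name: str, command: str) -> list:
    """Reasons an autostart entry looks like generated persistence (empty if none)."""
    reasons = []
    parts = image_path(command).replace("/", "\\").split("\\")
    filename = parts[-1]
    stem, dot, ext = filename.rpartition(".")
    ext = "." + ext.lower() if dot else ""
    if looks_random(value_name):
        reasons.append(f"value name '{value_name}' looks generated")
    if looks_random(stem):
        reasons.append(f"file name '{filename}' looks generated")
    for directory in parts[1:-1]:
        if looks_random(directory):
            reasons.append(f"directory '{directory}' looks generated")
    if ext and ext not in COMMON_AUTOSTART_EXT:
        reasons.append(f"extension {ext} is unusual for an autostart entry")
    return reasons


def hunt_run_keys(reg_text: str) -> dict:
    """Return {value_name: reasons} for every Run entry with at least one reason."""
    hits = {}
    for _, name, cmd in parse_run_values(reg_text):
        reasons = triage_run_entry(name, cmd)
        if reasons:
            hits[name] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in hunt_run_keys(SAMPLE_REG_EXPORT).items():
        print(name, *reasons, sep="\n  ")
```

The checks mirror the quote: the value name, each path component and the file extension are each judged on their own, so an entry hiding behind a plausible value name (the constructed "SecurityHealth" entry) is still caught by its generated directory and file name. Because the quote says the registry key itself is also randomised, a real hunt should additionally diff the set of autostart keys present against a known-good baseline rather than trusting the Run key alone; on a live host the input is the output of `reg export` for the autostart hives.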

Beyond South Korea and the United States, the malware’s targets included Australia, Russia, France, the United Kingdom, Germany, Poland, Ukraine, the Netherlands and Hungary, while the archive campaign specifically targeted South Korea, the United States, India, Germany, Belgium, Australia, Japan, Sweden, Saudi Arabia and France.

The top 10 industry verticals affected by the archive campaign are manufacturing (40%), services/consulting (17%), telecom (13%), financial services (9%), federal government (5%), energy/utilities (4%), retail (4%), high-tech (3%), aerospace/defense contractors (3%) and education (2%).

FormBook targets Windows, but it reaches its victims through macro documents and user-launched executables rather than an operating-system flaw, so keeping Windows patched matters less here than blocking macros in documents that arrive from the internet, filtering executable attachments (including those inside archives), and watching for the persistence and ntdll.dll tricks described above. Users should not open unexpected or suspicious emails, should not click links in unsolicited messages, and should avoid downloading attachments from senders they do not recognise.

  • Tags
  • Cyber Crime
  • cyber war
  • dark web
  • hacking
  • Infosec
  • internet
  • Malware
  • RAT
  • security
  • South Korea
  • USA
  • Windows
Waqas

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism


HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.
