Data Stealer Malware Hits Critical Cyber Infrastructure in US and S.Korea

IT security researchers at FireEye have discovered malware that aims to steal sensitive information from critical cyber infrastructure, including the aerospace, defense contractor and manufacturing sectors, in South Korea and the United States.

Dubbed FormBook, the data stealer is distributed through several delivery methods and, once installed, steals clipboard contents, logs keystrokes and extracts data from HTTP sessions. According to FireEye’s researchers Nart Villeneuve, Randi Eitzman, Sandor Nemes and Tyler Dean:

“While FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use, affordable pricing structure, and open availability make FormBook an attractive option for cybercriminals of varying skill levels.” 

FormBook is distributed in PDFs with download links; .DOC and .XLS files with malicious macros; and archive files (e.g. .ZIP and .RAR) containing .EXE payloads. Once a device is infected, the malware can receive instructions from its command and control (C2) server to steal passwords and cookies, execute files, start processes, and shut down or reboot the system.

[Image] Example PDF campaign attachment / Credit: FireEye

“The credentials and other data harvested by successful FormBook infections could be used for additional cybercrime activities including, but not limited to: identity theft, continued phishing operations, bank fraud, and extortion,” said FireEye.

The malware has been available for sale on several hacking forums since 2016. However, researchers have now discovered that it also downloads NanoCore, a remote access trojan (RAT) first identified in 2013 and extensively sold on the dark web. Its author, Taylor Huddleston, was arrested in March 2017.

[Image] FormBook underground pricing / Credit: FireEye

FireEye also noted that FormBook reads Windows’ ntdll.dll module from disk into memory and calls its exported functions directly from that private copy. Because those calls never pass through the copy of ntdll.dll that the loader mapped, API monitoring mechanisms that hook functions in the loaded module can be rendered ineffective.
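A defender-side way to look for the technique described above is to scan a process for PE images that sit in memory but are absent from the loader's module list: a second, privately mapped copy of ntdll.dll shows up exactly that way. The following Python is an added example written for this article, not FireEye's code or tooling; the process snapshot (module list, memory regions and their contents) is constructed inline so the check runs offline, and a minimal fake PE header stands in for an image read from disk.

```python
import struct

# --- Minimal PE header handling -------------------------------------------

def build_fake_pe_image(size=0x200):
    """Constructed stand-in for an image mapped from disk: only the DOS 'MZ'
    stub, the e_lfanew field and the 'PE\\0\\0' signature are filled in."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew: offset of the PE signature
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


def has_pe_header(data):
    """True if the bytes begin with a DOS header whose e_lfanew points at a
    valid PE signature inside the buffer (bounds are checked before use)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# --- Detection logic --------------------------------------------------------

def find_unbacked_images(regions, loaded_modules):
    """Return (base_address, reason) for every region that carries a PE header
    but whose base is not in the loader's module list. A PE image in private,
    non-file-backed memory is the strongest indicator of a manually mapped
    module such as a second copy of ntdll.dll."""
    findings = []
    for region in regions:
        if not has_pe_header(region["data"]):
            continue
        if region["base"] in loaded_modules:
            continue
        reason = "PE header in %s memory (%s) not present in loaded-module list" % (
            region["type"], region["protect"])
        findings.append((region["base"], reason))
    return findings


# --- Constructed process snapshot (addresses and paths are invented) --------

LOADED_MODULES = {
    0x7FFE0000: r"C:\Windows\System32\ntdll.dll",
    0x00400000: r"C:\example\app.exe",
}

REGIONS = [
    # Legitimate loader-mapped ntdll.dll: in the module list, so not reported.
    {"base": 0x7FFE0000, "type": "MEM_IMAGE", "protect": "PAGE_EXECUTE_READ",
     "data": build_fake_pe_image()},
    # The main executable, also in the module list.
    {"base": 0x00400000, "type": "MEM_IMAGE", "protect": "PAGE_EXECUTE_READ",
     "data": build_fake_pe_image()},
    # A private copy of a PE image the loader knows nothing about.
    {"base": 0x02A00000, "type": "MEM_PRIVATE", "protect": "PAGE_EXECUTE_READWRITE",
     "data": build_fake_pe_image()},
    # Ordinary heap memory: no PE header, ignored.
    {"base": 0x00600000, "type": "MEM_PRIVATE", "protect": "PAGE_READWRITE",
     "data": b"\x00" * 0x200},
]


if __name__ == "__main__":
    for base, reason in find_unbacked_images(REGIONS, LOADED_MODULES):
        print("0x%08X: %s" % (base, reason))
```

On a live Windows host the same logic would be fed from VirtualQueryEx and ReadProcessMemory for the regions and from EnumProcessModules for the module list; the region type and protection strings above mirror the MEM_* and PAGE_* constants those APIs report. Confirming that a flagged region really is a copy of ntdll.dll (for example by comparing its export table against the on-disk file) is a second step this snippet does not attempt.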

“It also features a persistence method that randomly changes the path, filename, file extension and the registry key used for persistence. The malware author does not sell the builder, but only sells the panel, and then generates the executable files as a service,” researchers explained.
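Randomised persistence of the kind the researchers describe still has to land in a predictable place, typically a Run key pointing into a user-writable directory. The scanner below is an added example for this article, not FireEye's detection logic; it parses a constructed .reg-style export of Run keys and scores each value on heuristics (user-writable image path, random-looking value or file name, scripting extension). All key names, value names and paths are invented, and the thresholds are assumptions to tune for a real environment.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample (not from the FireEye report): a .reg-style export of two
# Run keys. Value names and paths are invented for this example.
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Qx7mZ-a3"="C:\\Users\\alice\\AppData\\Roaming\\Tq9wL\\hr3kd2.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"v8Dk2s"="C:\\ProgramData\\k9Zp1q\\s7Ge.exe -hidden"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data", where both sides may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Directories an unprivileged user can write to; a persistence image living
# there is one indicator, not proof (OneDrive legitimately runs from AppData).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
SCRIPT_EXTS = {".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".scr", ".pif", ".com", ".hta"}


def unescape(text):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\ in a single pass."""
    return re.sub(r"\\(.)", r"\1", text)


def looks_random(token):
    """Heuristic: names mixing letters and digits, or with almost no vowels,
    are unlikely to have been chosen by a person (assumed threshold 15%)."""
    alnum = re.sub(r"[^A-Za-z0-9]", "", token)
    if len(alnum) < 4:
        return False
    if any(c.isdigit() for c in alnum) and any(c.isalpha() for c in alnum):
        return True
    alpha = [c for c in alnum.lower() if c.isalpha()]
    if not alpha:
        return True
    return sum(c in "aeiou" for c in alpha) / len(alpha) < 0.15


def extract_image_path(data):
    """Pull the executable path out of a Run value: quoted form first,
    otherwise the first whitespace-delimited token (unquoted paths with
    spaces are not handled here)."""
    match = re.match(r'^"([^"]+)"', data)
    if match:
        return match.group(1)
    parts = data.split()
    return parts[0] if parts else ""


def score_entry(key, name, data):
    path = extract_image_path(data)
    p = PureWindowsPath(path)
    reasons = []
    if any(marker in path.lower() for marker in USER_WRITABLE):
        reasons.append("image in user-writable location")
    if looks_random(p.stem):
        reasons.append("random-looking file name")
    if looks_random(name):
        reasons.append("random-looking value name")
    if p.suffix.lower() in SCRIPT_EXTS:
        reasons.append("script/uncommon extension " + p.suffix.lower())
    return {"key": key, "name": name, "path": path, "score": len(reasons), "reasons": reasons}


def scan_autoruns(text):
    """Parse a .reg-style export and score every value under each key."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            entries.append(score_entry(key, unescape(vm.group(1)), unescape(vm.group(2))))
    return entries


def suspicious_autoruns(text, threshold=2):
    """Names of values that trip at least `threshold` indicators (assumed: 2)."""
    return [e["name"] for e in scan_autoruns(text) if e["score"] >= threshold]


if __name__ == "__main__":
    for entry in scan_autoruns(SAMPLE_REG_EXPORT):
        flag = "SUSPICIOUS" if entry["score"] >= 2 else "ok"
        print("%-10s %-12s %s  %s" % (flag, entry["name"], entry["path"], "; ".join(entry["reasons"])))
```

Requiring two independent indicators is what keeps the legitimate OneDrive entry (an AppData path, but a readable name and a normal extension) out of the results while the two invented entries with random names under Roaming and ProgramData are reported. Because the malware also randomises the registry key itself, a real sweep should cover the RunOnce keys and the Wow6432Node variants as well as the two Run keys shown.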

Beyond South Korea and the United States, the malware has hit targets in countries including Australia, Russia, France, the United Kingdom, Germany, Poland, Ukraine, the Netherlands and Hungary, while the archive campaign targeted countries including South Korea, the United States, India, Germany, Belgium, Australia, Japan, Sweden, Saudi Arabia and France.

The top 10 industry verticals affected by the archive campaign are Manufacturing 40%, Services/Consulting 17%, Telecom 13%, Financial Services 9%, Federal Government 5%, Energy/Utilities 4%, Retail 4%, High-Tech 3%, Aerospace/Defense Contractor 3% and Education 2%.

Since FormBook targets Windows devices, it is high time for high-profile institutions to either update their Windows installations to the latest version or move to a more secure platform. Moreover, don’t open unknown or suspicious emails, don’t click links in an anonymous email, and avoid downloading attachments from senders you are not familiar with.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.