Aerospace and defense contractors and manufacturing companies are facing a new malware threat disguised in standard business software documents that is aimed at stealing critical information for identity theft and extortion, according to a new report from cyber protection company FireEye [FEYE].
The new threat, known as FormBook, is being sold on hacking forums and uses activity logging software embedded in innocuous-seeming documents such as PDFs and Word documents to steal passwords and extract files.
“While we cannot release specifics on potentially affected clients, we can say that FormBook is primarily a credential stealer – by way of key logging and form grabbing. The campaigns were likely after credentials only; however, it is common practice for cyber crime actors to continue monetizing their efforts by using those stolen credentials for further activities such as, the sale of those credentials in the underground, continued phishing operations, bank fraud and extortion,” FireEye Analyst Randi Eitzman told Defense Daily in an interview.
Cyber criminals deliver the information-stealing malware through PDFs with download links, DOC and XLS files containing malicious macros and archived computer files with EXE payloads.
FireEye’s aerospace and defense contractors and manufacturing industry clients in the U.S. were those hit particularly hardest by the malware, according to the report, which collected data on attacks from July and August of this year.
“Because of the affiliate model (or Malware-as-a-Service) set up and its open availability on the web, it is difficult to determine the attack origins, and could be attributed to anyone who has subscribed to the service,” said Eitzman.
The malware has been advertised to cyber criminals on hacking forums since 2016.
“FormBook is an advanced internet activity logging software coded in low level language ASM/C which means it does not require any dependency to work perfectly on all versions of Windows,” according to a description in an advertisement for the malware included in FireEye’s report. “FormBook is designed with aim to give you extensive and powerful internet monitoring experience with its ultimate stability alongside flexibility that is above the edge of all existing monitoring/spy tools.”
The data-stealing malware is capable of key-logging, clipboard monitoring, grabbing HTTP and network requests, and collecting passwords from browsers and email clients. From the cyber criminal’s own command server, FormBook can be used to updates bots, shutdown systems, take screenshots, and download archived ZIP files.
“Aside from maintaining updated OS patches and running an endpoint protection service, it is crucial for end users to practice good cyber hygiene like avoiding opening suspicious or unsuspected email attachments from known or unknown sources, and avoiding clicking hyperlinks within such emails or attachments,” Eitzman said.
The majority of FireEye’s clients hit with FormBook PDF campaigns were in the U.S. Hackers used fake shipping notifications from FedEx and DHL containing links that downloaded the FormBook payload to the user’s system.
Aerospace and defense contractors faced the greatest threat from email campaigns containing DOC and XLS files with FormBook payload links, with 33 percent of all attacks directed at their industry. In August, FireEye noticed a surge of threats contained in emails with sample subject lines such as “NEW ORDER” and “URGENT PURCHASE ORDER.”
FireEye’s manufacturing industry clients faced most attacks in the form of archived ZIP files containing the FormBook payload.
The company’s second-hardest hit group were its South Korean clients, with 31% of archived file FormBook attacks aimed at the nation.
“While FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use, affordable pricing structure, and open availability make FormBook an attractive option for cyber criminals of varying skill levels,” FireEye writes in its report.