The picture is beginning to change: attackers are turning to cheap, ready-made malware instead of investing in zero-days and developing their own sophisticated tools. For state-sponsored groups this could be a blessing in disguise, since commodity malware makes attribution harder.
Arbor Networks, FireEye, and the Internet Storm Center (ISC SANS) have each, over the last few months, discovered a series of malware campaigns targeting aerospace, defense contractors and manufacturing sectors in countries including the United States, Thailand, South Korea and India.
The malware used in these attacks is a common one, FormBook, which has been sold on a Darknet forum since mid-July.
Malware Rental Price Is Low
FormBook’s author, a user named ng-Coder, got it right by setting a low price and an acceptable feature set. Naturally, cybercriminals flocked to his services like bees to honey.
FormBook can be rented for $29/week, $59/month or $99/three months; those who wish to own it outright can buy it for $299. The panel comes with a range of advanced spying capabilities on target machines, including a keylogger, password stealer, network sniffer, screenshot capture, web form data stealer and more.
Bleeping Computer researchers found that attackers in each campaign primarily used emails to distribute FormBook as an attachment in several forms: PDFs with malicious download links, DOC and XLS files with malicious macros, and archive files (ZIP, RAR, ACE and ISO) containing EXE payloads.
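The three delivery vectors above are exactly what a mail-gateway triage step can look for before a message reaches a user. The script below is an added example written for this article, not FormBook code and not from any of the researchers cited: it flags Office documents that carry a VBA project, archives that wrap an executable, and attachments whose content is a PE file regardless of the declared extension. All sample attachments are constructed in memory, and the extra executable extensions beyond EXE are an assumption.

```python
"""Attachment triage for the FormBook delivery vectors the article describes.
Added example: not FormBook code and not from the original article."""
import io
import zipfile

# Carrier types named in the article. RAR, ACE and ISO have no stdlib parser,
# so they are flagged on extension and routed onward.
ARCHIVE_EXTS = {".zip", ".rar", ".ace", ".iso"}
OOXML_EXTS = {".docx", ".docm", ".xlsx", ".xlsm"}   # ZIP-based Office formats
OLE_EXTS = {".doc", ".xls"}                          # legacy binary Office formats
# Assumption: the article only names EXE payloads; .scr and .dll are added
# here as other common PE carrier names.
EXEC_EXTS = {".exe", ".scr", ".dll"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _ext(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def _zip_names(data):
    """Member names if `data` is a ZIP container (OOXML is ZIP), else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def triage(filename, data):
    """Return a list of findings for one attachment; an empty list means nothing flagged."""
    findings = []
    ext = _ext(filename)
    names = _zip_names(data)

    # Content check first: the declared extension is attacker-controlled.
    if data[:2] == b"MZ":
        findings.append("content is a PE executable (MZ header)")

    if ext in ARCHIVE_EXTS:
        if names is None:
            findings.append(f"{ext} container could not be parsed here; route to sandbox")
        else:
            for member in names:
                if _ext(member) in EXEC_EXTS:
                    findings.append(f"archive contains executable member {member}")

    # OOXML stores macros as a vbaProject.bin part inside the ZIP container.
    if ext in OOXML_EXTS and names is not None:
        for member in names:
            if member.lower().endswith("vbaproject.bin"):
                findings.append(f"Office document carries VBA project {member}")

    if ext in OLE_EXTS and data[:8] == OLE_MAGIC:
        findings.append("legacy OLE Office document; macro check needs an OLE parser")

    return findings


def _build_zip(members):
    """Build an in-memory ZIP from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample attachments (stubs, not real malware).
SAMPLES = {
    "quote.docm": _build_zip({"[Content_Types].xml": b"<Types/>",
                              "word/document.xml": b"<w:document/>",
                              "word/vbaProject.bin": b"\x00stub"}),
    "quote.docx": _build_zip({"[Content_Types].xml": b"<Types/>",
                              "word/document.xml": b"<w:document/>"}),
    "order.zip": _build_zip({"order.exe": b"MZ\x90\x00stub"}),
    "drawing.ace": b"**ACE**stub",
    "report.pdf": b"MZ\x90\x00stub",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, triage(name, data) or ["no findings"])
```

The checks are deliberately content-based where the standard library allows it: a renamed executable or a macro-enabled document saved with a harmless-looking extension still trips the MZ and vbaProject.bin checks, while the unparsed archive types are handed to a sandbox rather than silently passed.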
- Coded in ASM/C (x86_x64)
- Startup (Hidden)
- Full PE-Injection(No dll/No drop/both x86 and x64)
- Ring3 kit
- Bin is Balloon Executable (MPIE + MEE)
- Doesn’t use suspicious Windows API
- No blind hook, all hooks are thread safe including the x64, so crash is unlikely
- All communication with panel is encrypted
- Install Manager
- File Browsing (FB-Connect)
- Full Unicode-Support
- Supported Browsers
- HTTP, HTTPS, SPDY, HTTP/2, KEYSTROKE, CLIPBOARD & PASSWORD RECOVERY (both 32-bit and 64-bit browsers)
Once installed on the target machine, the malware injects itself into various processes, captures keystrokes, extracts stored passwords, and harvests sensitive data from applications such as Google Chrome, Firefox, Skype, Safari, Vivaldi, Q-360, Microsoft Outlook, Mozilla Thunderbird, 3D-FTP, FileZilla and WinSCP.
FormBook continuously sends all the stolen data to a remote command and control (C2) server, and attackers can also execute other commands on the targeted system: starting processes, shutting down and rebooting the machine, and stealing cookies.
In the past few weeks the researchers have also observed FormBook downloading other malware families, such as NanoCore.
Data harvested by FormBook can easily be used by attackers for further criminal activity, including identity theft, continued phishing operations, bank fraud and extortion. FormBook is cheap and easy to use, but it is also easily detected: a good anti-virus product kept up to date is all that is needed.