FormBook has grown in popularity recently and has been seen in several malware distribution campaigns. It is sold as a kit at a relatively low price and executes commands received from its command and control (C2) server, allowing the attacker to run files, start processes and steal passwords from the infected host.
A more notable feature of the kit, which its author calls the "Lagos Island method", disables user-mode hooking and Application Programming Interface (API) monitoring on the infected system, so security tools that rely on user-mode API hooks (many anti-virus and sandbox products) may not observe the malware's activity.
The malware has been delivered through many file types and methods, including malicious links in .pdf files, macro-enabled .doc files, and archive files (such as .zip and .rar) containing .exe payloads.
Affected platforms: Microsoft Windows, all versions.
- Ensure users are aware of basic phishing practices (don't open attachments or follow links from senders you don't recognise).
- Maintain up-to-date anti-virus, but do not rely on it alone: the user-mode hook bypass described above is designed to evade exactly this kind of monitoring.
- Treat attachments in PDF, DOC, XLS, ZIP, RAR, ACE and ISO formats with suspicion, particularly archives or disk images that contain executables and Office documents that ask for macros to be enabled.
- Monitor logs for indicators of compromise.
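As an added example (not part of the original advisory, and not FormBook code), the following Python script shows a first-pass attachment triage covering the delivery formats listed above: it identifies the real container type from magic bytes rather than the file extension, opens ZIP and OOXML containers in memory to look for executable members and VBA macro storage, and flags extension/content mismatches such as an executable renamed to .pdf. The samples are constructed stand-ins, not real payloads; the ACE ("**ACE**" at offset 7) and ISO 9660 ("CD001" at offset 0x8001) signature offsets follow the public format layouts.

```python
import io
import zipfile

# Magic-byte signatures for the attachment formats named in the advisory.
# OOXML documents (.docx/.docm/.xlsm) are ZIP containers, so they sniff as "zip".
SIGNATURES = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # legacy .doc/.xls
    b"MZ": "pe",                                     # Windows executable
}
# Extension we expect for each sniffed type; used to spot renamed files.
EXPECTED_TYPE = {
    "pdf": "pdf", "zip": "zip", "rar": "rar", "ace": "ace", "iso": "iso",
    "doc": "ole2", "xls": "ole2", "docx": "zip", "docm": "zip", "xlsm": "zip", "exe": "pe",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".bat", ".cmd", ".js", ".vbs", ".ps1"}


def sniff_type(data: bytes) -> str:
    """Classify an attachment by its content, ignoring the file name."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    # ISO 9660: primary volume descriptor at sector 16 (0x8000), "CD001" at byte 1 of it.
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso"
    # ACE archives carry "**ACE**" at offset 7.
    if data[7:14] == b"**ACE**":
        return "ace"
    return "unknown"


def inspect_zip(data: bytes) -> dict:
    """Walk a ZIP/OOXML container in memory: executable members and VBA macro storage."""
    findings = {"executables": [], "has_vba": False, "members": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            findings["members"] += 1
            lower = name.lower()
            if any(lower.endswith(ext) for ext in EXECUTABLE_EXTS):
                findings["executables"].append(name)
            if lower.endswith("vbaproject.bin"):   # OOXML macro project
                findings["has_vba"] = True
    return findings


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the reasons an attachment should be held for review (empty = nothing found)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff_type(data)
    if len(parts) > 2 and "." + ext in EXECUTABLE_EXTS:
        reasons.append(f"double extension hides an executable: {filename}")
    if ext in EXPECTED_TYPE and kind != EXPECTED_TYPE[ext]:
        reasons.append(f"extension .{ext} but content sniffs as {kind}")
    if kind == "pe":
        reasons.append("attachment is a Windows executable (MZ header)")
    if kind == "zip":
        try:
            z = inspect_zip(data)
        except zipfile.BadZipFile:
            reasons.append("ZIP signature but container is unreadable")
        else:
            if z["executables"]:
                reasons.append("archive contains executables: " + ", ".join(z["executables"]))
            if z["has_vba"]:
                reasons.append("Office document carries a VBA macro project")
    if kind in ("rar", "ace", "iso"):
        reasons.append(f"{kind} container: extract in a sandbox and re-run triage on contents")
    return reasons


def build_zip(members: dict) -> bytes:
    """Helper to construct in-memory ZIP samples for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): a PE stub, an archive carrying it,
# an executable renamed to .pdf, a macro-enabled document skeleton, and two benign files.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLES = {
    "invoice.zip": build_zip({"invoice.exe": FAKE_PE}),
    "quote.pdf": FAKE_PE,
    "order.docm": build_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00" * 16}),
    "receipt.pdf": b"%PDF-1.4\n%constructed sample\n",
    "photos.zip": build_zip({"a.jpg": b"\xff\xd8\xff"}),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, sniff_type(blob), triage_attachment(name, blob) or "clean")
```

The triage deliberately reports container types it cannot open (RAR, ACE, ISO) as needing extraction rather than guessing, since those formats are exactly where the .exe payloads described above tend to be hidden.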