FormBook Infostealer & Keylogger

FormBook: Widely Distributed Infostealer for Credential Theft and Surveillance

FormBook is a Windows-based info-stealer and keylogger first seen in the wild in 2016, sold as a malware-as-a-service (MaaS) tool on underground forums. It is designed to steal browser credentials, log keystrokes, capture screenshots, and exfiltrate data to remote servers. Despite being taken down in 2020, its code lives on in variants like XLoader, and FormBook campaigns remain a persistent threat in phishing and malspam operations.

Introduction to FormBook

FormBook became popular due to its affordable pricing, ease of use, and ability to evade detection. It spread through malicious email attachments, typically containing Office documents, PDFs, or ZIP archives with embedded scripts or executables. Once installed, it operates silently in the background, targeting stored credentials, clipboard contents, and other sensitive data.

---

1. How FormBook Works

Infection Mechanism:
FormBook is typically delivered via:

• Phishing emails with malicious attachments (Office docs, PDFs, .zip/.rar files)
• Malvertising and fake software downloads
• Exploit kits targeting unpatched browsers and plugins

Payload Execution:
Once executed, FormBook:

• Steals credentials from web browsers and email clients
• Logs keystrokes and monitors clipboard data
• Takes periodic screenshots of the user’s desktop
• Sends the stolen data to a command-and-control (C2) server
• May inject code into processes to maintain stealth and persistence

---

2. History and Notable Campaigns

Origin and Discovery:
FormBook first appeared in 2016, with widespread distribution by 2017. It was advertised on dark web forums as a cheap, reliable info-stealer targeting Windows systems.

Notable Campaigns:

• Used in broad phishing campaigns targeting individuals and businesses
• Distributed through email lures posing as invoices, orders, shipping notifications
• In 2020, a takedown operation disrupted its infrastructure, but its codebase was later used in XLoader, which added macOS support

---

3. Targets and Impact

Targeted Victims and Sectors:

• Individual users, small businesses, and enterprises
• Targets are global, with no specific focus on geography or industry
• Often deployed as part of initial access in multi-stage attacks

Consequences:

• Credential theft from browsers, FTP clients, and email platforms
• Risk of account takeover, identity theft, and fraud
• Use of stolen data in follow-up attacks, including ransomware or BEC scams
• Resale of stolen credentials on underground marketplaces

---

4. Technical Details

Payload Capabilities:

• Steals:
  • Saved browser passwords and session cookies
  • Email and FTP credentials
  • Clipboard and keylogging data
• Captures screenshots and sends them to a remote C2
• Injects into legitimate processes (e.g., explorer.exe)
• Uses encrypted channels for C2 communication

Evasion Techniques:

• Obfuscated and packed to evade antivirus
• Uses code injection and process hollowing for stealth
• Frequently updated by authors to stay ahead of detection
• Removes itself if running in a virtualized or sandboxed environment

---

5. Preventing FormBook Infections

Best Practices:

• Avoid opening email attachments from unknown senders
• Block macros and scripting in Office by default
• Do not download software from untrusted or cracked sources
• Enable multi-factor authentication (MFA) wherever possible
• Use strong, unique passwords and avoid storing them in browsers

Recommended Security Tools:

• Endpoint security with real-time protection and behavioral detection
• Email filters that scan for malicious documents and executables
• DNS-layer protection to block known C2 infrastructure
• Application allowlisting to limit what runs on endpoints

---

6. Detecting and Removing FormBook

Indicators of Compromise (IoCs):

• Suspicious executable files in %AppData%, %Temp%, or %LocalAppData%
• Registry keys for persistence with random or misleading names
• Outbound traffic to known FormBook C2 servers
• Abnormal process behavior like code injection or credential access attempts

Removal Steps:

1. Use a modern antivirus or EDR to perform a full scan
2. Delete identified payloads and associated registry keys
3. Reset all credentials used on the infected machine
4. Monitor for secondary infections that may have been dropped alongside
5. Reimage the system if full cleanup cannot be guaranteed

Professional Help:
If sensitive data was stolen or lateral movement is suspected, engage an incident response team for containment and forensics.

---

7. Response to a FormBook Infection

Immediate Steps:

• Disconnect the system from the network
• Remove malware and clean up persistence entries
• Reset credentials, notify affected services
• Check for additional malware or follow-on payloads
• Document the incident and update security policies accordingly

---

8. Legal and Ethical Implications

Legal Considerations:
FormBook may result in data breach reporting obligations under laws like GDPR or HIPAA if credentials or PII were compromised. Legal teams should be involved if sensitive or corporate accounts were accessed.

Ethical Considerations:
As a cheap and easy-to-use stealer, FormBook contributed to the commodification of cybercrime, enabling even low-skill attackers to cause significant harm through theft and surveillance.

---

9. Resources and References

• Check Point: What is FormBook Malware?
• FortiGuard Labs, Threat Research Report:
  • Deep Analysis, New FormBook Variant Delivered in Phishing Campaign – Part I
  • Deep Analysis: FormBook New Variant Delivered in Phishing Campaign – Part II
  • Deep Analysis: FormBook New Variant Delivered in Phishing Campaign – Part III
• MITRE ATT&CK Techniques:
  • T1056.001 (Input Capture: Keylogging)
  • T1555.003 (Credentials from Web Browsers)
  • T1566.001 (Phishing: Spearphishing Attachment)
  • T1113 (Screen Capture)
  • S1207 (Malware: Xloader)

---

10. FAQs about FormBook

Q: What is FormBook malware?
A Windows info-stealer that captures keystrokes, screenshots, and saved credentials, sold as malware-as-a-service.

Q: How does it spread?
Primarily via phishing emails with malicious attachments or links.

Q: Is it still active?
The original service was shut down in 2020, but its code lives on in malware like XLoader.

Q: What does it steal?
Passwords, cookies, keystrokes, clipboard data, and screenshots.

---

11. Conclusion

FormBook was one of the most widely used info-stealers of its time, offering powerful surveillance tools in an easy-to-use package. While its core service has been disrupted, the techniques and code it pioneered continue in successor malware. Defending against threats like FormBook means staying alert to phishing attempts, avoiding unsafe downloads, and using robust endpoint protection.

 

 

« Back to the Virus Information Library

« Back to the Security Center