2025-05-27 • Fortinet • Xiaopeng Zhang • win.formbook
Analysis Summary
# Tool/Technique: FormBook
## Overview
FormBook is an information-stealing malware primarily designed to harvest sensitive data from infected systems, often distributed via phishing campaigns.
## Technical Details
- Type: Malware family
- Platform: Windows
- Capabilities: Stealing credentials, keystroke logging, clipboard capturing, form grabbing.
- First Seen: Not stated in the provided context; FormBook is a long-established, well-known malware family.
## MITRE ATT&CK Mapping
*(Note: Specific ATT&CK mappings are not detailed in the provided snippet. The following are general mappings based on the known nature of FormBook as an infostealer.)*
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1056 - Input Capture
- T1056.001 - Keylogging
- T1003 - OS Credential Dumping
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (for exfiltrating data)
## Functionality
### Core Capabilities
- Information stealing from web browsers and applications.
- Capturing user input (keystrokes).
- Harvesting clipboard contents.
### Advanced Features
- Form grabbing (stealing data entered into web forms).
- Exfiltration of collected data to Command and Control (C2) infrastructure.
## Indicators of Compromise
*(Note: Specific IoCs (hashes, filenames, network indicators) are not provided in the context summary snippet; they would be detailed in the full article.)*
- File Hashes: [Not detailed in context]
- File Names: [Not detailed in context]
- Registry Keys: [Not detailed in context]
- Network Indicators: [Not detailed in context; C2 details would be present in the full article]
- Behavioral Indicators: Attempts to read sensitive files, network connections to obscure IPs/domains for data exfiltration, injection into legitimate processes.
## Associated Threat Actors
- Various cybercriminal groups use FormBook because it is readily available and effective in both targeted and broad phishing campaigns (specific actors are not named in the snippet).
## Detection Methods
- Signature-based detection for known FormBook binaries/mutations.
- Behavioral detection focusing on API calls related to credential access (e.g., reading credential stores, hooking input functions).
- YARA rules targeting unique strings or structure within the malware payload.
## Mitigation Strategies
- User education on recognizing and avoiding phishing attempts (the primary delivery mechanism).
- Implementing robust email filtering to block malicious attachments or links.
- Application control to prevent unauthorized executable execution.
- Monitoring outbound network traffic for unexplained large data transfers to suspicious remote hosts.
## Related Tools/Techniques
- Other established infostealers such as Vidar, Agent Tesla, and RedLine Stealer.
- Phishing frameworks used for initial access.