New FormBook Variant Targets Users in the Wild

April 16, 2021 · 3 min read

Security researchers from FortiGuard Labs have uncovered a new FormBook variant being delivered in a massive phishing campaign. Particularly, adversaries target users with malware-laced Microsoft PowerPoint documents disguised as a follow-up to the recent purchase order. Those who fell for the bait of scammers got their devices infected with a notorious data-stealing malware. 

New FormBook Phishing

The infection starts with a phishing email masquerading as a reply to the recent request for a purchase order. The fake message prompts victims to open an attached PowerPoint document allegedly containing additional brochures and price details. Notably, the file is delivered with a .pps extension, which pushes PowerPoint software to open it in a slide view instead of the traditional edit mode predefined by the .ppt file extension. 

In case a user was tricked to open the malicious file and search through the batch of slides, a VBA script executes in the background to run a Macro function. This, in turn, triggers the PowerShell code aimed at loading a dedicated .Net file. This file is further transferred through three highly obfuscated and encrypted .Net modules, the last of which downloads the final FormBook payload. 

Malware Overview

FormBook is an infamous data-stealing and form-grabber malware that has been active since at least 2016. It is actively sold on the underground forums as “malware-as-a-service,” so anybody can buy a subscription to launch a malicious campaign. Particularly, the malware is offered as a PHP control panel, with broad customization options for settings and features.

Formbook usually relies on malspam for distribution and leverages malicious attachments to drop its payload. Upon infection, the malware is able to perform a vast array of functions, including credentials dumping, screenshots capturing, clipboard monitoring, keystrokes logging, clearing browser cookies, downloading and executing files, rebooting and shutting down the system, and more.

Since its emergence, FormBook has been involved in several loud malicious campaigns, including the attack against US and South Korea aerospace, defense, and manufacturing industries in 2017, the campaign against US and Middle East information services and financial sectors in 2018, and COVID-19 phishing campaign in 2020.

New FormBook Variant Detection

Proactively defend from a new FormBook variant phishing with a community Sigma rule from our keen Threat Bounty developer Osman Demir 

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio, FireEye Helix

EDR: Carbon Black, Sentinel One, Microsoft Defender ATP


Tactics: Execution, Initial Access

Techniques: Command-Line Interface (T1059), Spearphishing Attachment (T1566)

You can also check the full list of FormBook detections already available in Threat Detection Marketplace. Stay tuned to our blog for further updates!

Subscribe to Threat Detection Marketplace for free and boost your cyber defense capabilities with 100K+ detection and response rules, parsers, search queries, and other SOC content mapped to CVE and MITRE ATT&CK® frameworks. Keeping a close eye on the latest cybersecurity trends and want to participate in threat hunting activities? Join our Threat Bounty Program!

Go to Platform Join Threat Bounty

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts