FormBook is an information-stealer malware that has been active since 2016. Its capabilities include stealing credentials, capturing screenshots of the victim's desktop, monitoring the clipboard, logging keystrokes, clearing browser cookies, downloading and executing files, updating and removing bots, launching commands via ShellExecute, downloading and unpacking ZIP archives, and rebooting or shutting down the system. The attackers behind these email campaigns used a variety of distribution techniques to deliver the FormBook info-stealer, including PDF, Office document, ZIP, RAR, ACE and ICO attachments, as well as shortened URLs.
The lure for this particular infection was a malicious Excel spreadsheet. The initial infection happened immediately after macros were enabled. Post-infection traffic was sent to several different domains using recognisable URL patterns. Data stolen by FormBook included a screenshot of the infected lab host, along with keystroke logs, application passwords, sensitive data from the browser cache, and the contents of the clipboard. This data is temporarily stored in a randomly-named folder under the infected user's AppData\Roaming directory. These artifacts are deleted after the data is exfiltrated through FormBook command and control (C2) traffic.