Deep Instinct Warns that FormBook Malware has Reemerged and Is Targeting the Hospitality Industry
The cybersecurity company Deep Instinct said in a recent blog post that it has detected a substantial resurgence of FormBook. FormBook is an info-stealer malware which first appeared as early as 2016. FormBook is currently attacking retail and hospitality businesses in the United States. Additional threat intelligence indicates attacks are not limited to the U.S.A.
How does it work? FormBook uses Rich Text Format (RTF) documents, leveraging recent Word vulnerabilities as droppers. These are often missed by typical security solutions. FormBook’s infection chain starts with a phishing e-mail containing a malicious attachment, which is usually an Office document or a PDF file. Once this payload is dropped and executed, it will copy itself to and then proceed to scan the system for stored passwords in browsers and various other applications and send the stolen information back. It will also take a screenshot of the victim’s desktop, along with monitoring all browsers for user-typed passwords and will grab and steal those as well. It will also act as a key logger and maintain a log of the user’s keystrokes.
Deep Instinct discovered it’s using a new file hosting service called DropMyBin used to spread malware. It was registered very recently, just within the last few days, and is already being discussed and shared in underground hacking forums as a recommended service for hosting and serving malware. Deep Instinct says it strongly suggests employing a zero-trust policy with respect to the service DropMyBin until other information becomes available.