Inside Formbook infostealer

Friday 5 October 14:00 - 14:30, Small talks

Gabriela Nicolao (Deloitte)



Formbook is an infostealer that has been advertised for sale on public hacking forums since February 2016 by a user with the handle 'ng-Coder'. It is more capable than a keylogger: it captures authorization and login credentials from a web form inside the browser, before the data is passed to the TLS layer and sent to the server, so HTTPS offers no protection, and it captures the values even if the victim fills in the form with a virtual keyboard, auto-fill, or copy and paste. The author of Formbook describes it as 'browser-logger software', a.k.a. form-grabbing software. Formbook comes with a PHP panel in which buyers can track their victims' information, including screenshots, keylogged data and stolen credentials. Hosting and domain services are provided at low prices, and a compiled binary ('bin') is supplied to buyers of the Pro version.

Formbook was used in a spam campaign in late 2017 targeting the aerospace, defence contractor and manufacturing sectors in South Korea and the USA. The malware implements hiding, persistence, anti-analysis, self-deletion and process termination mechanisms, and supports several commands that it can receive from its C&C (command and control) server. The 'ng-Coder' user states that Formbook should not be used for malicious purposes and, after the spam campaigns became public, suspended sales until further notice. According to 'ng-Coder', Formbook should only be used to monitor family members or employees where the user has the explicit right to do so. However, this claim is dubious given how few remotely legitimate uses such software has.


Gabriela Nicolao

Gabriela has a degree in information systems engineering from the Universidad Tecnológica Nacional (UTN) and a postgraduate specialization in cryptography and teleinformatics security from the Escuela Superior Técnica of the Facultad del Ejercito in Argentina. She works at Deloitte in the threat intelligence and analytics area, where her tasks include malware analysis, network traffic analysis, incident response and indicators of compromise (IoC) hunting. She has five years of experience in the security field and also teaches at UTN.

@rove4ever

