VB2018 paper: Inside Formbook infostealer

Gabriela Nicolao

Deloitte, Argentina

Copyright © 2018 Virus Bulletin



Formbook [1] is an infostealer that has been advertised for sale in public hacking forums since February 2016 by a user with the handle 'ng-Coder'. It is more advanced than a keylogger as it can retrieve authorization and login credentials from a web data form before the information reaches a secure server, bypassing HTTPS encryption. Formbook is effective even if the victims use a virtual keyboard, auto-fill, or if they copy and paste information to fill the form. The author of Formbook affirms that it is 'browser-logger software', a.k.a. form-grabbing software. Formbook offers a PHP panel, where the buyers can track their victims' information, including screenshots, keylogged data, and stolen credentials. Hosting and domain services are provided for low prices with a bin only available in the Pro version.

Formbook was used in a spam campaign in late 2017, targeting the aerospace, defence contractor and manufacturing sectors in South Korea and the USA. It includes hiding, persistence, anti-analysis, deletion and termination mechanisms along with several commands that the C&C (command-and-control) server can receive. The 'ng-Coder' user indicated that Formbook should not be used for malicious purposes and blocked sales until further notice after the spam campaigns became known. According to 'ng-Coder', Formbook should only be used to spy on family members or employees if the user has the explicit right to do so. However, this claim is dubious given the barely legitimate nature of the use of such software.


About formgrabbers

Formgrabbers intercept HTTP(S) data and use inline hooking to redirect the function to one within the formgrabber before transferring the execution flow back to the HTTP function to complete the request. This technique allows formgrabbers to capture a user's information before the user submits it over the Internet to a secure server. While keyloggers focus mainly on capturing the user's input, formgrabbers collect pasted information and/or information selected via a drop-down option, which makes them more efficient than keyloggers.

A formgrabber injects a DLL (Dynamic Link Library) into a browser and monitors for calls to the HttpSendRequest API within WININET.DLL in order to intercept the data before encryption and send all requests to its own code, prior to sending the data onwards. Andromeda (aka Gamarue), Tinba and Weyland‑Yutani BOT are some malware families that use this technique.


Formbook background

Prior to advertising it for sale, a user with the handle 'ng-Coder' offered Formbook for free in public hacking forums so that other users could review it.

Formbook-fig1.jpgFigure 1: First mention of Formbook in a forum.

Soon after the free version was released, the user 'ng-Coder' advertised Formbook for sale at an initial price of 250 USD. However, the author reduced the price to 120 USD in early March 2016 after receiving several complaints about the price from forum members. The current pricing list and payment methods offered in the forum are displayed in Figure 2.

Formbook-fig2.pngFigure 2: Pricing list and payment methods for Formbook.



According to the user 'ng-Coder', Formbook boasts the following features:

  • Coded in ASM/C (x86_x64)
  • Startup (hidden)
  • Full PE-injection (no DLL/no drop/both x86 and x64)
  • Ring3 kit
  • Bin is Balloon Executable (MPIE + MEE)
  • Doesn't use suspicious Windows APIs
  • No blind hook, all hooks are thread safe including the x64, so crash is unlikely
  • All communications with the panel are encrypted
  • Install manager
  • File browsing (FB Connect)
  • Full Unicode support.


Control panel

Formbook works as a botnet, infecting victims that are shown in a web panel in order to manage the information that is retrieved from them. Figure 3 shows the web panel.

Formbook-fig3.jpgFigure 3: Formbook web panel.

Each bot can receive the following commands from the C&C server:

  • Download and execute
  • Update
  • Uninstall
  • Visit URL
  • Clear cookies
  • Restart system
  • Shut down system
  • Force upload keystroke
  • Take screenshot
  • FB Connect (file browsing)
  • Download and execute from FB Connect
  • Update bin from FB Connect



Formbook was used in spam campaigns targeting the aerospace, defence contractor and manufacturing sectors within the US and South Korea in 2017 [2]. It was distributed via PDFs with embedded links, DOC and XLS files with malicious macros, and compressed files containing the executable.

It was also observed in 2018, distributed via emails with DOCX files that contained a URL [3]. This URL downloaded an RTF file that exploits CVE-2017-8570 and drops an executable. This executable downloads the Formbook sample.



The analysed sample is a RAR self-extracting archive (SFX) that contains several files, as shown in Figure 4.

Formbook-fig4.jpgFigure 4: SFX file.

The description to the right of the files shows the following strings:

  • Path=%LocalAppData%\temp\cne
  • Silent=1
  • Update=UcE1U8
  • Setup=axo.exe pwm-axa

Files with a size below 1K contain a few strings that are probably used during decompression.

After executing the SFX file, Formbook extracts the files in %LocalAppData%\temp\cne using CreateDirectoryW. It then deletes the SFX file. Figure 5 shows the file extraction.

Formbook-fig5.pngFigure 5: File extraction.

The axo.exe file is an AutoIt script that is executed with the pwm-axa file as a parameter. Figure 6 shows the properties of the axo.exe file.

Formbook-fig6.pngFigure 6: Properties of the axo.exe AutoIt executable.

The script decrypts Formbook and loads it in memory. In order to do this, it creates a file with a random name that contains Formbook's functionality and deletes it soon after loading it in memory. This file contains 44 functions with obfuscated names. The sni.mp3 file includes interesting strings that were used during the execution, as shown in Figure 7.

formbook-fig7.pngFigure 7: Interesting strings found in the sni.mp3 file.

The script contains the following features:


1. Hiding mechanism

The script changes the cne folder attributes to hide its content by executing the command FileSetAttrib($cne_Folder_Path, "+H").


2. Persistence mechanism

In order to remain persistent, it modifies the Run registry key with a new key named WindowsUpdate that instructs the execution of axo.exe along with pwm-axa:

If IsAdmin() Then
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", $WindowsUpdate, "REG_SZ", $cne_Folder_Path & "\" & $axo.exe & " " & FileGetShortName(FileGetShortName($cne_Folder_Path & "\" & $pwm-axa)))
RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", $WindowsUpdate, "REG_SZ", $cne_Folder_Path & "\" & $axo.exe & " " & FileGetShortName($cne_Folder_Path & "\" & $pwm-axa))
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Run", $WindowsUpdate, "REG_SZ", $cne_Folder_Path & "\" & $axo.exe & " " & FileGetShortName($cne_Folder_Path & "\" & $pwm-axa))

Formbook-fig8.jpgFigure 8: Persistence mechanism.


3. Protection disabling and anti-analysis

The script tries to modify the following registry keys:

  • RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
  • RegDelete("HKLM64\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients")
  • RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")

And it:

  • Disables Task Manager
  • Turns off the system protection
  • Disables UAC (User Account Controls)

Formbook will terminate if it finds VMware or VirtualBox processes running in the victim's system and if the 'D' drive has space of less than 1MB:

  • VMwaretray.exe
  • Vbox.exe
  • VMwareUser.exe
  • VMwareService.exe
  • VboxService.exe
  • vpcmap.exe
  • VBoxTray.exe
  • If DriveSpaceFree ("d:\") <1 And ProcessExists ([VMWare or VBox]) then Exit


4. Check default browser

The script will check the HKCR\http\shell\open\command registry key to know which Internet browser the victim's machine uses by default.


5. Formbook deletion and termination

Formbook will look for the svshost.exe process and terminate if it finds more than two svshost.exe processes running, as shown in Figure 9.

Formbook-fig9.pngFigure 9: Termination.



Despite Formbook infostealer having been around for a couple of years now, it only came to public attention after it was extensively used in spam campaigns in late 2017. The fact that Formbook wasn't noticed before is probably because its developers didn't release the builder to the public, so it was easy for them to track its activities and turn it off if they found that it was being used for purposes for which it was not intended or if it was gaining too much attention from the security community. Despite not being broadly used, Formbook represents a real threat, due to it being stealthier and more powerful than keyloggers.

Similar to the Agent Tesla remote access trojan (RAT), the author of Formbook initially offered a beta version of the product free of charge in order to receive feedback and make improvements.

The 'ng-Coder' user indicates that Formbook should not be used for malicious purposes, and after the spam campaigns were made public, he blocked Formbook's sales until further notice. According to 'ng-Coder', Formbook should only be used to spy on family members or employees if the user has the explicit right to do so. However, this claim itself is dubious given the barely legitimate nature of the use of such software.



The SHA256 hash of the SFX file that was analysed is: 2f74f8518bd14a882a870f3794a76dba381b59c1e40247a2483468959b572d82.



[1] Schwarz, D. The Formidable FormBook Form Grabber. Arbor Networks, 20 September 2017. https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/.

[2] Villeneuve, N.; Eitzman, R.; Nemes S.; Dean, T. Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. FireEye, 5 October 2017. https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html.

[3] Urgent server alert malspam delivers formbook trojan via CVE-2017-8570 word doc. My Online Security, 16 February 2018. https://myonlinesecurity.co.uk/urgent-server-alert-malspam-delivers-formbook-trojan-via-cve-2017-8570-word-doc.

Download PDF



Latest articles:

Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

Aditya Sood & Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited to compromise the C&C panel in order to gather threat intelligence, and present a model of mobile AppInjects.

Cryptojacking on the fly: TeamTNT using NVIDIA drivers to mine cryptocurrency

TeamTNT is known for attacking insecure and vulnerable Kubernetes deployments in order to infiltrate organizations’ dedicated environments and transform them into attack launchpads. In this article Aditya Sood presents a new module introduced by…

Collector-stealer: a Russian origin credential and information extractor

Collector-stealer, a piece of malware of Russian origin, is heavily used on the Internet to exfiltrate sensitive data from end-user systems and store it in its C&C panels. In this article, researchers Aditya K Sood and Rohit Chaturvedi present a 360…

Fighting Fire with Fire

In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly…

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…

Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.