
Severity
Medium
Analysis Summary
FormBook is an infostealer malware family first identified in 2016. It logs keystrokes, locates and reads files, takes screenshots, harvests saved passwords from web browsers, drops files, and downloads and executes additional, stealthier malware on instruction from its command-and-control (C2) server.
FormBook is known for its versatility: it can be customized to target specific systems or applications, and it is built to evade security software through code obfuscation and encryption.
It disguises its original payload and injects itself into legitimate processes to evade detection and complicate removal. The cybercriminals behind FormBook email campaigns have used a variety of lures to deliver it, including PDFs, Office documents, and ZIP and RAR archives. The malware was used by threat actors against Ukrainian targets in 2022 during the conflict between Russia and Ukraine. The malware known as XLoader is currently believed to be FormBook's successor.
To protect against FormBook and other malware, keep software up to date, use strong passwords, and be cautious when downloading software or opening email attachments. Antivirus and anti-malware software can also help detect and remove FormBook infections.
Impact
- Credential Theft
- Data Theft
- Keystroke Logging
Indicators of Compromise
MD5
3dc44c60e24e85b291de3302c1441941
c525fc92fe169a540fb7e55f2332004b
f37ddc76c4a7d9af147ada74837600b8
47ef1a2a23b9c3eb97fd33fca5d1de5c
SHA-256
a423eb9280e135ccc75f493b7bcbda41bdc49ecdb58741c0fada0ef482c40989
86e6d08925f5b61ce014c43af3e247df1ae6bff68d3fdb01187000c82fb5e916
d84cb707c6d77716cac7466159ed05070475bf344d18716c2daa50e7b7dcc43a
c4587576aaa70addc45c127d1ba4007635887f34dbfd6be08dcf06dbe7ec42e1
SHA-1
748f48b584ae1adea2d13df0c3bf333e1f09887e
934e90c5a23a67d554e9b52bafa6292ff2a65fb9
02e1ebe3c02d4bc6c2aa1adbd9fe8c70e3ed6d07
efc9b6d9b0114efefc4756f2d1ce514b9bbaabde
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable two-factor authentication (2FA) on your accounts. It adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly back up your important data so that you do not lose critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Make sure all of your software, including your operating system and applications, is up to date with the latest security patches. This closes vulnerabilities that malware could otherwise exploit.
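The "search for indicators of compromise in your environment" step above can be carried out directly against the hash indicators listed in this advisory. The script below is an added example, not tooling from the advisory's publisher: it buckets the MD5, SHA-1 and SHA-256 indicators by digest length, hashes every regular file under a directory tree in one streaming pass, and reports any file whose digest matches. The hash set is copied from the Indicators of Compromise section; the directory to sweep is a command-line argument and is the only assumption the script makes about your environment.

```python
"""IOC hash sweep: flag files whose MD5, SHA-1 or SHA-256 digest matches a known-bad set."""
import hashlib
import os
from typing import Dict, Iterable, List, Set, Tuple

# The hash indicators from the advisory above (MD5, SHA-256 and SHA-1), lower-cased.
FORMBOOK_IOC_HASHES: Set[str] = {
    "3dc44c60e24e85b291de3302c1441941",
    "c525fc92fe169a540fb7e55f2332004b",
    "f37ddc76c4a7d9af147ada74837600b8",
    "47ef1a2a23b9c3eb97fd33fca5d1de5c",
    "a423eb9280e135ccc75f493b7bcbda41bdc49ecdb58741c0fada0ef482c40989",
    "86e6d08925f5b61ce014c43af3e247df1ae6bff68d3fdb01187000c82fb5e916",
    "d84cb707c6d77716cac7466159ed05070475bf344d18716c2daa50e7b7dcc43a",
    "c4587576aaa70addc45c127d1ba4007635887f34dbfd6be08dcf06dbe7ec42e1",
    "748f48b584ae1adea2d13df0c3bf333e1f09887e",
    "934e90c5a23a67d554e9b52bafa6292ff2a65fb9",
    "02e1ebe3c02d4bc6c2aa1adbd9fe8c70e3ed6d07",
    "efc9b6d9b0114efefc4756f2d1ce514b9bbaabde",
}

# The hex length of a digest identifies the algorithm the indicator refers to.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_iocs(raw: Iterable[str]) -> Dict[str, Set[str]]:
    """Bucket indicator strings by algorithm, dropping anything that is not a valid hex digest."""
    buckets: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set()}
    for value in raw:
        digest = value.strip().lower()
        algo = _ALGO_BY_LEN.get(len(digest))
        if algo is None:
            continue  # wrong length for any supported algorithm
        try:
            int(digest, 16)
        except ValueError:
            continue  # not hexadecimal, e.g. a domain or a URL pasted into the list
        buckets[algo].add(digest)
    return buckets


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 in a single streaming pass so large files need not fit in memory."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep(root: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Walk root and return (path, algorithm, digest) for every regular file matching an indicator.

    Symlinks are skipped so a link pointing outside root is not followed, and files that cannot be
    read (permission denied, deleted between listing and open) are skipped rather than aborting the sweep.
    """
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for algo, digest in digests.items():
                if digest in iocs[algo]:
                    hits.append((path, algo, digest))
    return hits


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit_path, hit_algo, hit_digest in sweep(target, normalize_iocs(FORMBOOK_IOC_HASHES)):
        print(f"MATCH {hit_algo} {hit_digest} {hit_path}")
```

Run it as `python sweep.py /path/to/scan` on a host or a mounted disk image. Keep in mind that hash indicators are exact-match: a repacked or re-obfuscated FormBook sample will not hit, so treat a clean sweep as "these specific samples are absent", not as proof the host is clean, and pair it with the behavioural signs described in the summary (process injection into legitimate processes, unexpected outbound C2 traffic).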