Formbook - How to Detect

Last updated: 2026-04-01

Formbook Malware Detection Guide

Behavioral Indicators

Formbook exhibits several distinct runtime behaviors that can be detected through process monitoring and API call analysis. Upon execution, the malware typically injects its payload into legitimate processes to evade detection. Common injection targets include explorer.exe, svchost.exe, and browser processes like chrome.exe or firefox.exe. Monitor for process hollowing where a legitimate process is spawned in a suspended state, its memory is unmapped, and malicious code is written into its address space before resuming execution.

The malware performs extensive credential harvesting through API calls to access browser password databases, email client credentials, and FTP client configurations. Look for processes making unusual calls to CryptUnprotectData, CredEnumerate, and InternetQueryOption APIs. Formbook also captures clipboard data by frequently calling GetClipboardData and monitors keyboard input through low-level keyboard hooks via SetWindowsHookEx.

Formbook scans for specific file types including documents, spreadsheets, and images for exfiltration. It enumerates directories and uses file search patterns like *.pdf, *.doc*, *.xls*, and *.jpg. The malware also attempts to disable security software by stopping services and terminating processes associated with antivirus and endpoint protection products.
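Added example, not part of the original guide: the hollowing sequence described above expressed as a per-process state machine over a constructed API trace. The trace format, pids and image names are invented for the example.

```python
# Constructed API-trace lines, not real telemetry: "<caller_pid> <api> key=value ...".
# Caller 4120 performs the hollowing chain from the text; caller 7788 is a benign
# CreateProcess (not suspended) followed by a WriteProcessMemory.
SAMPLE_TRACE = """\
4120 CreateProcessW image=C:\\Windows\\explorer.exe flags=0x4 target_pid=5532
4120 NtUnmapViewOfSection target_pid=5532
4120 VirtualAllocEx target_pid=5532 size=0x2a000
4120 WriteProcessMemory target_pid=5532 size=0x2a000
4120 SetThreadContext target_pid=5532
4120 ResumeThread target_pid=5532
7788 CreateProcessW image=C:\\Windows\\notepad.exe flags=0x0 target_pid=7790
7788 WriteProcessMemory target_pid=7790 size=0x40
"""

CREATE_SUSPENDED = 0x4  # dwCreationFlags bit checked on CreateProcess*

# Stages that must follow a suspended start, in order, for one (caller, target) pair.
# Calls in between (VirtualAllocEx, SetThreadContext) do not advance or reset the chain.
HOLLOW_CHAIN = ("NtUnmapViewOfSection", "WriteProcessMemory", "ResumeThread")

def parse_event(line):
    parts = line.split()
    kv = dict(p.split("=", 1) for p in parts[2:])
    return int(parts[0]), parts[1], kv

def detect_hollowing(trace):
    """Return (caller_pid, target_pid, image) for every target that completes the chain."""
    stage = {}   # (caller, target) -> index of the next expected chain API
    image = {}
    hits = []
    for line in trace.strip().splitlines():
        pid, api, kv = parse_event(line)
        key = (pid, int(kv.get("target_pid", -1)))
        if api.startswith("CreateProcess"):
            # Only a suspended start opens a candidate chain.
            if int(kv.get("flags", "0"), 16) & CREATE_SUSPENDED:
                stage[key] = 0
                image[key] = kv.get("image", "?")
        elif key in stage and stage[key] < len(HOLLOW_CHAIN) and api == HOLLOW_CHAIN[stage[key]]:
            stage[key] += 1
            if stage[key] == len(HOLLOW_CHAIN):
                hits.append((pid, key[1], image[key]))
    return hits

if __name__ == "__main__":
    for caller, target, img in detect_hollowing(SAMPLE_TRACE):
        print(f"possible process hollowing: pid {caller} -> pid {target} ({img})")
```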

Network Indicators

Formbook communicates with command and control (C2) servers using HTTP/HTTPS protocols with distinctive patterns. The malware typically sends initial beaconing requests containing system information encoded in the URL parameters or POST data. Beacon intervals often follow a pseudo-random pattern between 30 seconds and 5 minutes to avoid simple timing-based detection.

DNS queries often resolve to newly registered domains with algorithmically generated names or domains using free dynamic DNS services. Look for queries to domains with random alphanumeric subdomains or domains that follow patterns like [a-z0-9]{8,12}\.(tk|ml|ga|cf|gq).

Exfiltration occurs through HTTP POST requests with data encoded using Base64, XOR, or custom encryption. The User-Agent strings in Formbook communications often mimic legitimate browsers but may contain subtle anomalies or outdated versions. SSL/TLS certificates used by C2 servers frequently show signs of being self-signed or issued by non-trusted certificate authorities.

Data exfiltration signatures include large outbound HTTP POST requests containing structured data with system information, followed by smaller periodic status updates. The malware may use image steganography for data exfiltration by embedding stolen information within seemingly normal image files uploaded to compromised websites.
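Added example, not from the original guide: the domain pattern and the 30-second to 5-minute jittered beacon profile described above applied to a constructed proxy log. Hosts, client addresses and timestamps are invented.

```python
import re
from datetime import datetime

# Domain shape quoted in the text: 8-12 alphanumerics directly under a free TLD.
DGA_LIKE = re.compile(r"^[a-z0-9]{8,12}\.(tk|ml|ga|cf|gq)$")

# Beacon window from the text: 30 seconds to 5 minutes, pseudo-randomly spaced.
MIN_GAP, MAX_GAP = 30, 300

# Constructed proxy log, not real traffic: "<ISO time> <client> <method> <host> <bytes_out>".
# Client 10.0.0.7 shows one large POST followed by small, jittered check-ins;
# client 10.0.0.9 posts on a fixed 10-second timer to a normal host.
SAMPLE_LOG = """\
2026-04-01T10:00:00 10.0.0.7 POST k3j9x2m4q7.tk 18432
2026-04-01T10:01:12 10.0.0.7 POST k3j9x2m4q7.tk 212
2026-04-01T10:03:57 10.0.0.7 POST k3j9x2m4q7.tk 198
2026-04-01T10:05:02 10.0.0.7 POST k3j9x2m4q7.tk 205
2026-04-01T10:08:40 10.0.0.7 POST k3j9x2m4q7.tk 201
2026-04-01T10:00:05 10.0.0.9 GET www.example.com 0
2026-04-01T10:00:10 10.0.0.9 POST api.example.com 512
2026-04-01T10:00:20 10.0.0.9 POST api.example.com 512
2026-04-01T10:00:30 10.0.0.9 POST api.example.com 512
2026-04-01T10:00:40 10.0.0.9 POST api.example.com 512
"""

def parse(log):
    rows = []
    for line in log.strip().splitlines():
        ts, client, method, host, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), client, method, host, int(nbytes)))
    return rows

def suspicious_domains(log):
    return sorted({host for _, _, _, host, _ in parse(log) if DGA_LIKE.match(host)})

def beaconing_pairs(log, min_intervals=3):
    """Return (client, host, gaps, first_bytes, later_max) for POST cadences that fit the profile:
    every gap inside the 30-300 s window and gaps not all identical (a fixed timer looks different)."""
    posts = {}
    for ts, client, method, host, nbytes in parse(log):
        if method == "POST":
            posts.setdefault((client, host), []).append((ts, nbytes))
    hits = []
    for (client, host), events in posts.items():
        events.sort()
        gaps = [int((b[0] - a[0]).total_seconds()) for a, b in zip(events, events[1:])]
        if len(gaps) >= min_intervals and all(MIN_GAP <= g <= MAX_GAP for g in gaps) and len(set(gaps)) > 1:
            hits.append((client, host, gaps, events[0][1], max(n for _, n in events[1:])))
    return hits
```

The first_bytes / later_max pair exposes the "large initial POST followed by smaller status updates" shape mentioned above, so a caller can rank hits by that ratio.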

File System Artifacts

Formbook drops multiple files in various locations to establish persistence and facilitate data collection. Initial droppers are often named with benign-sounding titles like document.pdf.exe or invoice.scr to trick users into execution. The malware creates copies of itself in temporary directories with random names following patterns like %TEMP%\[a-z0-9]{8}.exe or %APPDATA%\[RandomFolderName]\svchost.exe.

Formbook creates configuration and data files in application data folders, typically under %APPDATA%, %LOCALAPPDATA%, or %PROGRAMDATA%. Look for directories with names like Microsoft, Windows, or System32 created in non-standard locations. The malware may create log files containing harvested credentials and system information, often with extensions like .tmp, .dat, or .log.

Temporary files created during execution include decrypted payloads and configuration data. These are often stored in %TEMP% with names like ~tmp[0-9]{4}.tmp or similar patterns. Formbook may also drop DLL files in system directories or alongside executable files for side-loading attacks.

Registry and Persistence Mechanisms

Formbook employs multiple persistence mechanisms to survive system reboots. Common registry modifications include creating Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run. The malware often uses legitimate-looking names for these entries, such as Windows Update, SecurityHealth, or OneDrive.

The malware creates scheduled tasks through the Windows Task Scheduler with triggers set for system startup, user login, or specific time intervals. Task names often mimic legitimate system tasks and may include references to updates, maintenance, or security scanning. Look for tasks with high privileges (SYSTEM level) that execute from user-writable locations.

Formbook may establish persistence through browser extensions or Office add-ins by modifying registry keys related to browser helper objects or Office trusted locations. The malware sometimes uses file association hijacking by modifying keys under HKCR\[filetype]\shell\open\command to execute malicious code when specific file types are opened.

Service creation is less common but may occur in some variants, with services named to resemble legitimate Windows services. These services typically have descriptions copied from real services but execute from non-standard paths.
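Added example, not from the original guide, covering the drop-location patterns from File System Artifacts together with the Run-key guidance above: it triages constructed Run-key entries for decoy value names, user-writable launch paths and the named drop patterns. The profile path, value names and command lines are made up.

```python
import re

# Decoy value names the text lists for Run-key entries (compared case-insensitively).
DECOY_NAMES = {"windows update", "securityhealth", "onedrive"}

# Drop-location patterns from the File System Artifacts section, applied to expanded paths.
# Windows paths are case-insensitive, hence re.I.
DROP_PATTERNS = {
    "random 8-char exe in Temp": re.compile(r"\\Temp\\[a-z0-9]{8}\.exe$", re.I),
    "svchost.exe under AppData\\Roaming": re.compile(r"\\AppData\\Roaming\\[^\\]+\\svchost\.exe$", re.I),
    "~tmpNNNN.tmp in Temp": re.compile(r"\\Temp\\~tmp[0-9]{4}\.tmp$", re.I),
}

# Locations a standard user can write to; a Run entry launching from here is the signal called out above.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)

# Constructed Run-key entries (value name, command line); the profile 'bob' and folder names are invented.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r'"%APPDATA%\Wnyq8\svchost.exe"'),
    ("Windows Update", r"C:\Users\bob\AppData\Local\Temp\a8k2x9qz.exe"),
]

def expand(path, profile=r"C:\Users\bob"):
    """Expand the %VAR% forms used in the text to the folders they map to for one profile."""
    return (path.replace("%TEMP%", profile + r"\AppData\Local\Temp")
                .replace("%APPDATA%", profile + r"\AppData\Roaming")
                .replace("%LOCALAPPDATA%", profile + r"\AppData\Local")
                .replace("%PROGRAMDATA%", r"C:\ProgramData"))

def exe_path(command):
    """Strip surrounding quotes and trailing arguments from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]

def match_drop_patterns(path):
    full = expand(path)
    return [label for label, pat in DROP_PATTERNS.items() if pat.search(full)]

def triage_run_entry(name, command):
    """Return (suspicious, reasons). A decoy name alone is only supporting evidence;
    a user-writable launch path or a matching drop pattern makes the entry suspicious."""
    path = expand(exe_path(command))
    decoy = name.lower() in DECOY_NAMES
    reasons = ["value name mimics a legitimate component"] if decoy else []
    if USER_WRITABLE.search(path):
        reasons.append("executes from a user-writable location")
    reasons += ["matches drop pattern: " + lbl for lbl in match_drop_patterns(path)]
    return len(reasons) > int(decoy), reasons
```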

YARA Rule Guidance

When creating YARA rules for Formbook detection, focus on both string-based and structural characteristics. Formbook samples often contain specific API function names used for injection and credential harvesting, including VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, and CryptUnprotectData. Look for these strings in both plaintext and obfuscated forms.

The malware frequently uses custom encoding routines with hardcoded XOR keys. Search for sequences of XOR operations with immediate values, particularly in the range 0x00 to 0xFF. Formbook often contains configuration data structures with field delimiters like pipe characters (|) or custom markers.

String obfuscation techniques include simple character substitution, Base64 encoding, and XOR encryption with single-byte keys. Look for loops that perform byte-by-byte transformation of strings followed by API calls. Formbook samples may contain references to specific file paths where it stores stolen data, including patterns like \AppData\Roaming\ followed by folder names.

PE structure characteristics include typical packer signatures, with many samples showing section names like .text, .data, and .rsrc but with unusual section sizes or entropy values. The import table often contains a limited set of API functions focused on process manipulation, network communication, and file operations.
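Added example, not from the original guide: a Python search for the API names listed above both in plaintext and under every single-byte XOR key, plus a section entropy measure, run over a constructed byte blob (the 0x5A key, offsets and filler bytes are invented). YARA's xor string modifier performs the same obfuscated-string search natively inside a rule.

```python
import math

# API names the text lists as typical of Formbook injection and credential-theft code.
API_NAMES = [b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread", b"CryptUnprotectData"]

def xor_bytes(data, key):
    return bytes(b ^ key for b in data)

# Constructed sample "section", not a real Formbook binary: one plaintext API name at offset 16,
# one encoded with single-byte XOR key 0x5A at offset 42, surrounded by filler bytes.
SAMPLE_SECTION = (b"\x00" * 16 + b"CryptUnprotectData" + b"\x90" * 8
                  + xor_bytes(b"WriteProcessMemory", 0x5A) + b"\x00" * 16)

def find_api_strings(blob, names=API_NAMES):
    """Return (name, key, offset) for each API name present in plaintext (key 0)
    or under any single-byte XOR key, ordered by offset."""
    hits = []
    for name in names:
        for key in range(256):
            off = blob.find(xor_bytes(name, key))
            if off != -1:
                hits.append((name.decode(), key, off))
    return sorted(hits, key=lambda h: h[2])

def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; packed or encrypted sections tend toward 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

if __name__ == "__main__":
    for name, key, off in find_api_strings(SAMPLE_SECTION):
        print(f"{name} at offset {off} (xor key 0x{key:02x})")
    print(f"section entropy: {shannon_entropy(SAMPLE_SECTION):.2f} bits/byte")
```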

For current samples and indicators of compromise, refer to: