Form-grabber malware are nowadays quite common. They provide simple yet effective methods for stealing infected users’ credentials. They are named thereby since they target HTML forms’ submissions, made by web-browsers. Sometimes, they also provide classical password stealer capabilities such as key-logging, or modules designed to take screenshots. Also, they can embed code for harvesting users applications’ passwords, stored on the file-system.
Formbook is a ‘ready-to-use’ form-grabber malware, sold illegally on hacking forums. Thus, it can be used by cyber-criminals who don’t necessary own skills in malware development, although it can still be used by more advanced actors. It comes with a PHP web-application, used to implement the C&C server. It also offers a panel, used to graphically manage infected computers, and visualize stolen data.
In order to evade anti-viruses detection, to detect automated malware analysis environments or to complicate its reverse-engineering, Formbook implements many tricks. It also uses interesting code injection techniques, based on APC injection and thread hijacking, to perform actions like process-creation, from within the context of legitimate windows processes such as explorer. Its ability to migrate from a 32-bit process, running in wow64 compatibility mode, to a native 64-bit process also makes it worth looking at.