FormBook is an information stealing trojan which gathers passwords from various applications such as web browsers and email clients. It might also steal additional information by logging keystrokes.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
Upon launch, FormBook launches regsvcs.exe and creates a new process. FormBook then injects malicious code into the new process. FormBook has also been observed launching and injecting malicious code into the following processes:
ipconfig.exe
cscript.exe
chkdsk.exe
wlanext.exe
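The processes listed above are legitimate Windows binaries, so their mere presence is not an indicator; what stands out is who starts them. The following detection logic is an added example, not code from the Microsoft write-up: it reads constructed Sysmon-style process-creation records and flags any of the listed injection targets when the parent process runs from a user-writable location or is an Office application. That "suspicious parent" heuristic, the field names, and the sample events are assumptions for illustration, not documented FormBook indicators.

```python
"""Flag process-creation events where a process FormBook is known to launch and
inject into is started by an unusual parent.

Added example (not from the Microsoft page): the event format mimics Sysmon
Event ID 1 field names, the sample events are constructed, and the
"suspicious parent" heuristic is an assumption to tune per environment.
"""
import json
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Processes the write-up lists as FormBook launch/injection targets.
INJECTION_TARGETS = {
    "regsvcs.exe", "ipconfig.exe", "cscript.exe", "chkdsk.exe", "wlanext.exe",
}

# Assumption: a parent running from a user-writable location, or an Office
# application, is an unusual launcher for these system binaries.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample events, one JSON object per line (raw string so the
# Windows path escapes survive as JSON "\\" sequences).
SAMPLE_EVENTS = r"""
{"UtcTime": "2024-05-21 08:00:01", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\ipconfig.exe"}
{"UtcTime": "2024-05-21 08:02:10", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe"}
{"UtcTime": "2024-05-21 08:02:11", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\wlanext.exe"}
{"UtcTime": "2024-05-21 08:05:42", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cscript.exe"}
{"UtcTime": "2024-05-21 08:07:03", "ParentImage": "C:\\Users\\alice\\Downloads\\setup.exe", "Image": "C:\\Windows\\System32\\chkdsk.exe"}
{"UtcTime": "2024-05-21 08:09:30", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def parent_is_suspicious(parent_image: str) -> bool:
    """Heuristic (assumption): Office apps or user-writable paths as parent."""
    if basename(parent_image) in OFFICE_PARENTS:
        return True
    lowered = parent_image.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def classify(event: dict) -> Optional[str]:
    """Return a reason string when the event matches, otherwise None."""
    child = basename(event["Image"])
    if child not in INJECTION_TARGETS:
        return None
    if not parent_is_suspicious(event["ParentImage"]):
        return None
    return f"{child} launched by {event['ParentImage']}"


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run the classifier over JSON-lines input and collect findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reason = classify(event)
        if reason:
            findings.append({
                "time": event["UtcTime"],
                "child": basename(event["Image"]),
                "parent": event["ParentImage"],
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["time"], finding["reason"])
```

Of the six constructed events, only the three whose parent is a Temp or Downloads executable or WINWORD.EXE are reported; ipconfig.exe under cmd.exe and wlanext.exe under svchost.exe are left alone, which is the point of keying on the parent rather than the child.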
Keylogging behavior
FormBook also acts as a keylogger, recording the user's keystrokes. The captured input is saved in the log.ini file.
Stored password extraction
FormBook can extract stored passwords from the following web browsers:
Chrome
Edge
Internet Explorer
Firefox
AVG Browser
Kinza Browser
URBrowser
AVAST Browser
SalamWeb Browser
CCleaner Browser
Opera Browser
Opera Neon Browser
Yandex Browser
Slimjet Browser
360 Chrome Browser
Chrome Plus Browser
Chromium Browser
Torch Browser
Brave Browser
Iridium Browser
7star Browser
Amigo Browser
Blisk Browser
CentBrowser
Chedot Browser
Coc Coc Browser
Elements Browser
Epic Privacy Browser
Kometa Browser
Orbitum Browser
Uran Browser
Sleipnir5 Browser
Citrio Browser
Coowon Browser
Liebao Browser
QIP Surf Browser
Vivaldi Browser
FormBook can extract stored passwords from the following email clients:
Thunderbird
Outlook
Command-and-control
FormBook was observed making network connections to the following command-and-control (C2) servers:
Ransomware attacks enterprises more often than individuals. Following the mitigation steps below can help prevent ransomware attacks:
Keep backups so you can recover data affected by ransomware and destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.
Secure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
Monitor for brute-force attempts. Check excessive failed authentication attempts (Windows security event ID 4625).
Turn on attack surface reduction rules, including rules that block ransomware activity and other activities associated with human adversaries. To assess the impact of these rules, deploy them in audit mode.
Utilize the Microsoft Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
Turn on tamper protection features to prevent attackers from stopping security services.
Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
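The brute-force monitoring step above (excessive failed authentication attempts, Windows security event ID 4625) is simple to state but needs a window and a threshold to be actionable. The following is an added example, not code from the Microsoft page: it groups constructed 4625 records by source address and alerts when the count inside a sliding time window reaches a threshold, reporting the accounts tried. The simplified JSON record shape, the five-failures-in-five-minutes threshold, and the sample data are assumptions to adapt to your own log pipeline and environment.

```python
"""Detect excessive failed logons (Windows Security event ID 4625) per source
address inside a sliding time window.

Added example (not from the Microsoft page): the records are constructed in a
simplified JSON shape rather than real EVTX/XML, and the threshold and window
are assumptions to tune for your environment.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

THRESHOLD = 5                  # failures from one source that trigger an alert
WINDOW = timedelta(minutes=5)  # sliding window over event timestamps

# Constructed sample records, one JSON object per line. The single 4624
# (successful logon) record is there to show that only 4625 is counted.
SAMPLE_EVENTS = """
{"EventID": 4625, "TimeCreated": "2024-05-21T08:00:01", "IpAddress": "203.0.113.10", "TargetUserName": "administrator"}
{"EventID": 4625, "TimeCreated": "2024-05-21T08:00:14", "IpAddress": "203.0.113.10", "TargetUserName": "admin"}
{"EventID": 4625, "TimeCreated": "2024-05-21T08:00:37", "IpAddress": "203.0.113.10", "TargetUserName": "alice"}
{"EventID": 4625, "TimeCreated": "2024-05-21T08:01:02", "IpAddress": "203.0.113.10", "TargetUserName": "bob"}
{"EventID": 4625, "TimeCreated": "2024-05-21T08:01:30", "IpAddress": "203.0.113.10", "TargetUserName": "backup"}
{"EventID": 4625, "TimeCreated": "2024-05-21T08:01:55", "IpAddress": "203.0.113.10", "TargetUserName": "svc_sql"}
{"EventID": 4624, "TimeCreated": "2024-05-21T08:02:20", "IpAddress": "203.0.113.10", "TargetUserName": "svc_sql"}
{"EventID": 4625, "TimeCreated": "2024-05-21T07:50:00", "IpAddress": "198.51.100.7", "TargetUserName": "carol"}
{"EventID": 4625, "TimeCreated": "2024-05-21T08:30:00", "IpAddress": "198.51.100.7", "TargetUserName": "carol"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines and attach a datetime under the 'time' key."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["TimeCreated"])
        events.append(event)
    return events


def detect_bruteforce(events: List[dict], threshold: int = THRESHOLD,
                      window: timedelta = WINDOW) -> Dict[str, dict]:
    """Return {source_ip: alert} for sources whose 4625 count within any
    `window` reaches `threshold`; the alert keeps the densest window seen."""
    failures = defaultdict(list)
    for event in events:
        if event["EventID"] == 4625:          # only failed logons are counted
            failures[event["IpAddress"]].append(event)

    alerts: Dict[str, dict] = {}
    for source, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        recent = deque()                      # events inside the current window
        for event in evs:
            recent.append(event)
            while event["time"] - recent[0]["time"] > window:
                recent.popleft()              # drop events that aged out
            if len(recent) >= threshold:
                best = alerts.get(source)
                if best is None or len(recent) > best["count"]:
                    alerts[source] = {
                        "count": len(recent),
                        "first_seen": recent[0]["time"].isoformat(),
                        "last_seen": event["time"].isoformat(),
                        "users": sorted({e["TargetUserName"] for e in recent}),
                    }
    return alerts


if __name__ == "__main__":
    for source, alert in detect_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{source}: {alert['count']} failures {alert['first_seen']}..{alert['last_seen']} "
              f"against {', '.join(alert['users'])}")
```

With the sample data, 203.0.113.10 produces six failures against six different accounts in under two minutes and is reported, while 198.51.100.7's two failures forty minutes apart never share a window and stay quiet. Tracking distinct target accounts in the alert is what separates a user mistyping a password from one source cycling through many accounts.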