FormBook is a highly prevalent Information Stealer (InfoStealer) and Form Grabber that has been sold as Malware-as-a-Service (MaaS) on underground hacking forums since 2016. It is explicitly designed to harvest sensitive user data, including login credentials, banking details, and personal information, directly from the memory of web browsers and other applications before it is encrypted and sent over the network.
Infection Vector and Technical Capabilities
FormBook operators rely almost exclusively on massive phishing and malspam campaigns. Lures typically impersonate shipping companies (DHL, FedEx) or financial institutions, containing malicious attachments (PDFs, DOCX with macros, or executable files disguised as invoices).
Its technical operation focuses on comprehensive data theft:
API Hooking (Form Grabbing): FormBook's core capability is hooking Windows APIs (like `HttpSendRequest` or `NtWriteFile`). This allows it to intercept "forms" (like a login page on a banking site) and steal the username and password *as the user types them*, bypassing HTTPS encryption.
Comprehensive Stealing: Beyond form grabbing, it actively steals saved passwords from browser credential stores (Chrome, Firefox, Edge), FTP clients (FileZilla), and email clients (Outlook). It also features built-in keylogging and clipboard monitoring capabilities.
Defense Evasion: The malware often uses process injection (e.g., injecting into `explorer.exe` or `svchost.exe`) to hide its activity and communicates with its Command and Control (C2) server using custom, obfuscated HTTP requests designed to blend in with normal web traffic.
Threat Assessment
A FormBook infection is a severe data breach. The immediate threat is the total compromise of every account the user accesses from the infected machine, leading directly to financial fraud, Business Email Compromise (BEC), and potential corporate network breaches if VPN credentials are stolen.
Incident Response and Remediation
Mandatory Credential Reset: The absolute highest priority is an immediate, global password reset for all accounts associated with the compromised user, especially Active Directory, webmail, and banking portals.
MFA Enforcement: Ensure strict Multi-Factor Authentication (MFA) is enforced across all external-facing corporate portals to neutralize the threat of the stolen credentials being reused by the attackers.
EDR Triage and Eradication: Utilize Endpoint Detection and Response (EDR) to trace the execution chain, kill the injected processes, and remove the FormBook executable and its persistence mechanisms (typically Registry `Run` keys).
Known aliases
Threat reports may refer to this family under multiple names:
Public indicators drawn from CISA advisories and vendor reporting. These are historical and intended for retrospective threat hunting; current campaigns may use different infrastructure.
Delivery vectors
Phishing with RAR/ZIP/ISO attachments
Office documents using CVE-2017-11882
GuLoader and Snake-Loader downloaders
Network indicators
HTTP POST to compromised WordPress sites acting as C2 gates
Domain rotation with randomized URI paths
Beacon every 60-120 seconds
Persistence mechanisms
Process hollowing into explorer.exe or signed Windows binaries
Run keys with randomized names
No on-disk artifact in some campaigns (memory-resident)
Detection Guidance
Detection ideas drawn from public reporting. Tune to your environment before deploying.
Suricata FormBook C2 ruleset
EDR rule for process hollowing of explorer.exe at startup
YARA rule FormBook_Stealer
Generated Detections (Boilerplate)
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.