FormBook is an info stealer that spreads in phishing emails. It’s been seen delivered by fake WHO emails about the coronavirus pandemic, fake purchase confirmations, and fake job emails.
In addition to stealing information, FormBook can download and execute commands and files on the infected device. Therefore, besides being spyware, FormBook is also considered a RAT – remote access trojan.
If you suspect that the email you’re reading is a fake, don’t open any files attached to it and don’t click any links in its body.
If you discovered FormBook on your device, remove it and reset your passwords as soon as possible.
Formbook Spyware quicklinks
- How FormBook spyware works
- It steals information
- It spreads in scam emails
- Fake coronavirus messages
- Purchase orders
- Wire transfer confirmation
- How to remove FormBook spyware
- Automatic Malware removal tools
|Problems caused by FormBook
hijacked online accounts,
money lost to unauthorized purchases.
|How spyware spreads
|FormBook is downloaded by malicious files attached to fake emails,
the emails are
|How to remove FormBook
|Use antivirus apps (Spyhunter, others) to find and remove malware,
reset your passwords to protect your accounts.
How FormBook spyware works
It steals information
FormBook is an info stealer. It reads login credentials – usernames and passwords. On top of that, it can also steal payment info, address, contact details, and everything else that you might type into online forms. To get this information, FormBook logs key presses, grabs forms from web browsers, logs clipboard contents, takes screenshots, etc.
In addition to stealing information, FormBook can also function as a backdoor, receiving commands from its command & control server and executing them on the infected computer. This could be used to infect the computer with more malware.
All of this enables the cybercriminals behind FormBook to steal accounts and possibly even make unauthorized purchases if those accounts have a payment method saved. This could also be used to infect the network of a company or an organization.
It can be difficult to notice a FormBook infection. This malware does try to stay stealthy – it hides its files in the Temp folder. It may disable Task Manager and cause the infected computer to restart.
It spreads in scam emails
FormBook is malware as a service. This means that while one team develops this spyware, various groups of scammers and cybercriminals rent it and use it for their own purposes.
These separate groups of criminals come up with their own methods of distributing FormBook. Email spam is a very popular method. Messages with malicious attachments are crafted to encourage readers to open the attachment which downloads the FormBook spyware.
Using deceptive emails might not seem very sophisticated, but it’s an extremely popular method of spreading malicious software. Ransomware programs such as Zeppelin use emails, as do banking trojans like Sphinx.
Fake coronavirus messages
One of the campaigns that promoted FormBook is a fake World Health Organization instructional with the subject “Coronavirus Updates” and the title “Latest updates on coronavirus disease outbreak”. These emails claim to offer a book called My-health.pdf. In reality, the file is an executable that downloads and installs FormBook spyware (Data-Stealing FormBook Malware Preys on Coronavirus Fears).
Not the first time that criminals use coronavirus to spread scams and malware (COVID-19 Email Scams).
Another campaign to spread FormBook spyware uses the subject “Quote needed P.O.”. It’s a short email that asks for a prompt reply and encourages the recipient to check the attached video/slide presentation. The presentation looks like a spreadsheet that could take a while to parse. Meanwhile, in the background, the presentation’s malicious macros download the FormBook malware (New FormBook Variant Delivered in Phishing Campaign).
This email could be especially effective against company employees who have to deal with purchases regularly.
Wire transfer confirmation
Emails with the subject “Wire transfer confirmation” are also used to distribute FormBook. They say that they attach a bank receipt – which is really a downloader for FormBook (Re: Wire transfer confirmation).
How to remove FormBook spyware
It can be difficult to know whether FormBook or another malicious program has infected your device. But if you notice suspicious symptoms, such as:
- the computer rebooting on its own,
- unfamiliar software being installed,
- unfamiliar internet connections being made,
- your accounts getting hacked,
- unknown purchases being made on your accounts,
- Task Manager not working,
then malware may have infected your computer.
Scan your device with an antivirus program and delete suspicious or malicious items if any are discovered. We like Spyhunter, but any reliable antivirus program works. Antivirus programs detect FormBook downloaders as Trojan, Downloader, some even detect FormBook specifically (Virustotal.com).
Use a clean device to reset your passwords. Make sure that you use multi-factor authentication wherever possible to protect your accounts from being hacked.
In addition, keep an eye on your bank accounts. Contact your bank in case of any problems.
Automatic Malware removal tools