FormBook targets Windows systems and has been offered for years as malware-as-a-service. Research from WatchGuard now shows that attackers have improved their approach. They no longer rely on a single fixed method but combine multiple steps and different ways to infect systems. As a result, traditional security measures are less effective. In one case, they abuse ordinary software to load a malicious file. In another case, they use a heavily encrypted script that ultimately installs FormBook.
DLL side-loading
In the first method, attackers use a technique known as DLL side-loading. The attachment, for example, a RAR file, contains a legitimate program. Additionally, there is a malicious DLL file with the same name as a file the program expects. Once the program starts, it loads not the real file but the malicious version. This then places the FormBook payload in a temporary folder and executes it. Because the attack uses legitimate software and trusted Windows tools like PowerShell, it is harder to recognize.
Encrypted script file
In the second method, victims receive a file that looks like a PDF but is actually a JavaScript file. Once opened, the script prepares additional files through multiple steps and calls PowerShell to initiate the next phase of the infection. Techniques such as AES encryption, Base64 encoding, and a custom loader are combined to execute the final payload. According to WatchGuard, this loader has previously been linked to other malware families but was used in this campaign to spread FormBook.
Worrying developments
WatchGuard finds it particularly concerning that attackers use multiple infection routes for the same malware. By combining ordinary tools, encrypted scripts, and custom loaders, an attack emerges that is difficult to recognize. Organizations can no longer rely solely on detecting individual files or known malware signatures.
International observations
WatchGuard has already seen these campaigns at companies in Greece, Spain, Slovenia, Bosnia, Croatia, and various countries in Latin America. The threat is thus already active in multiple regions and languages. According to the company, this shows how easily this approach can spread further.
For Dutch companies, this is a clear warning. The topics used in the phishing emails, such as payments, orders, and quotes, also align well with daily processes here. This increases the likelihood that similar emails will also appear in the Netherlands and seem legitimate. Moreover, since the attack exploits trusted software and system processes, there is a risk that security teams will only discover an infection late.
Detecting anomalous behavior
Martijn Nielen, senior sales engineer at WatchGuard Technologies, says: "Organizations should not only focus on known malware signatures or isolated indicators. Especially in this type of attack, it is important to centrally correlate signals from email, endpoints, and network activity so that anomalous behavior becomes visible more quickly and can be followed up appropriately. In practice, we see that organizations benefit from as much automated monitoring, analysis, and response as possible, and where necessary, additional support from an external security partner."
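As an added illustration of the behavior-based correlation described above (not code from WatchGuard or the article), the script below runs three simple rules over constructed, Sysmon-style endpoint events: a DLL with a Windows system DLL name loaded from the program's own directory outside C:\Windows (the side-loading pattern from the first method), a script host spawning PowerShell with an encoded command (the second method), and execution from a user-writable path. Event fields, the DLL name list, and the path heuristics are assumptions chosen for the example, and hits are grouped per process so that a chain of several weak signals stands out.

```python
import ntpath
import re

# Constructed sample events (not real telemetry): id 1 = process creation, id 7 = image load.
EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Users\ann\AppData\Local\Temp\Rar$EXa0\viewer.exe",
     "parent": r"C:\Program Files\WinRAR\WinRAR.exe", "cmd": "viewer.exe"},
    {"id": 7, "pid": 4100, "image": r"C:\Users\ann\AppData\Local\Temp\Rar$EXa0\viewer.exe",
     "loaded": r"C:\Users\ann\AppData\Local\Temp\Rar$EXa0\version.dll"},
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 7, "pid": 2000, "image": r"C:\Program Files\App\app.exe",
     "loaded": r"C:\Windows\System32\version.dll"},  # benign: loaded from the system directory
]

USER_WRITABLE = re.compile(r"\\(?:Temp|AppData|Downloads)\\", re.IGNORECASE)
SYSTEM_DLLS = {"version.dll", "wininet.dll", "dwmapi.dll", "cryptbase.dll"}  # assumed watch list
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# PowerShell accepts unambiguous prefixes of -EncodedCommand; match the common spellings.
ENCODED = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\b", re.IGNORECASE)


def detect(events):
    """Return (rule, pid) pairs for every event that matches one of the three rules."""
    findings = []
    for ev in events:
        if ev["id"] == 7:
            dll = ntpath.basename(ev["loaded"]).lower()
            same_dir = ntpath.dirname(ev["loaded"]).lower() == ntpath.dirname(ev["image"]).lower()
            outside_windows = not ev["loaded"].lower().startswith("c:\\windows\\")
            if dll in SYSTEM_DLLS and same_dir and outside_windows:
                findings.append(("dll_sideload", ev["pid"]))
        elif ev["id"] == 1:
            child = ntpath.basename(ev["image"]).lower()
            parent = ntpath.basename(ev["parent"]).lower()
            if parent in SCRIPT_HOSTS and child == "powershell.exe":
                tag = "script_to_powershell_encoded" if ENCODED.search(ev["cmd"]) else "script_to_powershell"
                findings.append((tag, ev["pid"]))
            if USER_WRITABLE.search(ev["image"]):
                findings.append(("exec_from_user_writable", ev["pid"]))
    return findings


def correlate(findings):
    """Group rule hits per process; a pid with several hits deserves priority triage."""
    by_pid = {}
    for rule, pid in findings:
        by_pid.setdefault(pid, []).append(rule)
    return by_pid


if __name__ == "__main__":
    for pid, rules in correlate(detect(EVENTS)).items():
        print(pid, "->", ", ".join(rules))
```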