
Formbook Malware Takes Top Spot in Threat Index

Michael Behr

The malware has been spread through Covid-19 phishing emails to computers where it steals the victim’s credentials.

Formbook, an information stealing trojan, has become the most prevalent form of malware, according to Check Point Research’s (CPR’s) latest Global Threat Index.

Researchers found that in August Formbook took over from Trickbot, the botnet and banking trojan, which has fallen to second place after a three-month reign at the top.

Formbook was the most popular malware for the month, impacting 4.5% of organisations globally. Trickbot and Agent Tesla impacted 4% and 3% of organisations worldwide respectively.

First seen in 2016, Formbook is an infostealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its command and control (C&C) orders.

Recently, Formbook was distributed via Covid-19 themed campaigns and phishing emails, and in July 2021, CPR reported that a new strain of malware derived from Formbook, called XLoader, is now targeting macOS users.

“Formbook’s code is written in C with assembly inserts and contains a number of tricks to make it more evasive and harder for researchers to analyse,” said VP of Research at Check Point Software Maya Horowitz.

“As it is usually distributed via phishing emails and attachments, the best way to prevent a Formbook infection is by staying acutely aware of any emails that appear strange or come from unknown senders. As always, if it doesn’t look right, it probably isn’t.”

Meanwhile, banking trojan Qbot dropped off the list altogether. According to CPR, Qbot’s operators are known to take breaks during the summer.

Remcos, a remote access trojan (RAT), entered the index for the first time in 2021, ranking in sixth place.


According to CPR, the most commonly exploited vulnerability was “Web Server Exposed Git Repository Information Disclosure”, in which a web server publishes the contents of a Git repository directory. Successful exploitation of this vulnerability could allow the unintentional disclosure of account information. It impacted 45% of organisations globally.
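The exposed-repository issue is visible from the server side: requests for paths under a `.git` directory, and especially ones the server answers with a 2xx status, indicate that a repository is reachable over the web. The script below is an added illustration written for this article, not code from Check Point or from the report; it parses constructed web-server access-log lines in the common "combined" format and reports, per client, which `.git` paths were requested and which were actually served. The log lines, IP addresses and the two helper functions are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
# 203.0.113.7 probes /.git/HEAD and gets a 404: no exposure on that host.
# 198.51.100.23 gets 200 for /.git/HEAD and /.git/config: the repository is served.
# 192.0.2.55 requests /about/.gitignore, which is not inside a .git directory.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2021:08:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2021:08:15:03 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2021:08:16:41 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.25.1"
198.51.100.23 - - [10/Sep/2021:08:16:42 +0000] "GET /.git/config HTTP/1.1" 200 310 "-" "python-requests/2.25.1"
198.51.100.23 - - [10/Sep/2021:08:16:43 +0000] "GET /.git/objects/ HTTP/1.1" 403 199 "-" "python-requests/2.25.1"
192.0.2.55 - - [10/Sep/2021:08:20:10 +0000] "GET /about/.gitignore HTTP/1.1" 200 44 "-" "curl/7.68.0"
"""

# Fields of the combined log format we need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# A request touches the repository only if a whole path segment is exactly ".git";
# this deliberately does not match files such as ".gitignore".
GIT_DIR_RE = re.compile(r'(^|/)\.git(/|$)')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_git_probes(log_text):
    """Group .git requests by client IP.

    Returns {ip: {"probes": [paths requested], "served": [paths answered 2xx]}}.
    A non-empty "served" list is the strong signal: the server handed out
    repository contents rather than refusing the request.
    """
    findings = defaultdict(lambda: {"probes": [], "served": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not GIT_DIR_RE.search(rec["path"]):
            continue
        entry = findings[rec["ip"]]
        entry["probes"].append(rec["path"])
        if 200 <= rec["status"] < 300:
            entry["served"].append(rec["path"])
    return dict(findings)


def exposed_paths(findings):
    """Sorted list of distinct .git paths the server actually served."""
    return sorted({p for entry in findings.values() for p in entry["served"]})


if __name__ == "__main__":
    result = find_git_probes(SAMPLE_LOG)
    for ip, entry in result.items():
        print(f"{ip}: {len(entry['probes'])} .git request(s), {len(entry['served'])} served")
    print("Paths served from the repository:", exposed_paths(SAMPLE_LOG and result))
```

A 404 or 403 on these paths means the probe failed; a 200 on `/.git/HEAD` or `/.git/config` means the repository directory was deployed alongside the site and should be removed from the document root (or access to `.git` denied in the web-server configuration) before anything else is done.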

It was followed by “HTTP Headers Remote Code Execution”, which affects 43% of organisations worldwide. HTTP headers let the client and the server pass additional information along with an HTTP request; a remote attacker may use a vulnerable HTTP header to run arbitrary code on the victim machine.

“Dasan GPON Router Authentication Bypass” takes third place in the top exploited vulnerabilities list, with a global impact of 40%. This authentication bypass vulnerability exists in Dasan GPON routers.

“Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorised access into the affected system.”

Michael Behr, Senior Staff Writer
