The spread of a new malware designed to steal sensitive information is being targeted at critical cyber infrastructure belonging to organizations in the aerospace and manufacturing sectors, as well as defense contractors in South Korea and the United States.

Researchers at cybersecurity firm FireEye first discovered the attack, which has been dubbed FormBook. The attack is capable of stealing clipboard contents, log keystrokes on an infected machine, and extra data from unsecure web browsing sessions.

FormBook hides its nefarious payload in PDF files spread via direct download links, as well as Microsoft Word and Excel files that contain malicious macros that install the malware in the background and archive files that contain .exe installers.

The attack relies on users opening the laced documents or extracting the malware and installing it onto their system. From there, the malware communicates with a command and control server operated by the attackers to coordinate its actions.

The threat actors can instruct the malware to conduct any number of actions, including recording passwords used by the victim and stealing cookies that reveal web browsing activity. The attackers can also use the malware’s lock on the system to start processes and shutdown or reboot the machine without user permission.

FireEye researchers warned the usernames and passwords harvested by the malware, as well as other information stolen from the machine could be used by the attackers to carry out a number of other exploits, from identity theft and bank fraud to phishing operations and extortion attempts.

Given the threat profile of the targets of the attack, it is also possible the attack could lead to the compromise of other valuable information, including sensitive documents held by defense contractors that work with government agencies in the U.S. and South Korea. A recent hack of an NSA contractor that resulted in the theft of highly classified documents highlights the potential threat of such an attack.

“It also features a persistence method that randomly changes the path, filename, file extension and the registry key used for persistence. The malware author does not sell the builder, but only sells the panel, and then generates the executable files as a service,” the researchers explained.

The researchers who discovered the attack said FormBook is not necessarily unique in how it behaves nor how it spreads but presents considerable trouble for targets because it is widely available through dark web markets and hacking forms, is affordable and doesn’t require high-level skills to carry out an attack.

FormBook has been available on sale since at least 2016 and has been updated to include a remote access trojan (RAT) called NanoCore that was first identified in 2013. NanoCore was once exclusively available through dark web markets and its creator was arrested earlier this year.

While South Korea and the U.S. has been the primary target for FormBook, the attack has been identified in a number of other countries including Australia, France, Germany, Hungary, the Netherlands, Poland, Russia Ukraine and the United Kingdom.​