Deep Analysis: FormBook New Variant Delivered in Phishing Campaign – Part III
When FormBook starts in a target process, it loads an ntdll.dll module and then overwrites that module's data with the deployed FormBook malware. As a result, FormBook is disguised as an ntdll.dll module while it runs.
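A defender-side check for the behaviour described above, as an added example that is not part of the original analysis: it compares the bytes of a loaded ntdll.dll image in process memory with the same region of the file on disk and flags images that are mostly rewritten. It assumes the two byte ranges were already acquired and aligned by separate tooling; the record layout, PIDs, sample bytes and the 0.5 threshold are constructed for illustration.

```python
import hashlib

PAGE = 0x1000  # 4 KiB page granularity used for the comparison

def page_hashes(data: bytes) -> list:
    """SHA-256 digest of every page-sized chunk of a section."""
    return [hashlib.sha256(data[i:i + PAGE]).digest()
            for i in range(0, len(data), PAGE)]

def modified_ratio(disk: bytes, mem: bytes) -> float:
    """Fraction of pages whose in-memory bytes differ from the on-disk bytes."""
    d, m = page_hashes(disk), page_hashes(mem)
    total = max(len(d), len(m))
    same = sum(1 for a, b in zip(d, m) if a == b)
    return (total - same) / total if total else 0.0

def flag_overwritten(records, threshold=0.5):
    """Return (pid, module, ratio) for images that are mostly rewritten.

    A few changed pages are normal (hooks, hot patches); an image whose
    pages mostly differ no longer holds the code of the file it is named after.
    The threshold is an assumed starting value, not a tuned one.
    """
    hits = []
    for r in records:
        ratio = modified_ratio(r["disk"], r["mem"])
        if ratio >= threshold:
            hits.append((r["pid"], r["module"], ratio))
    return hits

# --- Constructed sample data (not taken from a real system) ---
DISK_TEXT = bytes((i * 7 + 3) % 256 for i in range(16 * PAGE))
HOOKED = bytearray(DISK_TEXT)
HOOKED[0x2000:0x2005] = b"\xe9\x00\x00\x00\x00"  # one inline patch in one page
REPLACED = bytes((i * 13 + 101) % 256 for i in range(16 * PAGE))  # image rewritten

RECORDS = [
    {"pid": 1020, "module": "ntdll.dll", "disk": DISK_TEXT, "mem": bytes(HOOKED)},
    {"pid": 4412, "module": "ntdll.dll", "disk": DISK_TEXT, "mem": REPLACED},
]

if __name__ == "__main__":
    for pid, module, ratio in flag_overwritten(RECORDS):
        print(f"pid {pid}: {module} differs from disk in {ratio:.0%} of pages")
```

On real data the comparison should be limited to regions that are expected to be identical on disk and in memory, such as read-only executable sections, so that relocations and import fix-ups do not inflate the ratio.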