Formbook is a long-running infostealer (more precisely, a form-grabber) and keylogger that has now added Mac users to its target list. The malware is reportedly sold for as little as $49 on underground forums, enabling cybercriminals to perform a range of malicious operations.
Formbook/XLoader Malware: an Easy-to-Use MaaS
The infostealer is not only cheap but also easy to use. It is offered as malware-as-a-service (MaaS), which makes it very simple to configure and deploy. The discovery comes from Check Point researchers.
“Formbook is currently one of the most prevalent malware. It has been active for more than 5 years already. Check Point reported in December 2020 that Formbook affected 4% of organizations worldwide and made it to the top 3 list of the most prevalent malware,” the report says. It is noteworthy that a newer strain of the Formbook malware has been detected in the wild. Called XLoader, this newer, rebranded version appeared in 2020, shortly after Formbook disappeared from underground markets.
Formbook was originally designed as a simple keylogger. However, customers recognized its potential as a universal tool that could be deployed in spam campaigns against organizations worldwide. “As this potential became a reality, the author stopped sales of the product without giving detailed explanations about the motives behind this decision,” Check Point explains.
Shortly after its sudden disappearance, the malware resurfaced in a new form. XLoader is now offered for sale on a specific underground forum under a different avatar. “XLoader opened up several new opportunities, with the ability to operate in the macOS being one of the most exciting. XLoader’s story is on-going, and judging by the popularity of the malware, shows no signs of ending any time soon,” the report says.
The interest in the malware is quite astonishing. During the 6 months between December 1, 2020 and June 1, 2021, Check Point saw Formbook/XLoader requests from as many as 69 countries, or more than a third of the total 195 countries recognized in the world today.
Previous XLoader Campaign Targeted iOS and Android Users
In 2019, security researchers detected an XLoader campaign targeting iOS and Android users. In the Android version, the attackers used Twitter user profiles for its C&C operations. The Android and iOS versions could also gather extensive information, including all kinds of hardware parameters and data that can identify the device owners. The campaign relied on the delivery of fake banking and gaming apps.