Cheap, easy & prolific, the new version of the old Form Book form-stealer & keylogger has added Mac users to its hit list, & it is selling like hotcakes.
There’s a new version of the old Form Book form-stealer & keylogger that’s added Mac users to its hit list, & it’s selling fast on underground markets for as low as $49.
It is not only cheap; it is easy. The data stealer is distributed in the form of malware-as-a-service (MaaS) & stands out from competing malware by being drop-dead simple to use, outfitting even code dummies with a multipurpose malware tool.
In a report posted on Wed., analysts at Check Point Research (CPR) explained that the new strain of Form Book – which mainly targeted Windows users when it 1st popped up on hacking forums in 2016 – is named XLoader. According to the report, Form Book disappeared from malware markets in 2018, then rebranded to XLoader in 2020.
Over the last 6 months, XLoader’s been busy, targeting Windows users & also targeting, “to CPR’s surprise,” Mac users.
Steal Log-in Credentials
XLoader licenses start at $49: a price that will get even the most inexperienced & poor cyber-attackers a tool that they can use to steal log-in credentials, collect screenshots, log keystrokes & execute malicious files.
Check Point has tracked XLoader requests flooding in from eager attackers in 69 countries. Most of the targets – 53% – are in the US, including both Mac & Windows users.
Victims are tricked into downloading XLoader via spoofed emails that contain malicious Microsoft Office documents.
As of Dec., as Check Point reported at the time, Form Book was the 3rd most prevalent malware family. It was outpaced only by Emotet at No. 1 (the servers for which were globally dismantled in Jan.) & the Trick Bot banking trojan/ransomware malware, which ranked No. 2.
AnyRun Malware Trends Tracker backs that up: As of Tues. evening, Form Book was ranked the 3rd most-spotted sample out of millions in the preceding week, & it was climbing in popularity. Between June 2020 & June 2021, AnyRun ranked Form Book as the 4th most prevalent malware family.
This is not what the malware author had in mind. At 1st, it was just supposed to be a keylogger – a cheap one, at that. In 2016, at least, attackers could rent Form Book MaaS for as little as $29/week.
Customers quickly saw its potential for use in wide-scale spam campaigns worldwide, researchers explained. As that potential became reality, the author – “ng-Coder,” whom Check Point researchers refer to as “he” – stopped selling Form Book.
The author had not wanted the tool to be used in email campaigns & had, in fact, barred customers from using it for spam. Ng-Coder made a last post in May 2018, & then the malware maker’s Form Book activity stopped.
Researchers think that ng-Coder might have had his own plans for his creation, given analysis of domains linked to his email address, ng2coder at gmail.com: 16 unique command-&-control (C2) domains linked to that address were used in Form Book campaigns.
Form Book activity nevertheless continued, & it came with a surprise. On Feb. 6, 2020, the rebranded XLoader offshoot was listed for sale on an underground forum – the same one Form Book had been sold on – under a new avatar.
(Check Point notes that XLoader malware for PCs & Mac shouldn’t be confused with XLoader malware for Android [aka Roaming or MoqHao], a backdoor trojan & Android malware that uses Domain Name System (DNS) spoofing to distribute infected Android apps.)
Researchers were intrigued by XLoader’s ability to operate in macOS, which was “one of the most exciting things about the new malware,” they enthused. “With approximately 10m users operating macOS in 2018 (as reported by Apple), this was definitely a promising new market for the malware to enter.”
It has entered, judging by how it has raced up the malware rankings.
Check Point recommends that we can all stop feeding XLoader’s success by following some standard-issue precautions, for both Mac & Windows users:
- Do not open suspicious attachments.
- Stay off of suspicious websites.
- Use 3rd-party protection software to help identify & prevent malicious behaviour on your computer.
Detection & Removal
As for detection & removal, this malware is very hard to detect, although AnyRun does offer a video with instructions on detecting Form Book. The XLoader offspring shares the same code base as its Form Book predecessor.
You should perhaps leave it up to the pros, the analysts suggested. “Since this malware is stealthy in nature, it is likely difficult for a ‘non-technical’ eye to recognize whether they have been infected,” they wrote.
“Therefore, if you suspect you have been infected it would be wise to consult with a security professional or use 3rd-party tools and protections designed to identify, block and even remove this threat from your computer.”
For more technical details to assist in detection and removal, Check Point recommended using the AutoRun feature of Windows Explorer to:
- Check your username in the OS.
- Go to the /Users/[username]/Library/LaunchAgents directory.
- Check for suspicious filenames in this directory (the report gave this random name as an example: /Users/user/Library/LaunchAgents/com.wznlVRt83Jsd.HPyT0b4Hwxh.plist).
- Remove the suspicious file.
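A small checker that automates the LaunchAgents sweep above, added here as an example and not code from Check Point or the article: it parses every plist in a directory, flags labels with random-looking segments like the sample name the report gives, flags agents whose program starts outside standard install roots (that allowlist is my assumption), and flags RunAtLoad + KeepAlive persistence. The two sample agents it scans are constructed for the example.

```python
import os, plistlib, re, tempfile

# Install roots a legitimate user launch agent normally starts its program from;
# this allowlist is an assumption for the example, not a Check Point recommendation.
TRUSTED_ROOTS = ("/Applications/", "/Library/", "/System/", "/usr/")

def looks_random(label):
    # Any dot-separated segment of 8+ chars mixing lower case, upper case and digits,
    # as in the sample name com.wznlVRt83Jsd.HPyT0b4Hwxh, counts as random-looking.
    return any(len(s) >= 8 and re.search(r"[a-z]", s) and re.search(r"[A-Z]", s)
               and re.search(r"\d", s) for s in label.split("."))

def scan_launch_agents(directory):
    # Returns [(filename, reasons)] for each plist in the directory that looks suspicious.
    findings = []
    for fn in sorted(os.listdir(directory)):
        if not fn.endswith(".plist"):
            continue
        try:
            with open(os.path.join(directory, fn), "rb") as f:
                pl = plistlib.load(f)
        except Exception:
            findings.append((fn, "unparseable plist"))
            continue
        reasons = []
        if looks_random(fn[:-len(".plist")]):
            reasons.append("random-looking label")
        program = (pl.get("ProgramArguments") or [pl.get("Program", "")])[0]
        if program and not program.startswith(TRUSTED_ROOTS):
            reasons.append("program outside trusted roots: " + program)
        if pl.get("RunAtLoad") and pl.get("KeepAlive"):
            reasons.append("persistent (RunAtLoad + KeepAlive)")
        if reasons:
            findings.append((fn, "; ".join(reasons)))
    return findings

def build_sample_dir():
    # Constructed sample agents (not real captured files): the first uses the example
    # name from the Check Point advice with a made-up hidden program path.
    d = tempfile.mkdtemp()
    samples = {
        "com.wznlVRt83Jsd.HPyT0b4Hwxh.plist": {"Label": "com.wznlVRt83Jsd.HPyT0b4Hwxh",
            "ProgramArguments": ["/Users/user/.HPyT0b4Hwxh/agent"], "RunAtLoad": True, "KeepAlive": True},
        "com.example.updater.plist": {"Label": "com.example.updater",
            "ProgramArguments": ["/Library/Application Support/Example/updater", "--check"], "RunAtLoad": True},
    }
    for fn, pl in samples.items():
        with open(os.path.join(d, fn), "wb") as f:
            plistlib.dump(pl, f)
    return d
```

On a real Mac, call scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents")) and review each flagged file before removing it; the heuristics only rank candidates, they do not confirm an infection.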
PC vs. macOS Malware
Yaniv Balmas, head of cyber research at Check Point, called XLoader “far more mature & sophisticated than its predecessors,” given that it has made itself at home on MacOS computers: an environment that historically has not been cosy for malware.
“MacOS malware hasn’t been that common,” Balmas observed in a statement. “They usually fall into the category of ‘spyware’, not causing too much damage.”
XLoader is just the latest example of how the gap has steadily been closing when it comes to prevalence of PC vs. macOS malware, Balmas continued. “The truth is that MacOS malware is becoming bigger & more dangerous,” he stated. “Our recent findings are a perfect example & confirm this growing trend.”
Bound to Worsen
People like their Macs. So, the malware situation is bound to worsen, Balmas predicted.
“With the increasing popularity of MacOS platforms, it makes sense for cyber criminals to show more interest in this domain, & I personally anticipate seeing more cyber threats following the Form Book malware family. I would think twice before opening up any attachments from emails I get from senders I don’t know.”