Back in 2016 a keylogger and form-grabber malware named FormBook was first offered for sale on underground hacker forums under a MaaS (Malware-as-a-Service) scheme. The price of the lowest available tier was extremely low, and FormBook quickly grew in popularity. When cybercriminals discovered just how easy it was to spread the keylogger via spam email campaigns, FormBook's popularity grew even further, with the malware family climbing to third place in Check Point Research's rankings, behind only the Emotet and TrickBot families. This particular use of the threat was not sanctioned by its creator, and in 2018 FormBook was pulled from the forums and went dark.
Last year, however, Check Point discovered that a newer, more sophisticated malware based on FormBook was being offered for sale on the same hacker forum. The threat is named XLoader and it has vastly expanded data-stealing capabilities. Its most notable feature is the ability to infect macOS systems. According to Apple, there were around 100 million active Mac users at the time, which represents a massive pool of potential victims.
The XLoader infostealer is again offered for sale as MaaS, with the price going as low as $49. Because its operational requirements are so simple, even wannabe cybercriminals with very basic technical knowledge can get their hands on it and start deploying a serious malware threat. Currently, XLoader appears to be spread via lure emails carrying weaponized Microsoft Office documents. As for its victims, over 53% of the targets are located in the U.S., and they include both Windows and macOS systems. XLoader's stealthy nature makes it hard for ordinary users to detect manually. If you suspect that your system has been infected, the best course of action is to use a professional anti-malware solution to scan the system for potential threats.
It should be noted that, despite the similar name, the XLoader infostealer has no connection to the XLoader (Roaming Mantis, MoqHao) Android malware, which acts as a backdoor and uses DNS (Domain Name System) hijacking to spread infected Android applications.