Infostealer FormBook Exploits Phishing to Steal Credentials and Deploy Malware

Threat Group: Multiple Threat Actors (Malware as a Service)
Threat Type: Infostealer / Downloader / Trojan
Exploited Vulnerabilities: Primarily social engineering and malicious attachments. Delivery documents have also exploited known Office CVEs, notably CVE-2017-11882 (listed under IoCs below), which drops the payload without a macro prompt.
Malware Used: FormBook (rebranded as XLoader)
Threat Score: 🔴 High (8.0/10) due to extensive use across industries, advanced stealth techniques, downloader capabilities, and cross-platform functionality
Last Threat Observation: April 22, 2025
Overview
FormBook, first identified in 2016, is a highly prevalent infostealer family that evolved into a more sophisticated threat under the name XLoader. Distributed through a thriving Malware as a Service (MaaS) ecosystem, FormBook and XLoader put credential theft, surveillance, and data exfiltration at scale within reach of both novice and experienced cybercriminals. Low cost and strong functionality keep the family persistently popular.
The malware steals browser credentials, logs keystrokes, captures clipboard content and screenshots, and intercepts data entered into web forms. XLoader, the rebranded successor that appeared in 2020, added native macOS support and regularly integrates new obfuscation and evasion capabilities. Threat actors deploy it through phishing emails that typically carry macro-enabled Office documents, compressed archives, PDFs, or malicious URLs.
The MaaS model and cross-platform compatibility ensure continued relevance; XLoader remains among the most prevalent infostealers globally as of 2025.
Key Details
Delivery Method: XLoader is distributed mainly through phishing campaigns that exploit user trust and social engineering. The delivery mechanisms include:
- Microsoft Office documents (DOC, DOCX, XLSM) embedded with malicious macros. These macros execute scripts to retrieve the payload once the user clicks through the "Enable Content" prompt and allows macros to run.
- Compressed archive formats such as ZIP, RAR, and ISO. These often contain hidden or disguised executables, scripts (JavaScript or VBScript), or LNK shortcut files that trigger malware execution.
- PDFs that contain hyperlinks leading to download sites hosting the malicious payload.
- Java Archive (JAR) files targeting macOS users, sometimes leveraging tools like XBinder to bundle cross-platform malware in a single file.
- Links in emails leading to fake file-sharing pages or update alerts designed to trick users into downloading and executing the malware.
Target: The targeting strategy is both opportunistic and widespread. XLoader campaigns have been observed impacting:
- Government agencies
- Aerospace and defense contractors
- Healthcare institutions and private practices
- Educational institutions and universities
- Retail and wholesale businesses
- Critical infrastructure providers, including energy and transportation
Geographically, these campaigns affect North America, Europe, Asia Pacific, and Latin America. Specific targeting has been observed in politically volatile regions, such as Ukraine, suggesting flexibility in operator goals depending on affiliates.
Functions: FormBook and XLoader offer a robust set of data theft and surveillance capabilities:
- Steals login credentials stored in web browsers, FTP software, and email clients
- Captures user keystrokes and clipboard data for real-time theft of passwords and private communication
- Takes screenshots of user activity to reveal sensitive data displayed on screen
- Intercepts data submitted in HTML forms, including login fields and payment forms
- Receives and executes additional malicious payloads, such as RATs, ransomware, or other stealers
- Deletes traces of its own activity by cleaning up temporary files after exfiltration
Obfuscation: The malware family incorporates evolving and advanced evasion techniques:
- Custom multi-layered encryption protects code, configuration files, and operational logic
- API resolution is conducted dynamically using hashing techniques instead of explicit imports, which hinders signature-based detection
- Manually maps and invokes functions from clean copies of system libraries such as ntdll.dll to bypass security hooks
- Uses process hollowing and Asynchronous Procedure Call (APC) injection to run within legitimate system processes
- Employs decoy C2 domains in its configuration to camouflage real communication and mislead defenders during analysis
These mechanisms are refined with each release, which erodes the value of static signatures and import-table heuristics; the use of common system binaries and stealthy runtime injection further complicates detection and pushes defenders toward behavior-based telemetry.
Initial Access: Phishing is the primary method used to gain initial access. Common techniques include:
- Spoofed business communications such as invoices or HR notices
- Macro enabled Office documents requiring user action
- Embedded scripts using PowerShell to download payloads
- DLL sideloading through legitimate signed executables such as jarsigner.exe (a Java Development Kit tool)
Once executed, the malware injects into legitimate processes like explorer.exe. It uses registry keys or DLL hijacking for persistence and communicates with C2 infrastructure through encrypted channels that often include decoy domains.
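The dynamic API resolution listed under Obfuscation above is easier to reason about with a worked example. The following Python is an added illustration written for this page, not FormBook/XLoader code and not from any of the cited sources: it shows a loader resolving an export by comparing hashes of export names against an embedded constant (so nothing in the import table names the API), and the analyst's counter-move of precomputing hashes for known API names and scanning a sample for those constants. The ROR13 hash, the fake export table and the sample byte blob are all assumptions made for the example; the advisory does not say which hash function the family uses.

```python
"""Added example for this page, not code from FormBook/XLoader or its analysts.
Loader side: what a resolve-by-hash stub does instead of importing APIs by name.
Analyst side: precompute hashes of known export names and scan a sample for them.
The ROR13 hash is an illustrative choice (assumption); the advisory does not
state which hash the malware family uses."""
import struct


def ror13_hash(name: str) -> int:
    """Rotate-right-13-then-add over the ASCII export name (assumed hash)."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h


# Constructed stand-in for a DLL export table (name -> address); a real loader
# walks the PE export directory of the module to obtain the same pairs.
FAKE_EXPORTS = {
    "LoadLibraryA": 0x7FFF0010,
    "GetProcAddress": 0x7FFF0020,
    "VirtualAlloc": 0x7FFF0030,
    "CreateProcessA": 0x7FFF0040,
    "NtUnmapViewOfSection": 0x7FFF0050,
}


def resolve_by_hash(exports: dict, wanted: int):
    """Loader side: hash every export name and return the one matching the
    embedded constant. Returns None when nothing matches."""
    for name, addr in exports.items():
        if ror13_hash(name) == wanted:
            return name, addr
    return None


def build_lookup(api_names) -> dict:
    """Analyst side: precompute hash -> name for the APIs of interest."""
    return {ror13_hash(n): n for n in api_names}


def scan_for_hashes(blob: bytes, lookup: dict) -> list:
    """Report every byte offset holding a little-endian 32-bit value that is a
    known API hash; in a real sample these are the immediates pushed before
    the resolver call."""
    hits = []
    for off in range(len(blob) - 3):
        value = struct.unpack_from("<I", blob, off)[0]
        if value in lookup:
            hits.append((off, lookup[value]))
    return hits


# Constructed "code" blob: filler bytes plus two hash constants embedded as
# 32-bit immediates (0x68 = push imm32 on x86), the way a resolver stub would.
SAMPLE_BLOB = (
    b"\x90\x90\x68" + struct.pack("<I", ror13_hash("VirtualAlloc"))
    + b"\xe8\x00\x00\x00\x00"
    + b"\x68" + struct.pack("<I", ror13_hash("NtUnmapViewOfSection"))
    + b"\xc3"
)

if __name__ == "__main__":
    print(resolve_by_hash(FAKE_EXPORTS, ror13_hash("VirtualAlloc")))
    print(scan_for_hashes(SAMPLE_BLOB, build_lookup(FAKE_EXPORTS)))
```

Running the module prints the resolved export and the two offsets where known hashes appear. The scan is how signature-free API references become visible again: once the hash function has been recovered from the sample, a precomputed table over the Windows API names of interest (process-injection and networking APIs first) turns opaque constants back into names, which is also why import-table heuristics alone say nothing about this family.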
Attack Vectors
FormBook and XLoader rely primarily on socially engineered phishing attacks for initial access. These campaigns are crafted to appear as legitimate business communications and often impersonate known brands or government services. Below is a detailed breakdown of the techniques used to compromise targets:
1. Phishing Emails
- Emails often masquerade as invoices, shipping notices, or payment requests.
- Subjects are crafted to create urgency (e.g., "URGENT: Overdue Payment") or curiosity (e.g., "Request for Quotation").
- Senders may spoof internal departments (e.g., finance or procurement) or use lookalike domains.
2. Malicious Attachments
- Office Documents (DOC, DOCX, XLS, XLSM): These files prompt users to enable macros. When macros are activated, embedded VBA or Excel 4.0 macros download the malware payload.
- Archives (ZIP, RAR, ISO): Commonly used to bypass basic email scanners. Inside, they contain obfuscated executable files or LNK shortcuts that trigger infection.
- PDF Files: Embedded with links to external download pages that host the malware or exploit browser vulnerabilities.
- Java Archive (JAR): Used especially in macOS-targeting campaigns, sometimes generated by bundling tools like XBinder.
3. Embedded Scripts and Loaders
- JavaScript and VBScript: Included in archives or HTML files. Executing the script downloads and runs the payload using PowerShell or command-line tools.
- Compiled AutoIt Loaders: Some variants use AutoIt scripts compiled to EXE files to execute FormBook/XLoader payloads.
- PowerShell Downloaders: Scripted instructions may be hidden in macros or LNK files to use PowerShell to fetch and execute malicious binaries.
4. Sideloading via Legitimate Binaries
- DLL sideloading (a form of DLL hijacking) is used to load FormBook/XLoader by abusing trusted, signed applications such as jarsigner.exe.
- The malware ships a malicious DLL named to match a legitimate DLL that the hijacked application expects to load from its own directory.
- Executing the application causes the malicious DLL to load instead of the legitimate one, so the payload runs under a trusted, signed parent process.
5. Malicious Links and Redirects
- Links embedded in emails lead users to attacker-controlled sites that automatically deliver the payload or present a fake download page.
- URLs may use link shorteners or encoded parameters to evade detection.
6. Post-Execution Techniques
- Upon execution, the malware injects itself into legitimate processes like explorer.exe.
- Establishes persistence using registry keys or DLL hijacking mechanisms.
- Communicates with command-and-control (C2) infrastructure, often disguised through encrypted traffic and randomized beaconing intervals.
7. Multi-Stage Infection Chains
- In some campaigns, FormBook or XLoader is dropped as a secondary payload via other malware such as GuLoader.
- The infection chain can involve several layers, including loaders, droppers, and post-exploitation tools.
8. Targeted Techniques for macOS
- JAR files or disguised Mach-O binaries are delivered via social engineering.
- Campaigns may rely on users manually granting permissions or executing terminal commands.
- Early versions may use Windows-specific artefacts or indicators, suggesting less mature development compared to the Windows variant.
Because the vectors are so varied, no single control covers every path in. Combined with the obfuscation and evasion techniques above, this makes detection and mitigation considerably harder for tooling that is not behavior-focused and content-aware.
Known Indicators of Compromise (IoCs)
CVE
- CVE-2017-11882 (Microsoft Office Equation Editor memory corruption, patched in November 2017; exploited by weaponized document lures so that no macro prompt is needed)
FileHash-MD5
0dbbaea650ca1dc68afb29e4eaaeb650
19ac38b2e44d149859664387297f21c3
23d94285fbcaa4d17bbedf04fd6f77fe
FileHash-SHA1
4b8dd163f27e2e404009bcf7a286ca06c7b4fed7
caf3008711fdde546f292e2a439472f3dd36e372
e331eb48551c1bc220782e072be72308b99157da
FileHash-SHA256
2e73b32d2180fd06f5142f68e741da1cff1c5e96387cebd489ad78de18840a56
6ac778712dffce48b51850ac34a846da357be07328b00d0b629ec9b2f1c37ece
7c66e3156bbe88ec56294cd2ca15416dd2b18432deedc024116ea8fbb226d23b
93cf566c0997d5dcd1129384420e4ce59764bd86fdabaaa8b74caf5318ba9184
URL
hxxps://www2[.]0zz0[.]com/2025/02/02/10/709869215[.]png
hxxps://www2[.]0zz0[.]com/2025/02/02/10/709869215[.]xn--png-9o0a
Hostname
www2[.]0zz0[.]com
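To make the indicators above usable, the Python below (an added example for this page, not tooling from the advisory or its sources) refangs the defanged URLs and hostname, then matches them against constructed proxy log lines and endpoint hash records; the log layout and the sample records are assumptions. The hostname is compared exactly rather than by substring so that a lookalike such as www2.0zz0.com.evil.example does not match, and hashes are case-normalised because EDR products differ on hex case.

```python
"""Added example for this page (not from the advisory or its sources): refang the
defanged indicators listed above and match them against constructed proxy log
lines and endpoint hash records. The log layout and the sample records are
assumptions made for the example."""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators exactly as listed in the advisory (defanged).
DEFANGED_URLS = [
    "hxxps://www2[.]0zz0[.]com/2025/02/02/10/709869215[.]png",
    "hxxps://www2[.]0zz0[.]com/2025/02/02/10/709869215[.]xn--png-9o0a",
]
DEFANGED_HOSTS = ["www2[.]0zz0[.]com"]
SHA256_IOCS = {
    "2e73b32d2180fd06f5142f68e741da1cff1c5e96387cebd489ad78de18840a56",
    "6ac778712dffce48b51850ac34a846da357be07328b00d0b629ec9b2f1c37ece",
    "7c66e3156bbe88ec56294cd2ca15416dd2b18432deedc024116ea8fbb226d23b",
    "93cf566c0997d5dcd1129384420e4ce59764bd86fdabaaa8b74caf5318ba9184",
}


def refang(indicator: str) -> str:
    """Undo the common defanging conventions (hxxp, [.] and [:])."""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")


URL_IOCS = {refang(u) for u in DEFANGED_URLS}
HOST_IOCS = {refang(h).lower() for h in DEFANGED_HOSTS}


def match_proxy_log(lines) -> list:
    """Assumed log layout: '<timestamp> <client-ip> <method> <url> <status>'.
    A full-URL hit outranks a hostname-only hit: on a shared host the hostname
    alone is a weaker indicator than the exact path."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        host = (urlsplit(url).hostname or "").lower()  # exact compare, no substring
        if url in URL_IOCS:
            hits.append((n, "url", url))
        elif host in HOST_IOCS:
            hits.append((n, "host", host))
    return hits


def match_hashes(records) -> list:
    """Normalise case before comparing; many EDRs emit upper-case hex."""
    return [r["path"] for r in records if r["sha256"].lower() in SHA256_IOCS]


# Constructed sample data (not real telemetry).
SAMPLE_LOG = """\
2025-04-22T10:15:03Z 10.0.0.12 GET https://www2.0zz0.com/2025/02/02/10/709869215.png 200
2025-04-22T10:15:09Z 10.0.0.12 GET https://www2.0zz0.com/2025/02/02/10/other.jpg 200
2025-04-22T10:16:41Z 10.0.0.33 GET https://www.example.com/index.html 200
2025-04-22T10:17:02Z 10.0.0.12 GET https://www2.0zz0.com.evil.example/x 200
""".splitlines()

SAMPLE_RECORDS = [
    {"path": r"C:\Users\bob\AppData\Local\Temp\Invoice_0423.exe",
     "sha256": "2E73B32D2180FD06F5142F68E741DA1CFF1C5E96387CEBD489AD78DE18840A56"},
    {"path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "sha256": hashlib.sha256(b"constructed benign file").hexdigest()},
]

if __name__ == "__main__":
    print(match_proxy_log(SAMPLE_LOG))
    print(match_hashes(SAMPLE_RECORDS))
```

The second listed URL keeps its punycode-encoded extension as a literal string, which is the safest way to match it: normalising it to Unicode first would make the comparison depend on the proxy's own logging encoding.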
Mitigation and Prevention
User Awareness:
- Conduct training on identifying phishing threats and risks of enabling macros
- Run simulations of realistic phishing scenarios
Email Filtering:
- Use sandboxing for attachments
- Block or quarantine password-protected archives, which attachment sandboxes cannot open, and flag archives (ZIP, RAR, ISO) that contain executables, scripts, or LNK files
- Enable URL rewriting and detonation
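Attachment archives were described under Malicious Attachments above, and the Email Filtering bullets call for blocking password-protected archives. The following Python is an added example written for this page, not code from the advisory or from any of the cited vendors: it triages a ZIP attachment statically for password-protected entries (general-purpose flag bit 0), LNK and script payloads, double extensions such as Invoice.pdf.exe, and PE files hiding behind a document extension. The extension lists, the sample archives and the helper that sets the encryption flag (needed only because the standard library cannot write password-protected archives) are assumptions made for the example.

```python
"""Added example for this page (not from the advisory or its sources): static
triage of a ZIP attachment for the archive tricks described above, namely
password-protected entries, LNK/script payloads, double extensions and
executables disguised with a document extension. The sample archives are
constructed in memory so the script runs offline."""
import io
import struct
import zipfile

# Extensions that execute on double-click on Windows (assumed policy list; extend as needed).
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".dll", ".bat", ".cmd", ".js", ".jse", ".vbs",
            ".vbe", ".wsf", ".hta", ".lnk", ".ps1", ".jar", ".msi", ".iso", ".img"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
PE_EXT = {".exe", ".dll", ".scr", ".sys"}
ENCRYPTED = 0x1  # general-purpose flag bit 0 in the ZIP headers


def triage_zip(data: bytes) -> dict:
    """Return a verdict and the list of (rule, entry name) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if "\u202e" in name:  # right-to-left override hides the true extension
                findings.append(("rtlo_filename", name))
            if info.flag_bits & ENCRYPTED:
                # Content cannot be inspected without the password; the entry
                # name alone is still available and is grounds to hold the mail.
                findings.append(("encrypted_entry", name))
                continue
            exts = ["." + e for e in name.lower().split(".")[1:]]
            last = exts[-1] if exts else ""
            if last in EXEC_EXT:
                findings.append(("executable_entry", name))
                if len(exts) >= 2 and exts[-2] in DECOY_EXT:
                    findings.append(("double_extension", name))
            if last not in PE_EXT and not info.is_dir():
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":  # PE header under a non-PE extension
                        findings.append(("disguised_pe", name))
    return {"verdict": "block" if findings else "allow", "findings": findings}


def _mark_encrypted(zip_bytes: bytes, name: str) -> bytes:
    """Fixture helper: set the 'encrypted' flag on one entry in both the local
    header and the central directory, because the standard library can read
    password-protected archives but cannot write them."""
    buf = bytearray(zip_bytes)
    eocd = buf.rfind(b"PK\x05\x06")
    pos = struct.unpack_from("<I", buf, eocd + 16)[0]  # central directory offset
    while buf[pos:pos + 4] == b"PK\x01\x02":
        n, m, k = struct.unpack_from("<HHH", buf, pos + 28)  # name/extra/comment lengths
        if buf[pos + 46:pos + 46 + n] == name.encode():
            local = struct.unpack_from("<I", buf, pos + 42)[0]
            buf[pos + 8] |= ENCRYPTED
            buf[local + 6] |= ENCRYPTED
        pos += 46 + n + m + k
    return bytes(buf)


def build_sample_archive() -> bytes:
    """Constructed malicious-looking archive that exercises every rule."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_0423.pdf.exe", b"MZ" + b"\x00" * 64)  # double extension
        zf.writestr("Quotation.pdf", b"MZ" + b"\x00" * 64)         # PE behind .pdf
        zf.writestr("Open Me.lnk", b"L\x00\x00\x00")                 # shortcut payload
        zf.writestr("readme.txt", b"Please see the attached files.")
        zf.writestr("payload.dat", b"opaque")                        # flagged encrypted below
    return _mark_encrypted(out.getvalue(), "payload.dat")


def build_benign_archive() -> bytes:
    """Constructed clean archive for comparison."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("minutes.docx", b"PK\x03\x04" + b"\x00" * 16)  # a docx is itself a zip
        zf.writestr("readme.txt", b"Nothing to see here.")
    return out.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_archive()))
    print(triage_zip(build_benign_archive()))
```

The rules are deliberately cheap: they look only at entry names, header flags and the first two bytes of each file, which is enough for the triage decision (hold, detonate, or deliver) before any sandbox time is spent. RAR and ISO need their own readers, since neither format is in the Python standard library, but the same rules apply to their entry lists.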
Endpoint Detection and Response:
- Detect suspicious behavior such as process hollowing and memory injection
- Monitor explorer.exe for spawning unexpected child processes
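As an added example written for this page (not detection content from the advisory or its sources), the Python below turns the post-execution behavior described above and the two Endpoint Detection and Response bullets into rules and runs them over constructed, Sysmon-shaped process-creation and image-load events: an Office application spawning a script host, explorer.exe launching a binary from a user-writable staging directory, jarsigner.exe running outside a JDK install, and jarsigner.exe loading a DLL from outside the JDK or Windows directories (the sideload case). Field names, the path allow-lists and the sample events are assumptions.

```python
"""Added example for this page (not code from the advisory or its sources):
behavior rules for the post-execution tradecraft described above, run over
constructed process-creation and image-load events in a Sysmon-like shape.
Field names, the sample events and the path allow-lists are assumptions."""
import ntpath  # parses Windows paths on any host OS

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Directories a phished user drops and runs attachments from (assumed; tune per fleet).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\",
                "\\users\\public\\")
# Where a genuine JDK copy of jarsigner.exe and its DLLs live (assumed; tune per fleet).
JDK_ROOTS = ("c:\\program files\\java\\", "c:\\program files\\eclipse adoptium\\")
OS_ROOTS = ("c:\\windows\\",)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list:
    """Return the rule findings that fire for one event (empty list if none)."""
    findings = []
    image = ev["image"].lower()
    proc = _base(image)
    if ev["event"] == "ProcessCreate":
        parent = _base(ev["parent_image"])
        # Macro-enabled document handing off to a script host or LOLBin.
        if parent in OFFICE_APPS and proc in SCRIPT_HOSTS:
            findings.append(f"office_spawns_script_host: {parent} -> {proc}")
        # explorer.exe launching a binary from a user-writable staging directory.
        if parent == "explorer.exe" and any(d in image for d in STAGING_DIRS):
            findings.append(f"explorer_child_from_staging_dir: {image}")
        # A copy of a trusted signed tool running outside its install location.
        if proc == "jarsigner.exe" and not image.startswith(JDK_ROOTS):
            findings.append(f"jarsigner_outside_jdk: {image}")
    elif ev["event"] == "ImageLoad":
        dll = ev["image_loaded"].lower()
        # Sideload: the tool loads a DLL from neither the JDK nor the OS directories.
        if proc == "jarsigner.exe" and not dll.startswith(JDK_ROOTS + OS_ROOTS):
            findings.append(f"jarsigner_sideload: {dll}")
    # Process hollowing and APC injection are not visible in these two event
    # types; they need process-access and remote-thread telemetry (Sysmon
    # Event IDs 10 and 8) to be detected.
    return findings


def run_rules(events) -> list:
    """Evaluate every event; returns (event id, finding) pairs in order."""
    return [(ev["id"], f) for ev in events for f in check_event(ev)]


# Constructed sample telemetry (not real logs). helper.dll is a made-up name;
# in a real sideload the DLL name matches one the application actually imports.
SAMPLE_EVENTS = [
    {"id": 1, "event": "ProcessCreate",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 2, "event": "ProcessCreate",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": 3, "event": "ProcessCreate",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\Invoice_0423.exe"},
    {"id": 4, "event": "ProcessCreate",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\bob\Downloads\Quotation\jarsigner.exe"},
    {"id": 5, "event": "ImageLoad",
     "image": r"C:\Users\bob\Downloads\Quotation\jarsigner.exe",
     "image_loaded": r"C:\Users\bob\Downloads\Quotation\helper.dll"},
    {"id": 6, "event": "ImageLoad",
     "image": r"C:\Users\bob\Downloads\Quotation\jarsigner.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll"},
    {"id": 7, "event": "ImageLoad",
     "image": r"C:\Program Files\Java\jdk-21\bin\jarsigner.exe",
     "image_loaded": r"C:\Program Files\Java\jdk-21\bin\helper.dll"},
]

if __name__ == "__main__":
    for event_id, finding in run_rules(SAMPLE_EVENTS):
        print(event_id, finding)
```

Tune the allow-lists to the fleet before deploying: the jarsigner.exe rules are precise because a genuine copy only lives under a JDK, whereas the explorer.exe rule will need exclusions for legitimate installers that users run from Downloads. Event 4 fires twice on purpose (staging directory and out-of-place signed tool), which is the kind of corroboration worth escalating on.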
Zero Trust and MFA:
- Require MFA for access to all internet facing services
- Enforce the principle of least privilege
System Hardening:
- Block macros in Office files that carry the Mark of the Web (downloaded from the internet or received by email); this has been the Microsoft default since 2022, so verify that policy has not overridden it
- Enforce Safe DLL Search Mode through group policy, but note its limit: it only demotes the current working directory in the search order, so a malicious DLL placed next to a copied jarsigner.exe in the application directory still loads first. Pair it with application control (AppLocker or WDAC) that blocks execution from user-writable paths such as Downloads and %TEMP%
- Regularly update operating systems and applications
Risk Assessment
FormBook and XLoader represent a high-impact risk. The ease of access through MaaS, combined with evolving capabilities and a wide targeting scope, makes this malware family dangerous. Organizations that rely only on signature-based detection are especially vulnerable. Defenses should prioritize behavior-based alerting and hardened configurations.
Conclusion
FormBook and XLoader illustrate the risks posed by commoditized malware services. These threats are accessible, stealthy, and effective, offering scalable credential theft and downloader functionality that can lead to further compromise. Security teams should focus on layered defenses that include user awareness, advanced email security, and behavior-based detection.
Sources:
- ANY.RUN - FormBook Malware Trends
- Security Affairs - Experts warn of JinxLoader loader used to spread Formbook and XLoader
- Forescout - FormBook: Infostealer Malware
- Fortinet - Infostealer Malware FormBook Spread via Phishing Campaign