CavalierGPT: The First Comprehensive Infostealers AI Bot - Read More →

Created by: alon

Date created: 2023-03-17

Last edited: 2023-03-17

Description: Formbook is an information-stealing malware, discovered in 2016, that is capable of stealing data entered into HTML website forms and logging keystrokes (https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/formbook) and also acting as a downloader for other malware (https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-formbook-malware/). xLoader is a JavaScript-based, cross-platform Formbook variant discovered in 2020 that is crafted to infect macOS as well as Windows systems. Check Point Research’s 2022 Mid-Year Report released in August 2022 placed Formbook as the “most prevalent” infostealer malware globally (and second-most prevalent of all malware types globally, behind only Emotet): https://www.checkpoint.com/downloads/resources/cyber-attack-trends-report-mid-year-2022.pdf.

Techniques (15)

  • Application Layer Protocol

    ID: T1071

    Tactics: Command and Control

    Description: https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/

  • Boot or Logon Autostart Execution

    ID: T1547

    Tactics: Persistence, Privilege Escalation

    Description: https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/

  • Clipboard Data

    ID: T1115

    Tactics: Collection

    Description: https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/

  • Credentials from Password Stores

    ID: T1555

    Tactics: Credential Access

    Description: https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/

  • Data from Configuration Repository

    ID: T1602

    Tactics: Collection

    Description: https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/

  • Exploitation for Client Execution

    ID: T1203

    Tactics: Execution

    Description: https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/

  • Masquerading

    ID: T1036

    Tactics: Defense Evasion

    Description: https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/

  • Phishing

    ID: T1566

    Tactics: Initial Access

    Description: https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/

  • Process Hollowing

    ID: T1055.012

    Tactics: Privilege Escalation, Defense Evasion

    Description: https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/

  • Remote Services

    ID: T1021

    Tactics: Lateral Movement

    Description: https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/

  • Scheduled Task/Job

    ID: T1053

    Tactics: Execution, Persistence, Privilege Escalation

    Description: https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/

  • System Checks

    ID: T1497.001

    Tactics: Defense Evasion, Discovery

    Description: https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/

  • Unsecured Credentials

    ID: T1552

    Tactics: Credential Access

    Description: https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/

  • User Execution

    ID: T1204

    Tactics: Execution

    Description: https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/

  • Virtualization/Sandbox Evasion

    ID: T1497

    Tactics: Defense Evasion, Discovery

    Description: https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/

infostealers-logo

BE THE FIRST TO KNOW

Get FREE access to Cavalier GPT

Stay informed with the latest insights in our Infostealers weekly report.

Receive a notification if your email is involved in an Infostealer infection.

No Spam, We Promise

BE THE FIRST TO KNOW

Get FREE access to Cavalier GPT

Stay informed with the latest insights in our Infostealers weekly report.

Receive a notification if your email is involved in an Infostealer infection.

No Spam, We Promise