A new version of XLoader malware, capable of obscuring the C2 infrastructure, has been spotted in the wild. The malware is a successor of Formbook malware and was first discovered in 2021 on the dark web.

Formbook is no longer active

During the analysis, Check Point researchers found that the latest iteration of the Formbook stealer, version 4.1, dates back to 2020. Since then its authors have not updated the malware, indicating that Formbook has been discontinued.

About XLoader

  • In July 2021, XLoader appeared to fill the gap left by the absence of Formbook. The malware was offered for sale on several underground forums under a different alias.
  • The emergence of XLoader opened several new opportunities for threat actors, the ability to target macOS systems being one of the most notable.

About the new version

  • On May 5, researchers spotted a new version of XLoader malware, dubbed v2.6.
  • The main change in this version is the use of probability theory to hide its command and control servers, which is intended to make it harder for security experts to disrupt the malware's operation.
  • XLoader v2.6 overwrites eight of the 64 domains in its configuration list, chosen at random, with new values.
  • This overwriting of real domains with fake ones is repeated on every attack attempt. It helps the attackers hide the real C2 servers from security analysts while the infection process continues.
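The following simulation is an added example (not Check Point's code or anything from XLoader itself) that models the behaviour described above from an analyst's side: a 64-entry list with one real C2 among decoys, eight random entries replaced with fresh fake names on every run. It assumes the real C2 can be among the overwritten entries and that fake names are freshly generated each run; it shows why a single observed run is unreliable and how aggregating many runs separates the persistent configured list from transient fakes.

```python
import random
from collections import Counter

# Constructed sample configuration: 64 placeholder domains, one of which is
# treated as the "real" C2. Index and names are assumptions for the simulation.
CONFIG_DOMAINS = [f"decoy{i:02d}.example" for i in range(64)]
REAL_C2 = "real-c2.example"
CONFIG_DOMAINS[17] = REAL_C2
OVERWRITE_COUNT = 8


def contacted_domains(rng):
    """One simulated run: 8 random positions of the 64-entry list are
    replaced with freshly generated fake names; the whole list is returned
    as the set of domains the sample would reach out to on that run."""
    run_list = list(CONFIG_DOMAINS)
    for pos in rng.sample(range(len(run_list)), OVERWRITE_COUNT):
        run_list[pos] = f"fake{rng.randrange(10**6):06d}.invalid"
    return run_list


def single_run(seed):
    """Convenience wrapper: the domain list produced by one seeded run."""
    return contacted_domains(random.Random(seed))


def real_c2_reach_rate(runs, seed=0):
    """Fraction of runs in which the real C2 survived the overwrite (~7/8)."""
    rng = random.Random(seed)
    hits = sum(REAL_C2 in contacted_domains(rng) for _ in range(runs))
    return hits / runs


def simulate_observations(runs, seed=0):
    """Observed domain lists from several runs, as an analyst would collect."""
    rng = random.Random(seed)
    return [contacted_domains(rng) for _ in range(runs)]


def stable_domains(observations, min_fraction=0.5):
    """Analyst view: keep only domains seen in at least min_fraction of the
    observed runs. Configured entries recur; one-off fakes fall out."""
    counts = Counter(d for obs in observations for d in set(obs))
    return {d for d, c in counts.items() if c >= min_fraction * len(observations)}


if __name__ == "__main__":
    print("domains contacted in one run:", len(single_run(1)))
    print("real C2 reached in fraction of runs:", real_c2_reach_rate(10_000))
    print("stable domains after 30 runs:", len(stable_domains(simulate_observations(30))))
```

Across 30 observed runs the recovered stable set is exactly the 64 configured domains, which is why the real C2 stays hidden among the decoys even after the fakes are filtered out.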

Final words

The re-emergence of XLoader with new evasion capabilities shows that malware authors are always at the forefront of inventing new tricks to prolong the lives of their creations as long as possible. Therefore, organizations must be vigilant and implement protection across their network, cloud, and endpoints to prevent attacks.

Cyware Publisher