TAG cybersecurity experts: The breadth of targets in those campaigns stands in contrast to many government-backed operations.
Brian Krebs: FormBook has undergone a rebrand and is now being sold as “xloader” on various forums
FormBook has undergone a rebrand and is now being sold as “xloader” on various forums. The binary is virtually identical and employs the same “MZ-as-alternative-entrypoint” trick. The rebrand was discovered by the cybersecurity expert Brian Krebs. Through its keylogger function, the malware captures everything the user types. It can also steal email and browser credentials and take screenshots. Finally, it can remotely execute commands on the infected PC, such as downloading additional payloads or updating those already present. FormBook has recently been used in an international cybercrime campaign against hotels, as JAMESWT detected. The bait is a fake booking with credit card details attached for confirmation: a compressed archive (.rar) containing an .exe file which, if opened, starts the malware infection chain. The goal is to steal sensitive data from victims.
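As an added example (not code from the original article or from any of the researchers named), a defender-side attachment check for the lure described above: it opens an archive attachment and flags members that are executables by content (the PE "MZ" header) rather than trusting the file extension. It assumes a zip archive as a stand-in for the .rar, since Python's standard library has no RAR reader; the sample archive is constructed inline.

```python
import io
import zipfile

# First two bytes of every Windows PE executable (DOS "MZ" header).
MZ_MAGIC = b"MZ"
EXEC_EXTENSIONS = (".exe", ".scr", ".dll")


def build_sample_archive() -> bytes:
    """Constructed sample: a fake 'booking confirmation' attachment in the
    style the article describes (an archive carrying an executable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Plain executable, as in the reported campaign.
        zf.writestr("booking_confirmation.exe", MZ_MAGIC + b"\x90" * 60)
        # Executable content hidden behind a harmless-looking extension.
        zf.writestr("invoice.pdf", MZ_MAGIC + b"\x00" * 60)
        # Benign text member.
        zf.writestr("readme.txt", b"Thank you for your reservation")
    return buf.getvalue()


def flag_executable_members(archive_bytes: bytes) -> list:
    """Return archive members that are executables, judged by the MZ header
    of their content or by a known executable extension."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            by_content = head == MZ_MAGIC
            by_name = info.filename.lower().endswith(EXEC_EXTENSIONS)
            if by_content or by_name:
                flagged.append(info.filename)
    return flagged


def should_quarantine(archive_bytes: bytes) -> bool:
    """Quarantine decision for a mail gateway: any executable member at all
    inside an inbound 'booking' archive is enough to hold the message."""
    return bool(flag_executable_members(archive_bytes))


if __name__ == "__main__":
    sample = build_sample_archive()
    print("flagged members:", flag_executable_members(sample))
    print("quarantine:", should_quarantine(sample))
```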