The evolution of malware towards Malware-as-a-Service using Xloader as an example

Malware-as-a-Service (MaaS) is establishing itself as a business model for cybercriminals, as Zscaler’s ThreatlabZ analysts show using Xloader as an example. The infostealer called Xloader is the successor to Formbook, which has been sold in hacker forums since early 2016.


Formbook was provided with a web-based command and control panel for customers to manage their own botnets. In 2017, the source code of the Formbook panel was breached, after which the actor behind it switched to a different business model: instead of distributing a fully functional data and information stealing equipment, the C2 infrastructure is only distributed to customers rented. This malware-as-a-service business model is likely to be more profitable and also makes it more difficult to steal the code again. Then, in October 2020, Formbook was rebranded to Xloader, with major improvements made, particularly in relation to the encryption of the Command and Control (C2) network.


Since infostealers are used in ransomware attacks to steal confidential information and act as leverage for monetization, the popularity of the business model can be easily explained. Similar to legal software-as-a-service offerings, malware is offered as a service by criminal groups on a subscription basis. The criminal providers provide a platform that also enables attackers without programming knowledge to pursue criminal activities. If a ransomware attack is successful, the ransom paid is shared between the service provider, the programmer, and the subscriber.


Xloader offers the following options, among others:


  • Steal credentials from web browsers and other applications.
  • Capturing keystrokes.
  • Creating screenshots.
  • stealing passwords.
  • Download and run additional binaries.
  • Executing commands.

Xloader is a well-developed piece of malware that has numerous techniques to mislead investigators and complicate malware analysis. This includes several encryption levels and a dedicated virtual machine. Although the authors abandoned the Formbook branch to focus on its successor Xloader, both strains are still active. Formbook is still used by hackers using the leaked Panel source code and managing the C2 themselves, while the original authors are now selling the new variant as MaaS, supporting and renting out the server infrastructure. Not surprisingly, this malware family has been one of the most active threats in recent years.


Xloader uses HTTP to communicate with the C2 server. An HTTP GET request is sent as a form of registration. The malware then makes HTTP POST requests to the C2 server to collect information such as screenshots or stolen data. In both cases, the GET parameters and the POST data have a similar format and are encrypted as shown below.



Image source: Zscaler


Additionally, Xloader uses multi-layer block structures of data and code encryption to evade detection and mislead malware analysts.


“Infostealers play an important role in ransomware scenarios because attackers rely on double-extortion mechanisms. Thus, they increase their chance of monetizing the attack beyond just holding data hostage. The threat of releasing stolen sensitive data puts more pressure on victims to pay the ransom,” said Mark Lueck, CISO EMEA at Zscaler, “and organizations would do well to increase their ability to prevent the most common types of cybercrime evaluate. Effective measures also include factors such as limiting the lateral movement of attackers in a network or data leakage prevention to prevent data from leaking unnoticed.”