Skip Navigation
BlackBerry ThreatVector Blog

BlackBerry Prevents: xLoader Infostealer

xLoader is an information-stealing malware targeting both macOS® and Windows®. Previously sold on underground forums under the name Formbook, xLoader surfaced in early 2020 shortly after Formbook was shut down by its author.

xLoader is sold under a malware-as-a-service (MaaS) agreement. Subscribers have access to the administrative panel and executable builds for both Windows and macOS. The authors of xLoader retain full control of command-and-control (C2) infrastructure and malware builds for each target environment.

DEMO VIDEO: BlackBerry vs. XLoader Infostealer

BlackBerry Cyber Suite and BlackBerry Guard stop these attacks.

BlackBerry customers can feel confident that our AI-driven BlackBerry® Cyber Suite, as well as our Managed Detection & Response (MDR) solution BlackBerry® Guard, are well-equipped to mitigate the risks posed by threat actors: 

  • BlackBerry® Protect provides automated malware prevention, application and script control, memory protection, and device policy enforcement. 
  • BlackBerry® Optics extends the threat prevention by using artificial intelligence (AI) to prevent security incidents. It provides true AI incident prevention, root cause analysis, smart threat hunting, and automated detection and response capabilities.  
  • BlackBerry recommends activating the following BlackBerry Optics rules to provide additional telemetry from an xLoader malware attack: 
    • Win_cmd_cmdc_MITRET1059
    • Win_DelErase_Usage_MitreT1107
  • The BlackBerry® Mobile Threat Defense (MTD) solution prevents and detects advanced malicious threats at the device and application levels. It combines the mobile endpoint management capabilities of BlackBerry® Unified Endpoint Manager (UEM) with advanced AI-driven threat protection, to get in front of malicious cyberattacks in a Zero Trust environment. 
  • BlackBerry® Persona creates trust based on behavior analytics, app usage, and network and process invocation patterns. It uses adaptive risk scoring to provide continuous authentication. 
  • BlackBerry Guard customers are proactively protected from xLoader malware attacks. Our 24/7 MDR solution customers receive:  
    • Alerts monitored in real-time  
    • Corrective policies applied while discovering gaps in policy implementation  
    • Prioritized threat hunting  
    • The latest threat intelligence for fast-moving threats  

Prevention First

At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill-chain. 

By stopping malware at this stage, BlackBerry® solutions help organizations increase their resilience. It also helps to reduce infrastructure complexity and streamline security management, ensuring your business, people and endpoints are secure. 

BlackBerry Assistance

The BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure. 

For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form.

Video Transcription

“In this video, we will demonstrate how xLoader is able to compromise a system to run silently and steal information such as clipboard content and credentials stored on popular browsers, plus how it can also serve as a keylogger and collect screenshots from the victim's machine.

We have configured this machine to run in Audit-Only mode to provide visibility on the features of this malware.

As soon as we execute the xLoader malware, we can see how it runs a complex process in memory to check the environment, which is detected and, with a proper policy, prevented in memory by the BlackBerry® Protect Memory Protection module. When satisfied, the malware then migrates to a system process, specifying read or write permissions on its request to get the ability to conduct code injection.

We can see this whole process by looking at Root-Cause Analysis via BlackBerry Optics, where we can get a step-by-step view of what just happened, as well as take a closer look at the credential-stealing activities conducted by xLoader.

Let's travel back in time to October 2015 by using a 6-year-old Cylance® AI model, to test our Temporal Predictive Advantage on a system with no access to the Internet or any updates. Let’s go ahead and copy the malware sample we just executed. As you can see, BlackBerry prevents this from executing on the system.

Now, let's try with 96 recent variants of xLoader with equal or greater capabilities to the ones described initially. BlackBerry prevents all these files from executing.

Prevention is possible, with BlackBerry.”

The BlackBerry Research & Intelligence Team

About The BlackBerry Research & Intelligence Team

The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.