XLoader Malware

Security researchers at Check Point Research (CPR) on Wednesday disclosed a new strain of cross-platform malware that steals sensitive information from Apple’s macOS users.

The malware, identified as “XLoader”, is currently being distributed as malware-as-a-service (MaaS) on a dark web forum as a botnet loader service for as little as $49, and can be deployed against both Windows and macOS devices.

For those unaware, XLoader originated from a Windows-based variant called Formbook. Available for $29 a week, Formbook first popped up on hacking forums in 2016. Intended to be “a simple keylogger”, Formbook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and executes malicious files on the victim’s machine.

However, customers immediately saw its potential as a universal tool for use in broad spam campaigns targeting organizations all over the world. Although this malware disappeared from sale in 2018, it reappeared in 2020 under a new name, XLoader.

XLoader’s credential harvesting feature works for “almost one hundred applications including browsers, messengers, FTP and email clients,” researchers write.

According to the CPR report, XLoader, which shares its code base with Formbook, was advertised for sale in one of the underground groups on February 6, 2020. Since then, it has grown in popularity as a cross-platform (Windows and macOS) botnet with no dependencies and includes major improvements, such as the capability of compromising macOS systems.

Check Point tracked XLoader activity for a six-month period (between December 1, 2020, and June 1, 2021), observing requests from 69 countries, and found that over half (53%) of the victims infected with the malware, both Mac and Windows users, are in the U.S.

Victims are tricked into downloading XLoader via typical phishing schemes that use spoofed emails, which contain malware-loaded Microsoft Office documents. According to Apple, approximately 200 million users were operating macOS in 2018, which means that the malware is a potential threat to all Mac users.

“I think there is a common incorrect belief with macOS users that Apple platforms are more secure than other more widely used platforms. While there might be a gap between Windows and MacOS malware, the gap is slowly closing over time. The truth is that MacOS malware is becoming bigger and more dangerous,” said Yaniv Balmas, Head of cyber research at Check Point Software.

“Our recent findings are a perfect example and confirm this growing trend. With the increasing popularity of MacOS platforms, it makes sense for cyber criminals to show more interest in this domain, and I personally anticipate seeing more cyber threats following the Formbook malware family. I would think twice before opening up any attachments from emails I get from senders I don’t know.”

CPR recommends that users steer clear of unprotected websites, avoid opening suspicious email attachments from unknown senders, and use third-party protection software to keep their Mac or PC safe from malware.

“Since this malware is [stealthy] in nature, it is likely difficult for a ‘non-technical’ eye to recognize whether they have been infected,” the analysts opined.

“Therefore, if you suspect you have been infected it would be wise to consult with a security professional or use third-party tools and protections designed to identify, block and even remove this threat from your computer.”

The cybersecurity company also recommends using the AutoRun feature of Windows Explorer (see below). Note: this method isn’t for the inexperienced.

  1. Check your username in the OS.
  2. Go to the /Users/[username]/Library/LaunchAgents directory.
  3. Check for suspicious filenames in this directory (e.g. a random-looking name such as /Users/user/Library/LaunchAgents/com.wznlVRt83Jsd.HPyT0b4Hwxh.plist).
  4. Remove the suspicious file.
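The manual LaunchAgents check above can be scripted. The shell script below is an added example written for this article; it is not Check Point’s tool, and the “random-looking name” heuristic it applies (a dot-separated label segment of eight or more characters mixing lower case, upper case and digits, with no hyphen or underscore) is an assumption, not a published detection rule. The legitimate-looking agent names in the demo are constructed sample data; the only real name is the XLoader-style filename quoted in the article.

```shell
#!/bin/sh
# Heuristic triage of per-user LaunchAgents on macOS (added example, not CPR's code).
# Legitimate agent labels are usually reverse-DNS made of word-like segments
# (com.google.keystone.agent); the XLoader sample on the page uses segments that
# mix upper case, lower case and digits at random.  The heuristic below is an
# assumption for illustration and will not catch every malicious agent.

# looks_random FILENAME -> returns 0 if the name looks machine-generated, 1 otherwise
looks_random() {
    name=${1%.plist}
    old_ifs=$IFS
    set -f                      # no pathname expansion while splitting on '.'
    IFS='.'
    set -- $name
    IFS=$old_ifs
    set +f
    for seg in "$@"; do
        case $seg in
            *[-_]*) continue ;;  # versioned or hyphenated segments are usually vendor names
        esac
        if [ ${#seg} -ge 8 ] \
           && printf '%s' "$seg" | grep -q '[[:lower:]]' \
           && printf '%s' "$seg" | grep -q '[[:upper:]]' \
           && printf '%s' "$seg" | grep -q '[[:digit:]]'; then
            return 0
        fi
    done
    return 1
}

# scan_launch_agents [DIR] -> prints each suspicious .plist path, one per line.
# Defaults to the current user's LaunchAgents directory (step 2 of the article).
scan_launch_agents() {
    dir=${1:-"$HOME/Library/LaunchAgents"}
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.plist; do
        [ -e "$f" ] || continue
        if looks_random "$(basename "$f")"; then
            printf '%s\n' "$f"
        fi
    done
}

# demo -> builds a throwaway directory with constructed agent names plus the
# XLoader-style name from the article, scans it, and prints what was flagged.
demo() {
    tmp=$(mktemp -d)
    for n in com.google.keystone.agent.plist \
             com.adobe.GC.Invoker-1.0.plist \
             com.wznlVRt83Jsd.HPyT0b4Hwxh.plist; do
        : > "$tmp/$n"
    done
    scan_launch_agents "$tmp"
    rm -rf "$tmp"
}

demo
```

To check a real machine, call `scan_launch_agents` with no argument; treat anything it prints as a lead to inspect (open the plist and look at its `ProgramArguments`), not as proof of infection, since the heuristic only looks at the filename.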