The popular Windows information-stealing malware has been modified into a new strain called XLoader, which now also targets macOS systems.
XLoader is currently being offered on an underground forum as a botnet loader service that can “recover” passwords from web browsers and some email clients (Chrome, Firefox, Opera, Edge, IE, Outlook, Thunderbird, Foxmail).
XLoader, which was derived from the Formbook info-stealer for Windows, emerged last February and gained popularity, advertised as a cross-platform (Windows and macOS) botnet with no dependencies.
The connection between the two malware pieces was confirmed after a member of the community reverse-engineered XLoader and found that it had the same executable as Formbook.
The advertiser explained that Formbook’s developer contributed a lot to creating XLoader, and that the two malware families have similar functionality (stealing login credentials, capturing screenshots, logging keystrokes, and executing malicious files).
Customers can rent the macOS malware version for $49 per month and get access to a server that the seller provides. By keeping a centralized command and control infrastructure, the authors can control how clients use the malware.
The Windows version costs more as the seller asks $59 for a one-month license and $129 for three months.
The makers of XLoader also provide a Java binder for free, which allows customers to create a standalone JAR file with the Mach-O and EXE binaries used by macOS and Windows.
The malware researchers at Check Point tracked XLoader’s activity over six months, up to June 1st, and saw requests from 69 countries, with more than half of the victims in the United States.
Even though Formbook is no longer advertised on underground forums, it continues to be a prevalent threat. It was part of at least 1,000 malware campaigns over the past three years.
According to the researchers, XLoader is stealthy enough to remain undetectable.
They recommend using macOS’ Autorun to check the username in the OS, then looking into the LaunchAgents folder (/Users/[username]/Library/LaunchAgents) and deleting entries with suspicious, random-looking filenames.
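The LaunchAgents check above can be scripted. The following POSIX shell snippet is an added example, not code from the article or from Check Point: it lists the .plist files in a user's LaunchAgents folder and flags names that do not look like a vendor's reverse-DNS label. The heuristic is an assumption of this example (legitimate agents are usually named like com.vendor.product.plist; a stem with no dots, a long segment mixing letters and digits, or a vowel-free segment is treated as random-looking), so flagged entries are candidates for review rather than automatic deletion.

```shell
#!/bin/sh
# Added example (not from the article or Check Point): flag random-looking
# LaunchAgent plist names in ~/Library/LaunchAgents for manual review.

# looks_random NAME: return 0 (true) if a plist filename looks random.
# Assumed heuristic: no namespace dot, or a dot-separated segment of 8+
# alphanumerics mixing letters and digits, or a segment of 5+ consonants.
looks_random() {
    stem=${1%.plist}
    case "$stem" in
        *.*) ;;            # has a namespace dot: inspect its segments below
        *) return 0 ;;     # no dot at all (e.g. zR8k2pQw.plist): flag
    esac
    # lowercase the stem and put each dot-separated segment on its own line
    segs=$(printf '%s\n' "$stem" | tr 'A-Z.' 'a-z\n')
    # count segments that are 8+ alphanumerics containing both a digit and a letter
    mixed=$(printf '%s\n' "$segs" | grep -E '^[a-z0-9]{8,}$' | grep '[0-9]' | grep -c '[a-z]' || true)
    # count segments of 5+ letters with no vowel (e.g. "fqslz")
    novowel=$(printf '%s\n' "$segs" | grep -c -E '^[b-df-hj-np-tv-z]{5,}$' || true)
    [ "$mixed" -gt 0 ] || [ "$novowel" -gt 0 ]
}

# scan_launchagents [DIR]: print the plist filenames in DIR (default: the
# current user's LaunchAgents folder named in the article) that look random.
scan_launchagents() {
    dir=${1:-$HOME/Library/LaunchAgents}
    [ -d "$dir" ] || return 0
    for path in "$dir"/*.plist; do
        [ -e "$path" ] || continue     # glob matched nothing
        name=${path##*/}
        if looks_random "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Usage: sh scan_launchagents.sh [/Users/<username>/Library/LaunchAgents]
scan_launchagents "$@"
```

Each flagged file should be opened and its Program or ProgramArguments key inspected before anything is removed; a short vendor-like name is not proof of legitimacy either, so this only narrows the list to look at first.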
Due to the popularity of macOS, the researcher believes that more malware families will adapt and add macOS to the list of supported operating systems.