According to a newly released report from Bleeping Computer, an information security and technology news publication established in 2004, a very popular form of malware that steals information from Windows systems has been modified into a new strain called XLoader, which is now also targeting macOS. Super.
So what is XLoader anyway? Welp, it can steal login credentials, capture screenshots, log keystrokes, and execute malicious files. It’s a botnet loader service currently being offered on an underground forum that can “recover” passwords from web browsers and some email clients (Chrome, Firefox, Opera, Edge, IE, Outlook, Thunderbird, Foxmail). Derived from the Formbook info-stealer for Windows, XLoader emerged last February and has grown in popularity, advertised as a cross-platform (Windows and macOS) botnet with no dependencies.
The malware was discovered by security researchers at Check Point Software. Check Point tracked XLoader for a six-month period and found requests for the malware from 69 countries, indicating significant use across the world. More than half of the malware’s victims were based in the US.
Although Formbook is no longer advertised on underground forums, it continues to be a prevalent threat. It was part of at least 1,000 malware campaigns over the past three years and, according to AnyRun’s malware trends, the info-stealer takes fourth place over the past 12 months, after Emotet.
As if this wasn’t already terrifying, Check Point researchers say that XLoader is stealthy enough to make it difficult for a regular, non-technical user to spot it.
So what can you do?
- BE ON THE LOOKOUT: The good news is that it does require user action to trigger it. It’s not just gonna somehow ambush your system without some form of action from you first. Attackers typically send an email that contains the malware embedded in Microsoft Office documents, so be on the lookout for those.
- CHECK FOR IT: Check Point recommends using macOS’ Autorun to check the username in the OS and to look into the LaunchAgents folder [/Users/[username]/Library/LaunchAgents] and delete entries with suspicious filenames (random-looking names). An example of such a name would be: /Users/user/Library/LaunchAgents/com.wLs45G.ddGh67g784.plist
- DON’T BE DUMB: No, you haven’t actually inherited one billion dollars from your ancestor in Nigeria, don’t click the link. Porn? I’m not gonna tell you to stop watching it because, well, I won’t, but just be careful of the websites that you do rub n’ tug to.
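To make the “CHECK FOR IT” step a bit less eyeball-driven, here is an added example (my own script, not something from the article or from Check Point) that lists the .plist files in a LaunchAgents folder and flags the ones whose label looks machine-generated, like the com.wLs45G.ddGh67g784.plist example above. The “random-looking” test is an assumption: a dot-separated component of at least five characters that mixes digits with both upper- and lower-case letters. It is a triage aid, not a detection signature, so review anything it flags before deleting it.

```shell
#!/bin/sh
# Added example, not from the article or from Check Point.
# Flags LaunchAgents plists whose label looks random (e.g. com.wLs45G.ddGh67g784.plist).

# is_random_component WORD -> exit 0 if WORD looks machine-generated.
# Heuristic (an assumption, not a signature): at least 5 characters and a
# mix of digits, lower-case and upper-case letters, like "wLs45G".
is_random_component() {
    w=$1
    [ "${#w}" -ge 5 ] || return 1
    printf '%s' "$w" | grep -q '[0-9]' || return 1
    printf '%s' "$w" | grep -q '[a-z]' || return 1
    printf '%s' "$w" | grep -q '[A-Z]' || return 1
    return 0
}

# is_suspicious_plist PATH -> exit 0 if the file is a .plist and any
# dot-separated component of its label looks random.
is_suspicious_plist() {
    name=${1##*/}
    case "$name" in
        *.plist) ;;
        *) return 1 ;;
    esac
    label=${name%.plist}
    for part in $(printf '%s' "$label" | tr '.' ' '); do
        if is_random_component "$part"; then
            return 0
        fi
    done
    return 1
}

# list_suspicious_agents [DIR] -> prints each flagged plist path in DIR
# (default: the current user's LaunchAgents folder), one per line.
# Returns 0 if anything was flagged, 1 otherwise.
list_suspicious_agents() {
    dir=${1:-"$HOME/Library/LaunchAgents"}
    found=1
    for f in "$dir"/*.plist; do
        [ -e "$f" ] || continue
        if is_suspicious_plist "$f"; then
            printf '%s\n' "$f"
            found=0
        fi
    done
    return $found
}

# Usage: sh check_agents.sh [/Users/<name>/Library/LaunchAgents]
if [ "$#" -gt 0 ]; then list_suspicious_agents "$1"; fi
```

Benign labels such as com.google.keystone.agent or org.company.updater2021 are not flagged because no single component mixes all three character classes.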
With macOS’s growing popularity, it has been exposed more and more to unwanted attention from cybercriminals, who now see macOS as an attractive target.
Yaniv Balmas, Head of Cyber Research at Check Point Software, says that because XLoader “is far more mature and sophisticated than its predecessors [i.e. Formbook],” Mac owners should not be complacent.
“While there might be a gap between Windows and MacOS malware, the gap is slowly closing over time. The truth is that MacOS malware is becoming bigger and more dangerous.” – Yaniv Balmas