Skip to main content

XLoader malware infects Macs now; collects keystrokes, screenshots, and more

XLoader malware has now migrated from Windows machines to attack Macs too. An evolution of the malware known as Formbook, it lets an attacker log keystrokes, take screenshots, and access other private information.

Worryingly, the malware is sold on the dark web for $49, enabling anyone to deploy it against both Windows and Mac users …

The good news is that it does require user action to trigger it. Attackers typically send an email that contains the malware embedded into Microsoft Office documents.

Security researchers at Check Point discovered it.

Check Point Research (CPR) sees a new strain of malware that has evolved to steal the information of MacOS users. Named “XLoader”, the new strain is a derivative of the famous “Formbook” malware family, which mainly targeted Windows users, but disappeared from being on sale in 2018. Formbook rebranded to XLoader in 2020. Over the past six months, CPR studied XLoader’s activities, learning that XLoader is prolific, targeting not just Windows, but to CPR’s surprise, Mac users as well.  

Hackers can buy XLoader licenses on the Darknet for as low as $49, equipping them with capabilities to harvest log-in credentials, collect screenshots, log keystrokes, and execute malicious files. Victims are tricked into downloading XLoader via spoofed emails that contain malicious Microsoft Office documents.

This is a potential threat to all Mac users. In 2018, Apple estimated that over 100M Macs were in use. 

CPR tracked Xloader activity between December 1, 2020 and June 1, 2021. CPR saw XLoader requests from as many as 69 countries. Over half (53%) of the victims reside in the United States.

XLoader is stealthy, meaning it is hard to tell when a Mac is infected with it, but the company does provide one method of checking.

1. Go to /Users/[username]/Library/LaunchAgents directory
2. Check for suspicious filenames in this directory (example below is a random name)

/Users/user/Library/LaunchAgents/com.wznlVRt83Jsd.HPyT0b4Hwxh.plist

As with any malware, you can minimize the risk of infection by avoiding sketchy websites and using caution with attachments. Never open an attachment unless you know the sender and are expecting it – because it’s common for attackers to spoof the From address of an email.

Yaniv Balmas, head of cyber research at Check Point Software, said that Mac owners shouldn’t be complacent.

Historically, MacOS malware hasn’t been that common. They usually fall into the category of ‘spyware’, not causing too much damage.

I think there is a common incorrect belief with MacOS users that Apple platforms are more secure than other more widely used platforms. While there might be a gap between Windows and MacOS malware, the gap is slowly closing over time. The truth is that MacOS malware is becoming bigger and more dangerous. Our recent findings are a perfect example and confirm this growing trend. With the increasing popularity of MacOS platforms, it makes sense for cyber criminals to show more interest in this domain, and I personally anticipate seeing more cyber threats following the Formbook malware family.

Photo: Ilya Pavlov/Unsplash

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications