Formbook Malware Upgraded as XLoader to Attack macOS Systems

Researchers have spotted an upgraded variant of the Formbook malware, now sold as XLoader, that can also attack macOS systems.

Cybersecurity researchers on Wednesday disclosed details of an evolving malware that has now been upgraded to steal sensitive information from Apple’s macOS operating system.

XLoader is currently being offered on an underground forum as a botnet loader service that can “recover” passwords from web browsers and some email clients (Chrome, Firefox, Opera, Edge, IE, Outlook, Thunderbird, Foxmail).

XLoader is the successor to Formbook, a well-known Windows-based information stealer.

XLoader licenses start at $49, a price that gets even inexperienced and poorly funded attackers a tool to harvest login credentials, capture screenshots, log keystrokes and execute malicious files.

The advertiser explained that Formbook’s developer contributed a lot to creating XLoader, and the two malware had similar functionality (steal login credentials, capture screenshots, log keystrokes, and execute malicious files).

Infection chains begin with phishing: spoofed emails carry malicious attachments such as weaponized Microsoft Office documents.

While the very first Formbook samples were detected in the wild in January 2016, the sale of the malware on underground forums stopped in October 2017, only to be resurrected more than two years later in the form of XLoader in February 2020. In October 2020, the latter was advertised for sale on the same forum which was used for selling Formbook, Check Point said.

In addition, the malware has an extensive command-and-control (C2) infrastructure: its network communication uses close to 90,000 domains, but only about 1,300 of them are real C2 servers.

“The other 88,000 domains belong to legitimate sites; the malware sends malicious traffic to them as well,” CPR says. “This presents security vendors with the dilemma of how to determine which are the real C&C servers and not false-positively identify legitimate sites as malicious.”
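The decoy-traffic problem described above can be made concrete with a small detection exercise. The following Python is an added illustration, not code from the original article or from Check Point: it runs over constructed host-to-domain log lines (hypothetical host and domain names) and shows that flagging every destination an infected host contacts yields mostly false positives, while cross-referencing against traffic from clean hosts and ranking by prevalence across infected hosts narrows the candidates. It assumes the infected hosts were hit by samples sharing the same real C2 domain, which is an assumption for the demonstration, not a property of XLoader stated by the page.

```python
"""Decoy-C2 triage demo: separate a real C2 domain from the legitimate
decoys an infected host also contacts. Constructed data, hypothetical names."""
from collections import Counter, defaultdict

# Constructed DNS-style log lines ("<host> <domain>"), not real telemetry.
# Three infected hosts each contact the (hypothetical) real C2 plus decoys.
INFECTED_LOG = """\
host-a c2-real.example
host-a news.example
host-a cdn.example
host-a shop.example
host-b c2-real.example
host-b blog.example
host-b cdn.example
host-b mail.example
host-c c2-real.example
host-c news.example
host-c wiki.example
host-c video.example
"""

# Constructed baseline from hosts believed to be clean (hypothetical names).
CLEAN_LOG = """\
host-x news.example
host-x cdn.example
host-x mail.example
host-y blog.example
host-y cdn.example
host-y shop.example
host-y wiki.example
host-y video.example
"""


def parse_log(text):
    """Map each host to the set of domains it contacted."""
    per_host = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, domain = line.split()
        per_host[host].add(domain.lower())
    return dict(per_host)


def naive_iocs(infected_log):
    """Naive approach: flag every domain any infected host contacted.
    With decoy traffic this is dominated by legitimate sites."""
    per_host = parse_log(infected_log)
    return set().union(*per_host.values())


def baseline_filtered_iocs(infected_log, clean_log):
    """Drop domains that clean hosts also contact; only domains seen
    exclusively on infected hosts remain C2 candidates."""
    benign = set().union(*parse_log(clean_log).values())
    return naive_iocs(infected_log) - benign


def rank_by_prevalence(infected_log):
    """Count in how many infected hosts each domain appears. Under the
    assumption that the samples share one real C2, that domain is the
    one every infected host contacts, while decoys vary per host."""
    counts = Counter()
    for domains in parse_log(infected_log).values():
        counts.update(domains)
    return counts


if __name__ == "__main__":
    print("naive IOC count:", len(naive_iocs(INFECTED_LOG)))
    print("after baseline filter:", baseline_filtered_iocs(INFECTED_LOG, CLEAN_LOG))
    print("top by prevalence:", rank_by_prevalence(INFECTED_LOG).most_common(3))
```

The caveats matter more than the code: the baseline filter fails if the real C2 sits on a compromised legitimate domain that clean hosts also visit, and it misses nothing only if the decoy pool is small enough that clean hosts cover it; the prevalence ranking only works when the infected hosts share a configuration. Neither replaces analysis of the sample's own configuration, which is where the real server is actually recorded.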

As mentioned in the advertisement, the makers of XLoader also provide a Java binder for free, which lets customers create a standalone JAR file bundling the Mach-O and EXE binaries used on macOS and Windows respectively.

It appears that potential threat actors in 69 countries, so far, have requested access to the malware, which is managed by a centralized C2 server. Over half of XLoader victims detected so far are in the United States.

“XLoader is far more mature and sophisticated than its predecessors, supporting different operating systems, specifically macOS computers,” said Yaniv Balmas, head of cyber research at Check Point. “Historically, macOS malware hasn’t been that common. They usually fall into the category of ‘spyware’, not causing too much damage.”