Xloader Malware

For a long time there was a widespread belief that Mac computers were immune to malicious software, but that idea has not survived recent events, which have shown clearly that Apple computers can be infected too.

The latest example is XLoader, an established Windows threat that has now been ported to macOS.

XLoader is the successor to Formbook, one of the best-known Windows information stealers, and it can harvest saved credentials from a range of web browsers.

Beyond credential theft, it carries out the following actions on instruction from attacker-controlled command-and-control domains:

  • Take screenshots
  • Record keystrokes
  • Download files
  • Execute files

The macOS variant was identified by Check Point researchers, who then investigated the malware and the people behind it.

New Developer

After digging into the sale, the analysts concluded that the person presenting themselves as XLoader's developer is in fact only a seller, not the developer.

The experts believe the actual author is someone else who handles the technical side of the operation from behind the scenes.

The analysts also found technical similarities between the two malware families, and a direct link between XLoader's seller and ng-Coder: a forum message from the XLoader account to ng-Coder reading simply "Thank you for the help."

New XLoader

XLoader is the successor to Formbook and shares the same code base with it, and the researchers found several other connections between the two.

On October 20, 2020, XLoader was offered for sale on the same underground forum that had previously been used to trade Formbook.

The most visible difference in the new malware is its ability to run on macOS. Its business model also differs: XLoader is sold as a service, which is a more profitable commercial arrangement for the authors than the Formbook model.

Customers rent the malware for a limited period and must use the command-and-control server provided by the seller, rather than hosting their own infrastructure.

Malware is on sale on the Dark Web forums

The operator sells XLoader on Dark Web forums for as little as $49 a month, advertising it as a cross-platform botnet with no dependencies.

The researchers also note that checking a Mac for infection is relatively straightforward: look for unfamiliar programs configured to start automatically (for example, unexpected login items or LaunchAgents entries) and remove them.
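The check described above, enumerating launchd persistence entries and flagging programs that live in user-writable or hidden locations, is easy to script. The following is an added example written for this page; it is not Check Point's tooling and not code from the article. The heuristics (trusted path prefixes, hidden directories, temp directories) and the function names are my own assumptions, and the plist files the demo audits are constructed sample data, not real XLoader artefacts.

```python
"""Audit macOS launchd persistence (LaunchAgents/LaunchDaemons) for suspicious entries.

Added example for illustration; the path heuristics are assumptions, not a
published indicator list. Run with no arguments on a Mac to audit the real
launchd directories, or call demo() to audit a constructed sample directory.
"""
import plistlib
from pathlib import Path
from typing import Optional

# Program paths rooted here are treated as normal for system or vendor software
# (assumption: a real audit would also verify code signatures).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/",
                    "/Applications/", "/opt/")
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def default_launchd_dirs() -> list:
    """Directories launchd reads job definitions from. ~/Library/LaunchAgents is
    writable by an unprivileged user, which is why commodity malware favours it."""
    return [Path.home() / "Library" / "LaunchAgents",
            Path("/Library/LaunchAgents"),
            Path("/Library/LaunchDaemons")]


def program_of(job: dict) -> Optional[str]:
    """Executable a launchd job runs: 'Program' wins, else ProgramArguments[0]."""
    prog = job.get("Program")
    if prog:
        return str(prog)
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def is_suspicious(program: str) -> bool:
    """Heuristic: hidden path component, temp directory, or anything outside
    the trusted vendor locations (home directories, /var, relative paths)."""
    parts = Path(program).parts
    if any(p.startswith(".") for p in parts[1:]):   # e.g. /Users/x/.hidden/bin
        return True
    if program.startswith(TEMP_PREFIXES):
        return True
    return not program.startswith(TRUSTED_PREFIXES)


def audit_launchd_dirs(dirs) -> list:
    """Parse every *.plist in the given directories and return findings as dicts."""
    findings = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for plist_path in sorted(d.glob("*.plist")):
            try:
                with open(plist_path, "rb") as fh:
                    job = plistlib.load(fh)
            except Exception as exc:  # a plist launchd cannot parse is itself worth a look
                findings.append({"plist": str(plist_path), "label": None, "program": None,
                                 "reason": f"unparseable plist: {exc}"})
                continue
            program = program_of(job)
            if program is None or not is_suspicious(program):
                continue
            findings.append({"plist": str(plist_path), "label": job.get("Label"),
                             "program": program, "run_at_load": bool(job.get("RunAtLoad")),
                             "reason": "program in user-writable or hidden location"})
    return findings


def demo() -> list:
    """Write constructed sample plists (not real captures) to a temp dir and audit them."""
    import tempfile
    base = Path(tempfile.mkdtemp(prefix="launchd-audit-"))
    samples = {
        "com.apple.example.plist": {"Label": "com.apple.example",
                                    "ProgramArguments": ["/usr/libexec/example", "--daemon"],
                                    "RunAtLoad": True},
        "com.example.vendor.plist": {"Label": "com.example.vendor",
                                     "Program": "/Applications/Vendor.app/Contents/MacOS/helper"},
        "com.hidden.updater.plist": {"Label": "com.hidden.updater",
                                     "ProgramArguments": ["/Users/victim/.hidden/updater"],
                                     "RunAtLoad": True},
    }
    for name, job in samples.items():
        with open(base / name, "wb") as fh:
            plistlib.dump(job, fh)
    (base / "broken.plist").write_bytes(b"<not a plist>")  # deliberately malformed
    return audit_launchd_dirs([base])


if __name__ == "__main__":
    for finding in audit_launchd_dirs(default_launchd_dirs()):
        print(finding)
```

The audit only reads files, so it is safe to run repeatedly; treat each finding as a lead to investigate (check the binary's code signature and what it connects to) rather than as confirmation of infection, since legitimate third-party software also installs agents under the home directory.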

The full price list for the available options is as follows:

  • Windows, executable, 1 month: $59
  • Windows, executable, 3 months: $129
  • macOS, Mach-O, 1 month: $49
  • macOS, Mach-O, 3 months: $99

Countries and campaigns

The researchers tracked command-and-control requests for both Formbook and XLoader and observed them originating from 69 countries, more than a third of the 195 countries recognised today.

That geographic spread shows the malware is in active use across much of the world.

Among the 69 countries, the experts identified that most of the infections happened in the following countries:-

  • United States (53%)
  • China (9%)
  • Mexico (5%)
  • Germany (3%)
  • France (3%)
  • Russian Federation (3%)

The researchers add that Macs have historically been less attractive to threat actors because of their smaller user base, but attacks against them have grown steadily in recent years, making Mac users an increasingly interesting target.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.