Story image

New malware strain targeting Mac users for only $49

By Shannon Williams, 27 Jul 2021

A new malware strain has evolved to steal the information of MacOS users, according to new research from Check Point Research..

For as low as $49 on the Darknet, hackers can buy licenses for the new malware, enabling capabilities to harvest log-in credentials, collect screenshots, log keystrokes, and execute malicious files.

Victims are tricked into downloading the malware strain via spoofed emails containing malicious Microsoft Office documents.

“As part of our cybercrime tracking, we have observed interesting developments by the well-known malware family ‘Formbook’. We see a new strain of malware derived from the original Formbook malware," says Yaniv Balmas, head of cyber research at Check Point Software.

"Named ‘XLoader’, this malware is far more mature and sophisticated than its predecessors, supporting different operating systems, specifically MacOS computers," he says.

"Historically, MacOS malware hasn’t been that common. They usually fall into the category of ‘spyware’, not causing too much damage. I think there is a common incorrect belief with MacOS users that Apple platforms are more secure than other more widely used platforms. 

"While there might be a gap between Windows and MacOS malware, the gap is slowly closing over time. The truth is that MacOS malware is becoming bigger and more dangerous," says Balmas. 

"Our recent findings are a perfect example and confirm this growing trend. With the increasing popularity of MacOS platforms, it makes sense for cyber criminals to show more interest in this domain, and I personally anticipate seeing more cyber threats following the Formbook malware family," he says. 

"I would think twice before opening up any attachments from emails I get from senders I don’t know.”

In 2018, Apple estimated that more than 100 million Macs were in use.
                                                                                                      
“XLoader”, the new strain of malware that has evolved to steal the information of MacOS users, is a derivative of the famous “Formbook” malware family, which mainly targeted Windows users, but disappeared from being on sale in 2018.

Formbook rebranded to XLoader in 2020. Over the past six months, CPR studied XLoader’s activities, learning that XLoader is prolific, targeting not just Windows, but Mac users as well.  

Hackers can buy XLoader licenses on the Darknet for as low as $49, equipping them with capabilities to harvest log-in credentials, collect screenshots, log keystrokes, and execute malicious files. Victims are tricked into downloading XLoader via spoofed emails that contain malicious Microsoft Office documents.

CPR tracked Xloader activity between December 1, 2020 and June 1, 2021. CPR saw XLoader requests from as many as 69 countries. More than half (53%) of the victims reside in the United States. 

Infection Process

XLoader is usually spread by spoofed emails that lure their victims into downloading and opening a malicious file, usually Microsoft Office documents.

Prevention Tips

To avoid infection, CPR recommends both Mac and Windows users to:

Not open suspicious attachments
Avoid visiting suspicious websites
Use 3rd party protection software to help identify and prevent malicious behavior on their computer

Detection and Removal Guidance

Since this malware is stealth in nature, it is likely difficult for a “non-technical” eye to recognise whether they have been infected, according Autorun.

"Therefore, if you suspect you have been infected it would be wise to consult with a security professional or use third party tools and protections designed to identify, block and even remove this threat from your computer."

Recent stories
More stories