XLoader Windows info-stealer malware now designed to attack macOS

Formbook, the popular Windows info-stealing malware, has been transformed into a new strain known as XLoader, which can now attack Mac devices as well.


On an underground forum, XLoader is being advertised as a botnet loader service that can “recover” passwords from web browsers and some email clients (Chrome, Firefox, Opera, Edge, IE, Outlook, Thunderbird, Foxmail).



XLoader ad posted on underground forum site



XLoader, a cross-platform (Windows and macOS) botnet created from the Formbook info-stealer for Windows, first appeared in February, quickly gained popularity, and was advertised as a no-dependencies botnet.


The link between the two malware pieces was confirmed after a member of the community reverse-engineered XLoader and found that it shared the same executable as Formbook.


The advertiser said that Formbook’s developer was heavily involved in the development of XLoader, and the two malware strains have identical features (stealing login credentials, capturing screenshots, logging keystrokes, and executing malicious files).


For $49 per month, customers can rent the macOS malware version and have access to a server provided by the seller.


XLoader info stealing malware ad



The creators can control how clients exploit the malware by maintaining a centralized command and control infrastructure.


The Windows version is more expensive, with a one-month subscription costing $59 and a three-month license costing $129.


XLoader’s creators also supply a free Java binder, which lets users bundle the macOS Mach-O and Windows EXE binaries into a single standalone JAR file.


Check Point malware researchers examined six months of XLoader activity up to June 1st and found requests from 69 countries, with the United States accounting for more than half of the victims.


Despite the fact that Formbook is no longer offered on underground forums, it remains a serious threat. Over the last three years, it has been linked to at least 1,000 malware attacks.


XLoader, according to the researchers, is stealthy enough to go undetected.


They suggest using Autorun to check the username in the OS, and searching the LaunchAgents folder (/Users/[username]/Library/LaunchAgents) for entries with odd, random-looking filenames.
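The LaunchAgents check above can be scripted. The following POSIX shell example is added here and is not from the article or from Check Point; the "random-looking name" heuristic (a single token with no dots that is eight or more characters long and either has no vowels or mixes letters and digits) and the sample plist names are assumptions, chosen because legitimate agents are usually named in reverse-DNS style such as com.vendor.agent.plist.

```shell
#!/bin/sh
# Added example: heuristic scan of a LaunchAgents folder for random-looking plist names.
# Heuristic and sample filenames are constructed assumptions, not indicators from the article.

# Return 0 (true) when a plist filename looks random, 1 otherwise.
looks_random() {
  stem=$(printf '%s' "$1" | sed 's/\.plist$//')
  # Reverse-DNS style names (two or more dot-separated labels) are treated as normal.
  case "$stem" in
    *.*) return 1 ;;
  esac
  # Short single-word names such as "backup" are left alone.
  [ "${#stem}" -ge 8 ] || return 1
  # No vowel at all in a long token is a strong hint of a generated name.
  if ! printf '%s' "$stem" | grep -qi '[aeiou]'; then
    return 0
  fi
  # Letters and digits mixed in one token is another common generated-name pattern.
  if printf '%s' "$stem" | grep -q '[0-9]' && printf '%s' "$stem" | grep -qi '[a-z]'; then
    return 0
  fi
  return 1
}

# Print the suspicious plist names found in the given directory, one per line.
scan_launch_agents() {
  dir="$1"
  for f in "$dir"/*.plist; do
    [ -e "$f" ] || continue
    name=$(basename "$f")
    if looks_random "$name"; then
      printf '%s\n' "$name"
    fi
  done
}

# Build a constructed sample directory so the example runs anywhere, not only on a Mac.
make_sample_dir() {
  d=$(mktemp -d)
  for n in com.apple.something.plist com.google.keystone.agent.plist \
           xkqzptrw.plist a9f3k2m7q1.plist backup.plist; do
    : > "$d/$n"
  done
  printf '%s' "$d"
}

# On a real Mac, point the scan at the folder the researchers name:
#   scan_launch_agents "$HOME/Library/LaunchAgents"
```

Anything the scan prints is only a lead: open the plist and check which program it launches before deciding it is malicious, since some legitimate tools also use unhelpful names.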


Since macOS is increasingly popular, the researchers expect more malware families to adapt and add macOS to their list of supported platforms.

