A widespread Windows malware family has evolved into a new strain called "XLoader", which can also target Mac computers.
Derived from the Windows data stealer Formbook, XLoader is cross-platform malware advertised as a botnet with no dependencies. It is used to steal login credentials, capture screenshots, log keystrokes and execute malicious files. The strain was identified by security researchers at Check Point Software.
A hosted server running the macOS version of XLoader is available on the dark web for $49 a month. Check Point tracked XLoader for six months and saw requests from 69 countries, indicating heavy use around the world. More than half of the victims were in the United States.
Formbook remains a highly pervasive threat, featuring in more than 1,000 malware campaigns over the past three years, and XLoader is expected to see even wider use given its cross-platform reach and greater sophistication.
Yaniv Balmas, Check Point's head of cyber research, said the growing popularity of macOS has drawn increasing attention from cybercriminals, who see the platform as an interesting target.
“While there might be a gap between Windows and MacOS malware, the gap is slowly closing over time. The truth is that MacOS malware is becoming bigger and more dangerous.”
According to Check Point, XLoader is stealthy enough to stay hidden from most users. You can, however, check a Mac for the persistence entry it installs:
- Navigate to the /Users/[username]/Library/LaunchAgents directory
- Look for plist files with suspicious names in this directory. The name is randomly generated, so it differs from machine to machine; the example below is one such random name: /Users/user/Library/LaunchAgents/com.wznlVRt83Jsd.HPyT0b4Hwxh.plist
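The check above, scripted as an added example (this is not Check Point's code or part of the original article): it walks a LaunchAgents directory, flags any plist whose label contains a random-looking segment like the one quoted, and prints the program that entry launches so you can see what the persistence actually points at. The "random" heuristic (a dotted segment of ten or more alphanumerics mixing upper case, lower case and digits) is an assumption of this example, as is the constructed two-file fixture it demonstrates on; the payload path in the fixture is made up. It assumes XML plists, so convert binary ones with `plutil -convert xml1` first.

```shell
#!/bin/sh
# Added example: triage a LaunchAgents directory for random-label persistence entries.
# Not from Check Point or the article; the heuristic and the fixture are assumptions.
LC_ALL=C; export LC_ALL   # keep [A-Z]/[a-z] ranges literal regardless of locale

# segment_is_random SEGMENT -> exit 0 if one dotted-label segment looks machine-generated:
# 10+ characters, alphanumeric only, containing upper case, lower case and a digit.
segment_is_random() {
    seg=$1
    [ "${#seg}" -ge 10 ] || return 1
    case $seg in *[!A-Za-z0-9]*) return 1 ;; esac
    case $seg in *[A-Z]*) ;; *) return 1 ;; esac
    case $seg in *[a-z]*) ;; *) return 1 ;; esac
    case $seg in *[0-9]*) ;; *) return 1 ;; esac
    return 0
}

# label_is_random LABEL -> exit 0 if any dot-separated segment of the label looks random
label_is_random() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for seg in "$@"; do
        segment_is_random "$seg" && return 0
    done
    return 1
}

# plist_program FILE -> the first <string> after the Program or ProgramArguments key
# (crude XML scraping; enough for typical hand-written launchd plists)
plist_program() {
    awk '/<key>(Program|ProgramArguments)<\/key>/ { want = 1 }
         want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }' "$1"
}

# scan_launch_agents DIR -> prints "label<TAB>program" for every plist with a random label
scan_launch_agents() {
    dir=${1:-"$HOME/Library/LaunchAgents"}
    for f in "$dir"/*.plist; do
        [ -e "$f" ] || continue
        name=$(basename "$f" .plist)
        if label_is_random "$name"; then
            printf '%s\t%s\n' "$name" "$(plist_program "$f")"
        fi
    done
}

# make_fixture DIR -> writes two constructed plists so the script runs offline:
# one vendor-style label that must not be flagged, and the random label from the article.
make_fixture() {
    mkdir -p "$1"
    cat > "$1/com.google.keystone.agent.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Google/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksagent</string></array>
</dict></plist>
EOF
    cat > "$1/com.wznlVRt83Jsd.HPyT0b4Hwxh.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.wznlVRt83Jsd.HPyT0b4Hwxh</string>
  <key>ProgramArguments</key>
  <array><string>/Users/user/.HPyT0b4Hwxh/HPyT0b4Hwxh</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
}

# With a directory argument, scan it (e.g. "$HOME/Library/LaunchAgents" on a live Mac);
# with no argument, demonstrate on the constructed fixture in a temp directory.
if [ $# -gt 0 ]; then
    scan_launch_agents "$1"
else
    demo_dir=$(mktemp -d)/LaunchAgents
    make_fixture "$demo_dir"
    scan_launch_agents "$demo_dir"
    rm -r "$demo_dir"
fi
```

A random-looking label is an indicator, not proof: some legitimate software also uses odd labels, so treat the printed program path as the thing to investigate (does the binary exist, is it signed, when was it created). On a real system it is also worth running the same scan over /Library/LaunchAgents and /Library/LaunchDaemons, which hold system-wide entries the user-level check above does not cover.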
As with any malware, the rule of thumb for minimising the risk of infection is to avoid dubious websites and to be careful with email attachments. Never open an attachment unless you know the sender and are expecting it; because attackers commonly spoof the sender address, a familiar name alone is not enough.