Researchers have discovered a cheap malware variant that in the past was used against Windows systems, but has been upgraded to infect Mac OS. The attack works by tricking users into opening a rogue MS document that contains malware which will allow attackers to perform data theft and exfiltration.
On Wednesday, security firm Check Point Research reported that hackers sell a new malware XLoader, which researchers said originated from a Windows-based variant called Formbook.
Subscription to Formbook was available for as little as $29 a week in underground forums in 2014. It reappeared in 2020 under a new name XLoader. Although sales of Formbook have ended, it is still a prevalent threat in the wild.
CPR has been tracking the malware over the past 6 months. The researchers found the same code base as Formbook, but significant changes were made by the developer.
Phishing is a process where fake emails are sent to unsuspecting users. These types of attacks usually lead to the exploitation of compromised systems. One of them is new capabilities for compromising macOS systems.
A successful infection chain begins with phishing emails that contain weaponized Microsoft Office documents.
XLoader is a powerful malware that can monitor and steal sensitive information from software, take screenshots, and perform data exfiltration. It can also execute arbitrary code to gain remote access to a system.
For their command-and-control (C2) infrastructure attackers use nearly 90,000 domains. The majority of these domains are legitimate sites to which attackers send malicious traffic to prevent analysis. This presents a puzzle for security firms as they try to determine which sites are real C&C servers.
XLoader is available for sale in underground forums for between $59 and $129.
Potential threat actors in 69 countries have requested access to the XLoader malware so far. Over half of the victims detected by CPR were in the US.
“While there might be a gap between Windows and macOS malware, the gap is slowly closing over time,” commented Yaniv Balmas, Head of Cyber Research at CPR. “The truth is that MacOS malware is becoming bigger and more dangerous. Our recent findings are a perfect example and confirm this growing trend.”