Hackers use XLoader malware to steal information of MacOS users

Check Point Research (CPR) reports that a malware strain has evolved to steal the information of MacOS users.
Macbook discount offersHackers can buy licenses for the new malware for as low as $49 on the Darknet, enabling capabilities to harvest log-in credentials, collect screenshots, log keystrokes, and execute malicious files.

53 percent of victims reside in the USA, including both Mac and Windows users. Hackers in 69 countries have made requests for the evolved malware. Victims are tricked into downloading the malware strain via spoofed emails containing malicious Microsoft Office documents

In 2018, Apple estimated that over 100 million Macs were in use.

The new strain named “XLoader” is a derivative of the “Formbook” malware, which targeted Windows users, but disappeared from being on sale in 2018. Formbook rebranded to XLoader in 2020.

Over the past six months, CPR studied XLoader’s activities, learning that XLoader is prolific, targeting not just Windows, but to CPR’s surprise, Mac users as well.

Hackers can buy XLoader licenses on the Darknet for as low as $49, equipping them with capabilities to harvest log-in credentials, collect screenshots, log keystrokes, and execute malicious files. Victims are tricked into downloading XLoader via spoofed emails that contain malicious Microsoft Office documents.

CPR tracked Xloader activity between December 1, 2020 and June 1, 2021. CPR saw XLoader requests from as many as 69 countries. Over half (53 percent) of the victims reside in the United States.

Infection Process

XLoader is usually spread by spoofed emails that lure their victims into downloading and opening a malicious file, usually Microsoft Office documents.

Prevention Tips

To avoid infection, CPR recommends both Mac and Windows users to:

Not open suspicious attachments

Avoid visiting suspicious websites

Use 3rd party protection software to help identify and prevent malicious behavior on their computer

Detection and Removal Guidance

Since this malware is stealth in nature, it is likely difficult for a “non-technical” eye to recognize whether they have been infected. Therefore, if you suspect you have been infected it would be wise to consult with a security professional or use third party tools and protections designed to identify, block and even remove this threat from your computer. For more technical details to assist, CPR recommends going to Autorun and:

Check your username in the OS

Go to /Users/[username]/Library/LaunchAgents directory

Check for suspicious filenames in this directory (example below is a random name)


Remove the suspicious file

“XLoader malware is far more mature and sophisticated than its predecessors, supporting different operating systems, specifically MacOS computers. I anticipate seeing more cyber threats following the Formbook malware family,” Yaniv Balmas, Head of Cyber Research at Check Point Software, said in a statement.

Related News

Latest News

Latest News