$49 Malware Targeting Macs and Windows Machines - Quick and Easy to Use

ZDnet and Threatpost reported this week that a $49 piece of malware named “XLoader” is for sale on the dark web, and it works on Mac machines as well as Windows.

What is XLoader?

The original keylogger/form-stealer software dubbed FormBook worked on Windows machines stealing information as victims typed into online forms and logins.

According to Threatpost, 

“There’s a new version of the old FormBook form-stealer and keylogger that’s added Mac users to its hit list, and it’s selling like hotcakes on underground markets for as low as $49.”

“It’s not only cheap; it’s easy. The data stealer is distributed in the form of malware-as-a-service ( MaaS ) and stands out from competing malware by being drop-dead simple to use, outfitting even code dummies with a multipurpose malware tool,” Threatpost added.

The initial FormBook malware was active during 2016 and then disappeared in 2018 and resurfaced as XLoader (an upgraded version) in 2020. This information comes from a report published on Wednesday by Check Point Research (CPR). Older versions of FormBook sold on the dark web for $29/week.

What is the Danger?

CPR has witnessed a lot of activity using XLoader. With its upgraded functionality, hackers are using it on Windows machines and Macs to “harvest log-in credentials, collect screenshots, log keystrokes and execute malicious files.”

Although CPR has seen XLoader operating in 69 different countries, most targets (53%) are in the U.S.

Victims are tricked into installing XLoader through phishing emails containing “malicious Microsoft Office documents.”

It appears that the author or FormBook was disgruntled by the way customers were using his creation. Therefore, he forbade the use of the malware and pulled it from the black market in 2018. 

Threatpost explains,

“FormBook activity kept coming, but it had a bun in the oven. On Feb. 6, 2020, the rebranded XLoader offshoot was listed for sale in an underground forum – the same one that FormBook was sold on – under a new avatar. (Check Point notes that XLoader malware for PCs and Mac shouldn’t be confused with XLoader malware for Android [aka Roaming or MoqHao], a backdoor trojan and Android malware that uses Domain Name System (DNS) spoofing to distribute infected Android apps.)”

Unlike previous versions, this one works on a Mac, making it very desirable to cybercriminals. With roughly 100 million Mac users, it opens up a huge target base for hackers.

Malware Stats

In terms of danger, CPR noted that “As of December, as Check Point reported at the time, FormBook was the third most prevalent malware family. It was outpaced only by Emotet at No. 1 (the servers for which were globally dismantled in January) and the TrickBot banking trojan/ransomware malware, which ranked No. 2.”

How to Thwart the XLoader Threat

As with each new threat that hits the market, users can steer clear by executing a few safety precautions and following cybersecurity best practices. According to CPR, the best ways to avoid a malware infection are:

• Never click links in emails or text messages.

• Always verify the sender of the email.

• Never open attachments in unsolicited emails.

• Avoid suspicious or malicious websites. 

• Always verify the web address that you land on before clicking anything or entering any information.

• Use good, strong antivirus software on all your devices.

If you do suspect you may have been infected, Threatpost explains how to verify it:

“For more technical details to assist in detection and removal, Check Point recommended using the AutoRun feature of Windows Explorer to:

1. Check your username in the OS.

2. Go to /Users/[username]/Library/LaunchAgents directory.

3. Check for suspicious filenames in this directory (they gave this random name as an example: /Users/user/Library/LaunchAgents/com.wznlVRt83Jsd.HPyT0b4Hwxh.plist).

4. Remove the suspicious file.”