MacOS Being Picked Apart by $49 XLoader Data Stealer

threatpost.com
Cheap, easy and prolific, the new version of the old FormBook form-stealer and keylogger has added Mac users to its hit list, and it's selling like hotcakes.
There's a new version of the old FormBook form-stealer and keylogger that's added Mac users to its hit list, and it's selling like hotcakes on underground markets for as low as $49.

It's not only cheap; it's easy. The data stealer is distributed in the form of malware-as-a-service (MaaS) and stands out from competing malware by being drop-dead simple to use, outfitting even code dummies with a multipurpose malware tool.

In a report posted on Wednesday, analysts at Check Point Research (CPR) said that the new strain of FormBook – which mainly targeted Windows users when it first popped up on hacking forums in 2016 – is named XLoader. According to the report, FormBook disappeared from malware markets in 2018, then rebranded to XLoader in 2020.

Over the past six months, XLoader's been a busy beaver, prolifically targeting Windows users but also gnawing on its newfound love: namely, "to CPR's surprise," Mac users.

XLoader licenses start at $49: a price that will get even the most inexperienced and poorly funded cyberattackers a tool that they can use to harvest log-in credentials, collect screenshots, log keystrokes and execute malicious files.

Check Point has tracked XLoader requests flooding in from eager attackers in 69 countries. Most of the targets – 53 percent – are in the U.S., including both Mac and Windows users.

The breakdown of victims by country is presented in the bar graph below:

Victims are tricked into downloading XLoader via spoofed emails that contain malicious Microsoft Office documents.

From Humble Keylogger to Red-Hot Malware

As of December, as Check Point reported at the time, FormBook was the third most prevalent malware family. It was outpaced only by Emotet at No. 1 (the servers for which were globally dismantled in January) and the TrickBot banking trojan/ransomware malware, which ranked No. 2.

AnyRun Malware Trends Tracker backs that up: As of Tuesday evening, FormBook was ranked third most-spotted sample out of millions in the…
Lisa Vaas