macOS Malware

A popular malware known for stealing sensitive information from Windows machines has evolved into a new strain capable of also targeting Apple's macOS operating system.

The upgraded malware, dubbed "XLoader," is a successor to another well-known Windows-based info stealer called Formbook that's known to vacuum credentials from various web browsers, capture screenshots, record keystrokes, and download and execute files from attacker-controlled domains.


"For as low as $49 on the Darknet, hackers can buy licenses for the new malware, enabling capabilities to harvest log-in credentials, collect screenshots, log keystrokes, and execute malicious files," cybersecurity firm Check Point said in a report shared with The Hacker News.

Distributed via spoofed emails containing malicious Microsoft Office documents, XLoader is estimated to have infected victims across 69 countries between December 1, 2020, and June 1, 2021, with 53% of the infections reported in the U.S. alone, followed by China's special administrative regions (SAR), Mexico, Germany, and France.

While the very first Formbook samples were detected in the wild in January 2016, sale of the malware on underground forums stopped in October 2017, only to be resurrected more than two years later in the form of XLoader in February 2020.

In October 2020, the latter was advertised for sale on the same forum which was used for selling Formbook, Check Point said. Both Formbook and its XLoader derivative are said to share the same codebase, with the new variant incorporating substantial changes that lend it new capabilities for compromising macOS systems.

According to statistics released by Check Point earlier this January, Formbook was third among the most prevalent malware families in December 2020, impacting 4% of organizations worldwide. It's worth noting that the newly discovered XLoader malware for PC and Mac is not the same as XLoader for Android, which was first detected in April 2019.


"[XLoader] is far more mature and sophisticated than its predecessors, supporting different operating systems, specifically macOS computers," said Yaniv Balmas, head of cyber research at Check Point. "Historically, macOS malware hasn't been that common. They usually fall into the category of 'spyware', not causing too much damage."

"While there might be a gap between Windows and MacOS malware, the gap is slowly closing over time. The truth is that macOS malware is becoming bigger and more dangerous," Balmas noted, adding the findings "are a perfect example and confirm this growing trend."
