Check Point Research (CPR) experts have spotted a cheap malware, dubbed XLoader variant, which was upgraded to target both Windows and macOS PCs.
XLoader is a very cheap malware strain that is based on the popular Formbook Windows malware.
FormBook is a data-stealing malware that is used in cyber espionage campaigns, like other spyware it is capable of extracting data from HTTP sessions, keystroke logging, stealing clipboard contents. FormBook can also receive commands from a command-and-control (C2) server to perform many malicious activities, such as downloading more payloads. FormBook was offered for sale in the criminal underground since July, it goes for $29 a week up to a $299 full-package “pro” deal. The customers pay for access to the platform and generate their executable files as a service.
The malware was pulled from sale in 2017, but it continued to infect systems across the world. In March 2020, MalwareHunterTeam uncovered a Coronavirus (COVID-19)-themed campaign that was distributing a malware downloader that delivers the FormBook information-stealing Trojan.
CPR team has now monitored XLoader since it first appeared in the threat landscape in February. XLoader borrows the code base with Formbook, but it also included major improvements, such as the capability of compromising macOS systems.
“On February 6, 2020 a new era began: the era of the Formbook successor called XLoader. On this day, XLoader was advertised for sale in one of the underground groups.” states the report published by CheckPoint. “On October 20, 2020, XLoader was offered for sale on the same forum which was used for selling Formbook.”
The attack vector is represented by phishing messages, attackers leverage spoofed emails using weaponized Microsoft Office documents as attachments.
XLoader is offered to customers through a classic Malware-as-a-Service model, its seller doesn’t offer the source of the threat but only offer it for rent. It is not clear is the seller is the author of Formbook, known as ng-Coder, but experts found evidence of a connection between the two actors, such as a message from xloader to ng-Coder saying, “Thank you for the help”:
“The malware now features a more lucrative economic model for the authors as compared to Formbook. Customers may only buy the malware for a limited time and are only able to use a server provided by the seller; no panel sources codes are sold anymore. Thus, a “Malware-as-a-Service” scheme is used. Centralized C&C infrastructure allows the authors to control how the malware is used by the customers.” continues the report.
Below is the offer of the seller:
Package | Price |
Windows, executable, 1 month | $59 |
Windows, executable, 3 months | $129 |
macOS, Mach-O, 1 month | $49 |
macOS, Mach-O, 3 months | $99 |
Between December 1, 2020 and June 1, 2021, researchers saw Formbook/XLoader requests from as many as 69 countries, most of them from the US (53%).
In order to avoid detection, the malware uses an extended C2 network. Only 1,300 out of almost 90,000 domains used in network communication are real C2 servers. The remaining 88,000 domains are legitimate sites, however, the malware sends malicious traffic to them as well. This technique aims at complicating the work of security vendors to track the real C&C servers.
The new capability implemented in XLoader, and its low price, demonstrates that MacOS malware is becoming a privileged target of cybercrime ecosystem.
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine