Friday, October 15, 2021

Formbook malware Upgraded as an XLoader malware to Attack macOS Systems

Must Read

Hackers ask 500 Bitcoin ransom from Tether

Tether, the issuer of the USDT stablecoin, claims to have received a ransom note asking for 500 bitcoin (currently worth about USD $22...

Microsoft links Vietnamese Country hackers to a crypto-mining malware campaign

Vietnamese government-backed hackers have been recently seen deploying cryptocurrency-mining malware along with their routine cyber-espionage toolkits, Microsoft said on...

WA Auditor Shows Concern about security Methods within state Registry System

Auditor General publishes findings 18 weeks after the audit has been complete because she feared that the danger was...

Researchers have spotted an upgraded malware variant of Formbook malware which is now Upgraded as an XLoader malware to Attack macOS Systems.

Cybersecurity researchers on Wednesday disclosed details of an evolving malware that has now been upgraded to steal sensitive information from Apple’s macOS operating system.

XLoader is currently being offered on an underground forum as a botnet loader service that can “recover” passwords from web browsers and some email clients (Chrome, Firefox, Opera, Edge, IE, Outlook, Thunderbird, Foxmail).

XLoader is a successor version of Formbook Malware which is a well-known Windows-based info stealer.

XLoader licenses start at $49: a price that will get even the most inexperienced and poorly funded cyberattackers a tool that they can use to harvest log-in credentials, collect screenshots, log keystrokes and execute malicious files.

The advertiser explained that Formbook’s developer contributed a lot to creating XLoader, and the two malware had similar functionality (steal login credentials, capture screenshots, log keystrokes, and execute malicious files).

Infection chains begin through phishing, in which spoofed emails contain malicious attachments such as weaponized Microsoft Office documents laden with malware.

While the very first Formbook samples were detected in the wild in January 2016, the sale of the malware on underground forums stopped in October 2017, only to be resurrected more than two years later in the form of XLoader in February 2020. In October 2020, the latter was advertised for sale on the same forum which was used for selling Formbook, Check Point said.

In addition, the malware has an extensive command-and-control (C2) setup, utilizing close to 90,000 domains in network communication but only 1,300 are real C2 beacons.

“The other 88,000 domains belong to legitimate sites the malware sends malicious traffic to them as well,” CPR says. “This presents security vendors with the dilemma of how to determine which are the real C&C servers and not false-positively identify legitimate sites as malicious.”

As mentioned in the advertisement, the makers of XLoader also provide a Java binder for free, which allows customers to create a standalone JAR file with the Mach-O and EXE binaries used by macOS and Windows.

It appears that potential threat actors in 69 countries, so far, have requested access to the malware, which is managed by a centralized C2 server. Over half of XLoader victims detected so far are in the United States.

XLoader is far more mature and sophisticated than its predecessors, supporting different operating systems, specifically macOS computers,” said Yaniv Balmas, head of cyber research at Check Point. “Historically, macOS malware hasn’t been that common. They usually fall into the category of ‘spyware’, not causing too much damage.”

a2434345d63481a40f0d145881b41013?s=96&d=mm&r=g
Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.

Leave a reply

Please enter your comment!
Please enter your name here

Latest News

Unified endpoint management automation software to boost endpoint security

Endpoints are constantly connected to the internet, so they offer a gateway for cyberattacks. Endpoint security is simply the process...

Attackers Using Morse Code in phishing campaign to Evade Detection

Microsoft on Thursday revealed the techniques used by attackers to avoid detection using morse code in the phishing campaign.Microsoft also revealed the workings of...

Murata Manufacturing suffers data breach of employees and customer

Japanese electronic components manufacturer Murata has released an apology Notice for the data breach of thousands of files in June that contained bank account...

Everything about Signalling System 7(SS7)

Signaling System 7 (SS7) is an international telecommunication protocol standard that controls and regulates the network elements in a public switched telephone network (PSTN)....

Zimbra flaw lets attackers access the mail servers

Researchers discovered a flaw in the open-source Zimbra code. As a result, an attacker would gain unrestricted access to all sent and received emails...

More Articles Like This