Friday, July 23, 2021

Formbook Malware Upgraded as XLoader to Attack macOS Systems


Researchers have spotted an upgraded variant of the Formbook malware, now sold as XLoader, that has been extended to attack macOS systems.

Cybersecurity researchers on Wednesday disclosed details of an evolving malware that has now been upgraded to steal sensitive information from Apple’s macOS operating system.

XLoader is currently being offered on an underground forum as a botnet loader service that can “recover” passwords from web browsers and some email clients (Chrome, Firefox, Opera, Edge, IE, Outlook, Thunderbird, Foxmail).

XLoader is the successor to Formbook, a well-known Windows-based information stealer.

XLoader licenses start at $49: a price that will get even the most inexperienced and poorly funded cyberattackers a tool that they can use to harvest log-in credentials, collect screenshots, log keystrokes and execute malicious files.

The advertiser explained that Formbook’s developer contributed a lot to creating XLoader, and that the two malware families have similar functionality (stealing login credentials, capturing screenshots, logging keystrokes, and executing malicious files).

Infection chains begin with phishing: spoofed emails carry malicious attachments such as weaponized Microsoft Office documents.

While the very first Formbook samples were detected in the wild in January 2016, the sale of the malware on underground forums stopped in October 2017, only to be resurrected more than two years later in the form of XLoader in February 2020. In October 2020, the latter was advertised for sale on the same forum that had been used to sell Formbook, Check Point said.

In addition, the malware has an extensive command-and-control (C2) setup, contacting close to 90,000 domains in its network communication, of which only 1,300 are real C2 servers.

“The other 88,000 domains belong to legitimate sites; the malware sends malicious traffic to them as well,” CPR says. “This presents security vendors with the dilemma of how to determine which are the real C&C servers and not false-positively identify legitimate sites as malicious.”

As mentioned in the advertisement, the makers of XLoader also provide a Java binder for free, which allows customers to create a standalone JAR file containing the Mach-O and EXE binaries used by macOS and Windows respectively.
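A defender-side illustration of the packaging described above, added here and not taken from the Check Point report or from XLoader itself: it inspects the entries of a JAR for embedded native executables by their standard file headers (the PE `MZ` header with its `PE\0\0` signature, and the Mach-O magic values), rather than by any XLoader-specific indicator. The sample JAR is constructed in memory, the entry names are made up, and the heuristic for telling a fat Mach-O header apart from a Java class file (both begin with `0xCAFEBABE`) is an assumption of this example.

```python
from __future__ import annotations

import io
import struct
import zipfile

# Header bytes of the native formats the binder is said to pack into a JAR.
# These are standard file-format constants, not XLoader-specific IoCs.
MACHO_THIN_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # shared by fat Mach-O binaries and Java .class files


def classify_entry(name: str, data: bytes) -> str | None:
    """Return a label if the entry carries a native executable, else None."""
    if len(data) < 8:
        return None
    head4 = data[:4]

    # Windows PE: 'MZ' DOS header, e_lfanew at 0x3C points at the 'PE\0\0' signature.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE executable"
        return "MZ header (PE signature not found)"

    if head4 in MACHO_THIN_MAGICS:
        return MACHO_THIN_MAGICS[head4]

    # 0xCAFEBABE is ambiguous. In a fat Mach-O the next big-endian u32 is the
    # architecture count (small); in a Java class file it is minor<<16 | major,
    # and major is at least 45. Assumption: no fat binary has 45+ architectures.
    if head4 == FAT_MAGIC:
        word = struct.unpack_from(">I", data, 4)[0]
        if name.endswith(".class") or word >= 45:
            return None  # an ordinary Java class file, expected inside a JAR
        return "Mach-O universal (fat) binary"
    return None


def scan_jar(jar_bytes: bytes) -> list[tuple[str, str]]:
    """List (entry name, format) for every JAR entry that embeds a native executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            label = classify_entry(info.filename, zf.read(info.filename))
            if label:
                findings.append((info.filename, label))
    return findings


def build_sample_jar() -> bytes:
    """Constructed test JAR (not a real sample): one class file plus three
    native stubs consisting of headers only, enough to exercise the checks."""
    pe_stub = bytearray(0x80)
    pe_stub[:2] = b"MZ"
    struct.pack_into("<I", pe_stub, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    pe_stub[0x40:0x44] = b"PE\x00\x00"

    macho64 = b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01" + b"\x00" * 24  # cputype x86_64
    fat = FAT_MAGIC + struct.pack(">I", 2) + b"\x00" * 24                # two architectures
    java_class = FAT_MAGIC + struct.pack(">HH", 0, 52) + b"\x00" * 24    # minor 0, major 52

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", java_class)
        zf.writestr("res/win.bin", bytes(pe_stub))
        zf.writestr("res/mac.bin", macho64)
        zf.writestr("res/fat.bin", fat)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, kind in scan_jar(build_sample_jar()):
        print(f"{entry}: {kind}")
```

Header-based checks like these are cheap enough to run on every JAR attachment at a mail gateway or in a sandbox; a JAR that legitimately ships native code (JNI libraries) will also trigger them, so the result is a triage signal to combine with the origin of the file, not a verdict on its own.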

It appears that potential threat actors in 69 countries have so far requested access to the malware, which is managed by a centralized C2 server. Over half of the XLoader victims detected so far are in the United States.

“XLoader is far more mature and sophisticated than its predecessors, supporting different operating systems, specifically macOS computers,” said Yaniv Balmas, head of cyber research at Check Point. “Historically, macOS malware hasn’t been that common. They usually fall into the category of ‘spyware’, not causing too much damage.”

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.
