Check Point Research (CPR) has observed a new strain of malware that has evolved to steal the information of MacOS users. Named ‘XLoader,’ the new strain is a derivative of the well-known ‘Formbook’ malware family, which mainly targeted Windows users but was withdrawn from sale in 2018. Formbook was rebranded as XLoader in 2020. Over the past six months, CPR studied XLoader’s activities and found that XLoader is prolific, targeting not just Windows but, to CPR’s surprise, Mac users as well.
Hackers can buy XLoader licenses on the Darknet for as little as $49, giving them the capability to harvest login credentials, collect screenshots, log keystrokes, and execute malicious files. Victims are tricked into downloading XLoader via spoofed emails that contain malicious Microsoft Office documents.
This is a potential threat to all Mac users. In 2018, Apple estimated that over 100 million Macs were in use.
CPR tracked XLoader activity between December 1, 2020 and June 1, 2021 and saw XLoader requests from as many as 69 countries. Over half (53 percent) of the victims reside in the United States. The breakdown of victims by country is presented in the bar graph below:
“We see a new strain of malware derived from the original Formbook malware. Named ‘XLoader’, this malware is far more mature and sophisticated than its predecessors, supporting different operating systems, specifically MacOS computers. Historically, MacOS malware hasn’t been that common. They usually fall into the category of ‘spyware’, not causing too much damage. I think there is a common incorrect belief with MacOS users that Apple platforms are more secure than other more widely used platforms. While there might be a gap between Windows and MacOS malware, the gap is slowly closing over time. The truth is that MacOS malware is becoming bigger and more dangerous,” said Yaniv Balmas, Head, Cyber Research, Check Point Software.