$49 malware receives major upgrade to strike both Windows and macOS PCs

The new family stems from Formbook, an old but prevalent malware strain.
Written by Charlie Osborne, Contributing Writer

Researchers have spotted a cheap malware variant, once focused on Windows machines, that has been upgraded to infect Mac PCs.

On Wednesday, Check Point Research (CPR) said the malware, dubbed "XLoader," originates from a Windows-based variant known as Formbook. 

Formbook was once available in underground forums for as little as $29 a week on a subscription basis. However, this malware was pulled from sale roughly four years ago by the developer, known as ng-Coder, and did not reappear until 2020 -- while also bearing the new name XLoader. 

It should be noted, however, that although sales ended, Formbook remains a prevalent threat in the wild. 

CPR has been analyzing the malware over the past six months. The researchers have found the same code base as Formbook is in play, but substantial changes have been implemented by the developer -- including new capabilities for compromising macOS systems.

Infection chains begin through phishing, in which spoofed emails contain malicious attachments such as weaponized Microsoft Office documents laden with the malware. 

XLoader is monitoring software with remote access capabilities, keystroke logging, the ability to take screenshots, and also perform data exfiltration such as the theft of account credentials. In addition, the malware has an extensive command-and-control (C2) setup, utilizing close to 90,000 domains in network communication -- but only 1,300 are real C2 beacons. 

"The other 88,000 domains belong to legitimate sites the malware sends malicious traffic to them as well," CPR says. "This presents security vendors with the dilemma of how to determine which are the real C&C servers and not false-positively identify legitimate sites as malicious."

XLoader has been made available in underground forums under license for between $59 and $129, depending on the time period of subscription and whether they want a Windows or macOS version.  


CPR has found links between ng-Coder and the xloader forum user, the latter of which is thought to just be a seller.

It appears that potential threat actors in 69 countries, so far, have requested access to the malware, which is managed by a centralized C2 server. Over half of XLoader victims detected so far are in the United States. 

"While there might be a gap between Windows and macOS malware, the gap is slowly closing over time," commented Yaniv Balmas, Head of Cyber Research at CPR. "The truth is that MacOS malware is becoming bigger and more dangerous. Our recent findings are a perfect example and confirm this growing trend."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards