A notorious strain of Windows malware has returned from the dead, and now it’s attacking Macs as well, according to a report from Israeli security firm Check Point.
When FormBook was last for sale in 2017, the Windows information-stealing Trojan was busy logging keystrokes, swiping passwords from web browsers, taking screenshots and even downloading and running other forms of malware. Then development stopped for a couple of years until a new strain of the malware emerged in 2020 with a brand-new name: XLoader.
The XLoader variant uses the same core software as FormBook, says Check Point, but it’s been recompiled to attack Macs as well and carry out the same types of information theft.
It’s fairly inexpensive to operate, too, under the “malware as a service” subscription model that dominates modern cybercrime. You can get a license for the Mac version of XLoader for $49 a month; the Windows version goes for $59.
Three-month deals are also available, and there’s even a Java-based cross-platform “binder” that saves you the trouble of maintaining two different versions.
As of this week, said Russian security firm AnyRun (as cited by ThreatPost), FormBook/XLoader was the third most prevalent strain of malware worldwide. The older, 2017 version of FormBook is still active because back then you could buy a copy of the malware outright as an alternative to licensing it.
“MacOS malware is becoming bigger and more dangerous,” said Check Point research head Yaniv Balmas in a press statement. “With the increasing popularity of MacOS platforms, it makes sense for cyber criminals to show more interest in this domain.”
Check Point says it has tracked FormBook/XLoader infections in 69 countries around the world, although a bit more than half — 53% — are in the United States. The country with the second largest chunk is, surprisingly, the Special Autonomous Region, aka Hong Kong, which tracks with 9% of infections.
That may hint that the malware’s origins are in mainland China, which doesn’t show up on Check Point’s list of heavily infected countries.
How to protect your Mac or PC from XLoader
To protect yourself from XLoader/FormBook, install and use some of the best Windows 10 antivirus or best Mac antivirus software. Be wary of opening email attachments or downloading software from suspicious sources, and scan each installation package with the antivirus software before you run it. (You can usually just right-click any file to get the option to scan it.)
Check Point recommends that Mac users take the additional step of searching their LaunchAgents directory (at /Users/your username/Library/LaunchAgents) for suspicious files.