XLoader Malware Targets macOS and Windows Passwords

A notorious malware or stealing information from Windows systems has been modified and upgraded into a new strain named Xloader, which can now also hit macOS computers. Xloader Malware is being sold on a Dark Web forum as a botnet loader that can “recover” passwords from web browsers and some email clients (Chrome, Firefox, Opera, Edge, IE, Outlook,Thunderbird, Foxmail). It is considered MaaS (Malware-as-a-Service). Xloader is derived from Formbook, which gained a reputation as an info-stealer for Windows.

Xloader Malware emerged in February and its popularity skyrocketed. It is advertised by its creators as a cross-platform botnet with no dependencies.

The connection between the two strains was confirmed after a member of the hacking community reverse-engineered Xloader and discovered it had the same executable as Formbook.

The developers explained that the creators of Formbook contributed a lot to Xloader, and the two malware had similar functionality (steal login credentials, capture screenshots, log keystrokes, and execute malicious files).

Would-be hackers can rent the macOS version of Xloader Malware for $49 a month, and get access to a server that the seller provides. Because the authors keep a centralized c2 infrastructure, they can control how the malware is used. This kind of architecture has become more common in an age where malware authors are getting unwanted spotlight when their clients use the product recklessly.

The Windows version, which is more popular, sells for $59 a month, and $129 for three months.

The authors also provide a Java binder for free, which allows customers to create a standalone JAR file with the Mach-O and EXE binaries used by macOS and Windows.

Cybersecurity researchers at CheckPoint saw requests from 69 countries, indicating a significant spread across the globe, with more than half of the victims being in the United States.

Although Formbook is no longer advertised on underground forums, it continues to be a prevalent threat. It was part of at least 1,000 malware campaigns over the past three years and according to AnyRun’s malware trends, the info-stealer takes fourth place over the past 12 months, after Emotet. 

                                   

Judging by how popular Formbook has been, XLoader is likely to even be more prevalent due to it having cross-platform capability.

CheckPoint researchers say that XLoader Malware is stealthy enough to make it difficult for a regular, non-technical user to spot it.

Yaniv Balmas, Head of Cyber Research at Check Point Software, says that XLoader Malware is “is far more mature and sophisticated than its predecessors [i.e. Formbook].”

macOS’s growing popularity exposed it to unwanted attention from cybercriminals, who are now seeing the OS as an attractive target.

“While there might be a gap between Windows and MacOS malware, the gap is slowly closing over time. The truth is that MacOS malware is becoming bigger and more dangerous”, Balmas said.

The researcher believes that more malware families will adapt and add macOS to the list of supported operating systems.

XLoader Malware Analysis

Note: This Analysis was carried out by VMray. The analysis was focused on Formbook, but the code base is mostly identical.

XLoader Malware uses multiple techniques to evade automatic analysis and debugging. Combined with an evasive packer it has fairly comprehensive methods at its disposal. We can observe that the packer detects attached debuggers using CheckRemoteDebuggerPresent and IsDebuggerPresent function calls. It also tries to detect VirtualBox and VMware. If the checks pass the actual payload is extracted. Otherwise, the execution stops and the process exits before the explorer.exe injection.

Analysts often rename the sample to their hash values and such a hash is usually 32 characters or longer. One of the other evasions used by XLoader Malware is verifying that the length of the sample’s name is less than 32 characters.

To circumvent the behavior monitoring of sandboxes that relies on hooking, XLoader Malware uses a technique its author(s) referred to as Lagos Island method. These sandboxes typically establish hooks on functions exported by the native dll (ntdll.dll) to intercept the control flow and log the behavior.

Instead of using API functions exported by an already loaded ntdll, which can contain hooks, a new copy is manually mapped from the filesystem and its functions are used.

XLoader Malware uses a process started from a Windows built-in tool to hide itself. We notice the usual pattern it uses to achieve the migration. First, process #6 injects a section into explorer.exe using a combination of the function NtOpenProcess, NtCreateSection and NtMapViewOfSection.

Subsequently, the injected code is executed by hijacking the process #7 explorer.exe’s main thread. This injected code starts execution by creating a new process of C:\Windows\SysWOW64\netsh.exe which is a Windows tool. After finishing, process #6 uses the same injection method as with process #7, explorer.exe, to map itself and migrate into process #8 netsh.exe

XLoader Malware intercepts the Windows Messaging System by hooking API functions in the injected processes which allows it to monitor keystrokes.