Scary ‘malware-as-a-service’ Mac attack discovered

Another day, and it’s time for another Apple security scare: malware that can harvest keystrokes and log-ins and is available on the Darknet for only $49.

Malware-as-a-service for Mac attacks

Check Point Software’s research team claims to have identified the hack, which it is calling XLoader. Enterprise security specialists managing Macs and Apple devices (of which there are many) need to be aware of the new attack, as we’re told it can:

• Harvest logins from browsers.
• Collect screen shots.
• Log Keystrokes.
• Download and execute malicious files.

The hack is being sold as a kind of “malware-as-a-service” for around $49 on Darknet, the researchers said. Hackers in 69 nations have requested it, and 53% of those to have fallen victim to it are based in the US.

The attack vector’s simple: Victims are tricked into downloading the malware using maliciously crafted Word documents.

Showing a little Formbook

XLoader is derived from an existing Windows malware called Formbook, which is the fourth-most prevalent malware family. Formbook has seen use in broad spam campaigns aimed at larger global organizations. (Somewhat confusingly, there’s also an Android malware called XLoader, which isn’t the same thing.)

“Historically, MacOS malware hasn’t been that common,” said Yaniv Balmas, head of cyber research at Check Point Software in a statement. “They usually fall into the category of ‘spyware,’ not causing too much damage. I think there is a common incorrect belief with MacOS users that Apple platforms are more secure than other more widely used platforms. While there might be a gap between Windows and MacOS malware, the gap is slowly closing over time. The truth is that MacOS malware is becoming bigger and more dangerous.”

This is true, of course. But at least one survey shows that despite the growing security threat, most enterprises see the Mac as the most secure platform out of the box.

For hackers, Mac opportunity knocks

Apple has a growing enterprise market share, which means its platforms are seen as a potentially rewarding target. To be fair, it is also working constantly to make its platforms a tougher nut to crack.

“Our recent findings are a perfect example and confirm this growing trend,” said Balmas. “With the increasing popularity of MacOS platforms, it makes sense for cyber criminals to show more interest in this domain, and I personally anticipate seeing more cyber threats following the Formbook malware family. I would think twice before opening any attachments from emails I get from senders I don’t know.”

Apple’s software engineering chief, Craig Federighi, recently argued that Macs aren’t yet as secure as iOS devices: “iOS has established a dramatically higher bar for customer protection,” he said. “The Mac is not meeting that bar today.”

The Apple exec also confirmed that the scale of Mac malware is accelerating. More than 130 different malware items have affected as many as 300,000 Macs, he said. A recent Atlas VPN investigation claimed 670,273 new malware samples were identified in 2020, compared to 56,556 in 2019.

Worry, don’t worry

With approximately 200 million users running macOS in 2018 (as reported by Apple), the Mac is a promising market for malware. Apple recognizes this, of course, as does the wider Apple ecosystem.

MDM vendors such as Jamf are developing smart software solutions to protect Mac platform security, though it’s worth noting that human error is again the main way this malware infects target systems. Users must open infected Word documents to inject the malware into their Macs, so the user remains the weakest link in the security chain.

Users are the main attack vector on every platform, which is why every enterprises should invest in security awareness and response training for all staff, and foster a culture in which mistakes, once made, are swiftly and non-punitively disclosed and responded to.

How to prevent Xloader

Xloader uses a typically classic “infection through dodgy Word document” attack vector, which means it can also be mitigated against through the traditional approach to security protection:

• Don’t open suspicious attachments from people you don’t know.
• Don’t visit websites you do not trust.
• Do use third-party protection software.

How to detect Xloader

The researchers claim that one way a Mac user can check for this malware on their system is as follows:

• Use the Go item in the Finder menu
• Select Go to Folder…
• Write: Users/yourusername/Library/LaunchAgents to open the LaunchAgents folder
• If you see a suspicious file with a random-seeming name that isn’t clearly identified, drag it to the trash and delete it.

The researchers also recommend installation and use of malware detection software as this will often do a better job of identifying suspicious files.

Also read:

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.