XLoader malware attacks Mac users, collects login information, takes screenshots

According to CPR, XLLoader is a new strain of the famous Frombook malware that mainly targets Windows users. However, as of 2018 Frombook is no longer for sale by its author on the dark web.

In 2020, Frombook returns with a new name, XLLoader. Over the past 6 months, XLLoader has been rampant and not just targeting Windows anymore. XLoader caught CPR by surprise when it hit Mac users as well.

Another special feature is that XLLoader is sold on the Darknet for as low as 49 USD. Hackers who own XLLoader can deploy it to collect logins, collect screenshots, log keystrokes, and run other malicious files.

Victims are tricked into downloading XLLoader through fake emails that include Microsoft Office documents containing malicious code.

CPR shared that Mac computer owners are often complacent that macOS is more secure than Windows, so it is difficult to get infected with malicious code. However, now more and more malware is targeting macOS with increasing danger.

macOS is becoming more and more popular, so cybercriminals are more and more interested in this platform. After XLoader, there will be other malicious codes targeting Mac users.

To check if your Mac is infected with XLoader, you can follow these steps:

• Access directory: /Users/[username]/Library/LaunchAgents
• Check for files with suspicious names in this directory, for example a file with a random name like this: /Users/user/Library/LaunchAgents/com.wznlVRt83Jsd.HPyT0b4Hwxh.plist

Like other malicious code, to reduce the risk of XLoader infection, you should avoid accessing untrusted websites, be careful with attachments.