Jamf Blog
Intersection of four buildings, forming an
July 27, 2021 by Stuart Ashenbrenner

XLoader offers new macOS malware-as-a-service

New malware variant XLoader, targets endpoints using innovative malware-as-a-service platform, customizing malware delivery to macOS devices.

In a recent report, Check Point Research unveiled a new variant of malware infecting macOS. Originally detected in the Windows environment as Formbook, it has since added a mach-o binary along side the Windows executable and has been renamed to XLoader.

The XLoader malware is made available by resellers in a hosted, malware-as-a-service offering for as low as $49 dollars. It requires minimal technical expertise to operate, which has likely contributed to its reputation as one of the most ubiquitous malware families currently in the wild. According to a detailed analysis by SentinelOne, one the primary goals of the malware is to steal credentials in addition to recording keystrokes.

Screenshot of the XLoader installation page.

In its earliest iteration, XLoader (Formbook) was intended to be a simple keylogger/spyware. While not highly sophisticated, its ability to capture network traffic, clipboard data, and passwords has broadened its appeal and usefulness. Check Point Research discovered forum posts with the macOS variant of XLoader being offered as early as October 2020. It is currently unknown how extensive macOS XLoader campaigns have been since that time.

The macOS variant of this malware can be either a compiled binary or a .jar file. It is likely that the developers of the malware used the .jar file form of distribution in order to target more than just the Windows environment, in this case, macOS. One point to note on distributing malware via a .jar file is the necessity to have the Java Runtime Environment (JRE) installed locally. Java is not installed out-of-the-box on macOS but is still used by many different pieces of software, as well as by many organizations.

Upon execution of the .jar file, the malware drops a .ico file into the user’s home directory. The .ico file extension is used for Windows icon file. This type of file, in this case resembling the Microsoft Word document icon, will open up the icon in the user’s default image viewer, like Preview.app on macOS.

The file itself appears benign, as the malware does not require any user interaction to continue to infect the user. This is a strange approach by the attackers, as it doesn’t seem to serve any functional purpose. If the user were to inspect this file, it would likely be a dead giveaway that something is awry. This is a strong indicator that the malware is in an early stage of its macOS development by it authors. XLoader establishes persistence by placing a plist file in the LaunchAgent directory that points to a hidden app bundle, also in the home directory.

XLoader takeaways

While XLoader has shown sophistication in its attempts to steal keystrokes and credentials, it has also demonstrated immaturity with its approach to infecting macOS. It will likely see development in the future to flesh out incomplete features and better evade detection.

Jamf Protect already detects and prevents the execution of the XLoader malware as MacOS.Adware.Xloader. The Jamf Protect team will continue to track and monitor the spread and evolution of this malware, including additional malware detection mechanisms as needed. Currently, no instances of this malware have been detected in the wild.

See for yourself how Jamf Protect's purpose-built, endpoint security keeps your devices safe

Contact us today to request a trial, or speak with your preferred Apple reseller.

Stuart Ashenbrenner
Other authors:
Matt Benyo
Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.