Israeli security firm Check Point reports that a notorious type of Windows malware has risen from the dead and is now attacking Macs as well.

Back in 2017, when FormBooks were last sold, this Windows information-stealing Trojan was busy logging keystrokes, sniffing passwords from web browsers, taking screenshots, and even downloading and running other forms of malware. Development then stopped for several years until a new variant of this malware appeared in 2020 under a completely new name: XLoader.

According to Check Point, the XLoader variant uses the same core software as FormBook, but has been recompiled to attack Macs and perform the same types of information theft.

It also operates fairly inexpensively, based on the "malware-as-a-service" subscription model of mainstream modern cybercrime; a license for the Mac version of XLoader costs $49 per month, while the Windows version costs $59.

Three-month deals are also available, as well as a Java-based cross-platform "binder," which saves the hassle of maintaining two different versions.

As of this week, Russian security firm AnyRun (cited by ThreatPost) said FormBook/XLoader is the third most prevalent malware strain in the world; an older 2017 version of FormBook was licensed at the time still active because copies of the malware could be purchased instead. [Yaniv Balmas, Check Point's head of research, said in a press statement, "MacOS malware is getting bigger and more dangerous. With the growing popularity of the MacOS platform, it makes sense that cybercriminals would be interested in this area."

According to Check Point, FormBook/XLoader infections have been confirmed in 69 countries worldwide, with just over half (53%) occurring in the U.S. The second most common country is, surprisingly, Hong Kong, with 9% of infections.

This may suggest that the malware is originating in mainland China.

To protect yourself from XLoader/FormBook, install and use antivirus software optimized for Windows 10 or Mac. Be careful about opening email attachments or downloading software from suspicious sources, and scan each installation package with antivirus software before running it. (Check Point recommends that Mac users search the LaunchAgents directory (/Users/username/Library/LaunchAgents) for suspicious files.