XLoader MacOS Malware Variant Returns With OfficeNote Facade

The notorious XLoader malware has resurfaced, posing as a seemingly innocuous office productivity app named “OfficeNote.”

Known for malicious activity since 2015, XLoader began targeting macOS systems in 2021, relying on Java dependencies to run. According to an advisory published by SentinelOne on Monday, the new iteration is self-contained, written in C and Objective-C, and carries a legitimate Apple developer signature.

“The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg,” SentinelOne security researchers Dinesh Devadoss and Phil Stokes wrote.

“This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment.”

Upon execution, the disguised OfficeNote app displays a decoy error message to divert the user while it quietly drops its payload and sets up persistence, the researchers explained.

This variant keeps its established focus on stealing sensitive data from users' clipboards and from the Chrome and Firefox browsers, while evading scrutiny with obfuscated network connections and anti-analysis measures.

“MacOS allows the execution of Apple-approved developer signatures when downloaded from the internet,” explained Duncan Miller, endpoint security director at Tanium.

“In this case, the developer was Apple-approved, showing the feature’s limitations. This highlights the importance of monitoring application signatures executed in the environment and reviewing the used signatures regularly.”
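The signature review Miller describes can be scripted. The following is an added example, not code from the article, SentinelOne or Tanium: it parses the certificate chain and Team ID that macOS's `codesign -dv --verbose=4` reports for an application bundle and flags signers that are not on a reviewed allowlist. The sample output, bundle identifier, Team ID and allowlist are constructed placeholders.

```python
import subprocess
from typing import Dict, List, Set, Tuple

# Keys worth keeping from `codesign -dv --verbose=4` (it prints "Key=Value" lines to
# stderr; "Authority" appears once per certificate in the chain, leaf first).
WANTED_KEYS = {"Executable", "Identifier", "Format", "Authority", "TeamIdentifier"}

# Constructed sample of codesign output; path, bundle identifier and Team ID are placeholders.
SAMPLE_OUTPUT = """\
Executable=/Volumes/OfficeNote/OfficeNote.app/Contents/MacOS/OfficeNote
Identifier=com.example.officenote
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Developer (EXAMPLE123)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLE123
"""


def parse_codesign_output(text: str) -> Dict[str, List[str]]:
    """Collect the wanted Key=Value lines; repeated keys (Authority) keep chain order."""
    info: Dict[str, List[str]] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in WANTED_KEYS:
            info.setdefault(key, []).append(value.strip())
    return info


def assess(info: Dict[str, List[str]], allowed_team_ids: Set[str]) -> Tuple[str, str]:
    """Classify a signature. A valid Developer ID only proves Apple issued the certificate,
    so a signer outside the reviewed allowlist is queued for human review, not trusted."""
    chain = info.get("Authority", [])
    if not chain:
        return "unsigned", "no certificate chain present"
    if chain[0] == "Software Signing":  # Apple's own first-party signing certificate
        return "apple", chain[0]
    team = info.get("TeamIdentifier", ["not set"])[0]
    if team in allowed_team_ids:
        return "allowed", f"{chain[0]} (Team ID reviewed)"
    return "review", f"{chain[0]} signed by unreviewed Team ID {team}"


def inspect_app(path: str, allowed_team_ids: Set[str]) -> Tuple[str, str]:
    """Run codesign on a bundle (macOS only) and classify the result; output is on stderr."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True)
    return assess(parse_codesign_output(proc.stderr), allowed_team_ids)
```

Running `inspect_app` over every bundle under /Applications and diffing the "review" set against the previous run is the periodic review the quote calls for.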

SentinelOne has observed widespread distribution of this new variant via online criminal forums, where it is offered for rent at the unusually high rates of $199 per month or $299 for three months.

“The evolution of XLoader’s distribution mechanism from being Java-dependent to harnessing a native MacOS platform stands as a stark testament to the ever-adapting landscape of cybersecurity threats,” warned Callie Guenther, cyber-threat research senior manager at Critical Start.

“Their commitment to evolving their tools and methodologies serves as a potent reminder that in the world of cybersecurity, complacency is not an option, and the pursuit of robust defenses is a relentless endeavor.”

Experts recommend vigilance among macOS users, emphasizing the urgency of deploying reliable third-party security solutions to thwart this persistent threat.
