A newly identified variant of Apple macOS malware, known as XLoader, has been discovered in the wild, cleverly disguised as a productivity application named “OfficeNote.” This development raises significant concerns for users in professional environments, as the malware specifically targets sensitive information.
The malware is delivered as a password-protected disk image labeled OfficeNote.dmg. According to SentinelOne researchers Dinesh Devadoss and Phil Stokes, this particular iteration of XLoader is signed with a developer certificate belonging to MAIT JAKHU (54YDV8NU9C). Such signing can add a veneer of legitimacy, making it increasingly difficult for users to discern the malicious intent embedded within.
XLoader, which first emerged in 2020, is recognized as a successor to the infamous Formbook malware. It operates as an information stealer and keylogger following the malware-as-a-service (MaaS) model. A macOS variant originally surfaced in July 2021 but was distributed as a Java program, requiring the Java Runtime Environment (JRE) for execution. Notably, since Apple halted the inclusion of the JRE with Mac systems over a decade ago, the authors of this new variant have pivoted to native languages such as C and Objective-C, removing the JRE dependency that limited the earlier variant. This latest version, whose disk image file was signed on July 17, 2023, has since had its signature revoked by Apple, a step that underscores the ongoing cat-and-mouse game between cybersecurity defenses and malware developers.
During July 2023, a high volume of submissions of this artifact was detected on VirusTotal, indicating a widespread campaign targeting macOS users. The researchers noted that the malware can be rented on crimeware forums, with offerings priced at $199 for one month or $299 for three months. These costs are substantially higher than those of the Windows versions of XLoader, which rent for $59 per month or $129 for three months, underscoring the appeal and market demand for macOS attacks.
Upon execution, OfficeNote generates a misleading error message claiming that it “can’t be opened because the original item can’t be found.” This ruse serves as a distraction while the application stealthily installs a Launch Agent in the background, establishing persistence on the infected system. This method highlights the intricacies involved in crafting malware that mimics legitimate software to achieve its goals without raising alarms.
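Launch Agent persistence of the kind described above leaves a plist under a LaunchAgents directory, and those files can be triaged without any macOS-specific tooling. The following is an added defender-side example, not code from the article or from SentinelOne: it parses LaunchAgent plists with the standard library and reports heuristic indicators (execution from temporary or hidden paths, RunAtLoad binaries inside a user home, malformed labels). The sample plists, their label, and their paths are constructed and hypothetical, not indicators taken from the report.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Directories a persistent agent should rarely execute from (heuristic list, not from the report)
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/", "/Users/Shared/")

def launch_agent_program(agent):
    """Resolve the executable a LaunchAgent runs: Program wins, else ProgramArguments[0]."""
    prog = agent.get("Program")
    if not prog:
        args = agent.get("ProgramArguments") or []
        prog = args[0] if args else None
    return prog

def assess_launch_agent(plist_bytes):
    """Return (label, program, indicators); an empty indicators list means no heuristic fired."""
    agent = plistlib.loads(plist_bytes)
    label = agent.get("Label")
    prog = launch_agent_program(agent)
    indicators = []
    if not label or "." not in label:
        indicators.append("Label missing or not in reverse-DNS form")
    if prog is None:
        indicators.append("no Program or ProgramArguments")
    else:
        if prog.startswith(TEMP_PREFIXES):
            indicators.append("runs from a temporary or shared directory")
        if any(p.startswith(".") for p in PurePosixPath(prog).parts):
            indicators.append("runs from a hidden path component")
        if prog.startswith("/Users/") and "/Applications/" not in prog and agent.get("RunAtLoad"):
            indicators.append("RunAtLoad binary in a user home outside ~/Applications")
    return label, prog, indicators

def scan_launch_agents(directory):
    """Assess every *.plist in a LaunchAgents directory (e.g. ~/Library/LaunchAgents)."""
    results = {}
    for path in Path(directory).glob("*.plist"):
        try:
            results[str(path)] = assess_launch_agent(path.read_bytes())[2]
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            results[str(path)] = [f"unparseable plist: {exc}"]
    return results

# Constructed sample agents: the label and paths are hypothetical, not IoCs from the report
SUSPECT_PLIST = plistlib.dumps({"Label": "com.officenote.update", "RunAtLoad": True, "KeepAlive": True,
                                "ProgramArguments": ["/Users/victim/Library/.officenote/OfficeNote"]})
BENIGN_PLIST = plistlib.dumps({"Label": "com.example.sync", "RunAtLoad": True,
                               "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/sync-helper"]})
```

Run `scan_launch_agents` against both the per-user and `/Library/LaunchAgents` directories; the heuristics are triage signals to prioritize review, not a verdict on their own.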
Once activated, the XLoader malware effectively captures clipboard data and gathers sensitive information from directories tied to web browsers such as Google Chrome and Mozilla Firefox. It is important to note that Apple’s Safari browser is not targeted. The malware additionally incorporates evasion techniques, employing sleep commands to delay execution and minimize detection by security solutions.
The emergence of this variant signifies an ongoing threat to macOS users and businesses alike. With its camouflage as a harmless office productivity application, XLoader demonstrates a clear intent to infiltrate work environments, aiming to extract browser data and clipboard contents that could be exploited or sold to other malicious actors for future attacks.
In dissecting the tactics involved, one may reference the MITRE ATT&CK framework, which could categorize components of this attack under initial access techniques such as using external remote services, persistence through the creation of Launch Agents, and data collection through clipboard data grabbing and web browser information extraction. These tactics reflect the sophisticated strategies employed by adversaries in crafting attacks designed to evade detection while maximizing their impact on targets. As such, it remains critical for business owners and cybersecurity professionals to stay informed and vigilant against evolving threats in the landscape.