New XLoader macOS Malware Disguised as ‘OfficeNote’ App
A fresh variant of the macOS-targeting XLoader malware has emerged, camouflaging itself as the legitimate ‘OfficeNote’ productivity app.
This devious scheme has been uncovered by SentinelOne security researchers, revealing a sophisticated approach by cybercriminals.
Key Takeaways on New XLoader macOS Malware
- A new iteration of XLoader malware, posing as ‘OfficeNote,’ has been detected in the wild.
- This malware variant overcomes the previous version’s limitations by being written in C and Objective-C.
- XLoader’s primary goal is to steal clipboard data and browser-related information, putting macOS users at risk.
Unmasking the Deceptive XLoader Variant
A novel threat has surfaced in the macOS ecosystem as a deceptive variant of the XLoader malware disguises itself as a legitimate office productivity application named ‘OfficeNote.’ SentinelOne’s security researchers, Dinesh Devadoss and Phil Stokes, have unveiled this insidious disguise.
The application is concealed within a standard Apple disk image, bearing the name ‘OfficeNote.dmg’ and is signed with the developer’s signature ‘MAIT JAKHU (54YDV8NU9C).’
XLoader: A Persistent Threat
XLoader is not a newcomer; it was initially detected in 2020 and is viewed as a successor to Formbook, operating under the malware-as-a-service (MaaS) model. A macOS variant emerged in July 2021, but it was written in Java and therefore depended on the Java Runtime Environment, which macOS does not ship natively.
The latest iteration of XLoader removes this barrier by being written in C and Objective-C instead. Notably, the disk image file received its signature on July 17, 2023, though Apple has since revoked it.
Widespread Campaign Alert
SentinelOne has identified numerous submissions of this malware variant on VirusTotal throughout July 2023, indicating a widespread campaign. Intriguingly, advertisements on criminal forums offer the Mac version for rent at a relatively high cost, signaling the cybercriminals’ focus on macOS users in a working environment.
Operation and Persistence
Upon execution, the disguised ‘OfficeNote’ application displays an error message claiming it “can’t be opened because the original item can’t be found.” In reality, it quietly installs a Launch Agent in the background, ensuring persistence on the compromised system.
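A Launch Agent like the one described above survives in a plist under ~/Library/LaunchAgents, so a defender’s first check is to audit those plists for agents whose executable lives somewhere unusual. The script below is an added illustration of that audit, not code from the article or from SentinelOne; the two sample plists and every path in them are constructed.

```python
"""Flag LaunchAgent plists whose program runs from an unusual location.

Added illustration of a persistence audit; not from the article or SentinelOne.
The sample plists below are constructed and their paths are hypothetical."""
import plistlib
from pathlib import PurePosixPath
from typing import List, Optional

# Roots under which legitimately installed agents normally keep their binary.
TRUSTED_PREFIXES = ("/Applications/", "/Library/", "/System/", "/usr/", "/opt/")


def agent_program(plist_bytes: bytes) -> Optional[str]:
    """Return the executable an agent launches: Program, else ProgramArguments[0]."""
    data = plistlib.loads(plist_bytes)
    if data.get("Program"):
        return data["Program"]
    args = data.get("ProgramArguments") or []
    return args[0] if args else None


def suspicious_reasons(plist_bytes: bytes, home: str = "/Users/alice") -> List[str]:
    """Heuristic findings for one LaunchAgent; an empty list means nothing stood out."""
    data = plistlib.loads(plist_bytes)
    program = agent_program(plist_bytes)
    if program is None:
        return ["agent declares no program to run"]
    reasons = []
    # A '.'-prefixed path component means the binary sits in a hidden directory.
    if any(part.startswith(".") for part in PurePosixPath(program).parts[1:]):
        reasons.append("executable lives in a hidden directory")
    # Binaries outside the usual install roots (e.g. loose under the home folder).
    if not program.startswith(TRUSTED_PREFIXES + (home + "/Library/",)):
        reasons.append("executable is outside the standard install locations")
    # Auto-start plus KeepAlive is the combination that keeps an agent running.
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        reasons.append("starts at login and is respawned if killed")
    return reasons


def _plist(label: str, program: str, run_at_load: bool, keep_alive: bool) -> bytes:
    """Build a constructed LaunchAgent plist for the demo."""
    return plistlib.dumps({"Label": label, "ProgramArguments": [program],
                           "RunAtLoad": run_at_load, "KeepAlive": keep_alive})


# Constructed samples: a normal app helper and an agent shaped like a dropped entry.
BENIGN_PLIST = _plist("com.example.updater", "/Applications/Example.app/Contents/MacOS/updater", True, False)
SUSPECT_PLIST = _plist("com.zq8x.agent", "/Users/alice/.zq8x/agent", True, True)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PLIST), ("suspect", SUSPECT_PLIST)):
        print(name, agent_program(blob), suspicious_reasons(blob) or "clean")
```

On a live system, feed each file in ~/Library/LaunchAgents to suspicious_reasons and review every hit alongside the binary’s code signature, since the heuristics only narrow the list.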
Data Theft and Evasion Tactics
XLoader’s primary function is to pilfer clipboard data and data from directories associated with web browsers like Google Chrome and Mozilla Firefox. Safari, however, remains untargeted. To avoid detection, the malware employs various evasion techniques, including sleep commands to delay execution.
Ongoing Threat to macOS Users
In conclusion, XLoader remains a significant threat to macOS users and businesses. This latest iteration, posing as an office productivity application, underscores the malware’s adaptability and persistence. It seeks to steal critical browser and clipboard data, which can then be exploited or sold to other threat actors for further malicious activities.
About SentinelOne:
SentinelOne is a prominent cybersecurity firm specializing in protecting organizations from evolving digital threats. Their research uncovers and analyzes cybersecurity risks, offering insights to enhance digital security measures.