New Variant of XLoader macOS Malware Disguised as 'OfficeNote' Productivity App

Cyber Security Threat Summary:
A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called ‘OfficeNote.’ ‘The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg, SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. "The application contained within is signed with the developer signature MAIT JAKHU (54YDV8NU9C).’ XLoader, first detected in 2020, is considered a successor to Formbook and is an information stealer and keylogger offered under the malware-as-a-service (MaaS) model. A macOS variant of the malware emerged in July 2021, distributed as a Java program in the form of a compiled .JAR file. ‘Such files require the Java Runtime Environment, and for that reason the malicious .jar file will not execute on a macOS install out of the box, since Apple stopped shipping JRE with Macs over a decade ago,’ the cybersecurity firm noted at the time. The latest iteration of XLoader gets around this limitation by switching to programming languages such as C and Objective C, with the disk image file signed on July 17, 2023. Apple has since revoked the signature” (The Hacker News, 2023).

Security Officer Comments:
The latest variant has been widely distributed in the wild, based on multiple submissions appearing on VirusTotal throughout July. Taking a look at crimeware forums, the Mac version is being advertised for rental at $199/month or $299/3 months, which is relatively more expensive than Windows variants, which go for $59/month and $129/3 months. For its part, XLoader is capable of stealing information from the user’s clipboard and targets data stored in both Chrome and Firefox browsers. XLoader is also capable of evading analysis and will attempt to prevent reverse engineering by security professionals.

"On execution, the malware executes sleep commands to delay behavior in the hope of fooling automated analysis tools. The binaries are stripped and exhibit high entropy in an attempt to similarly thwart static analysis,” noted SentinelOne researchers in their blog post.

Suggested Correction(s):
When downloading software online, users should ensure it comes from a reputable source and not from a third-party site. Prior to installation, software should also be scanned by antivirus software which can be instrumental in detecting malicious embedded executables.