A macOS variant of the known XLoader malware has resurfaced, masking its information-stealing capabilities under the guise of an office productivity application called “OfficeNote,” researchers warn.
XLoader has been around since 2015 and a macOS version of the malware was first observed in 2021. This initial variant was distributed as a Java program, limiting the malware's spread because Java Runtime Environment hasn’t shipped on macOS by default for more than a decade.
However, the newest macOS variant of XLoader "has returned in a new form and without the dependencies," according to SentinelOne’s SentinelLabs researchers on Monday. Researchers observed multiple submissions of this most recent sample on VirusTotal in July, hinting that the malware has been distributed widely.
"This version of XLoader represents a step-up from the last time we saw an XLoader variant targeting macOS," said Phil Stokes with SentinelLabs. "Although I wouldn’t describe it as ’sophisticated’ by any means it is functional and works as intended. The fact that the developer or distributor has bothered to sign it with an Apple Developer ID suggests they are actively engaged in trying to improve their chances of success against macOS targets."
Researchers said that the newest version of the malware is written in the C and Objective-C programming languages, and is bundled in a standard Apple disk image called OfficeNote.dmg, complete with a now-revoked application signature (the application was signed on July 17, but Apple has since revoked the signature).
“Despite that, our tests indicate that Apple’s malware blocking tool, XProtect, does not have a signature to prevent execution of this malware at the time of writing,” said researchers.
After the malware is executed, it shows the victim an error message saying the application is non-functional; however, in the background XLoader is installing the payload, in addition to LaunchAgent for persistence. The malware also attempts to evade analysis, using sleep commands to delay behavior (to thwart automated analysis tools), for instance.
“XLoader uses a variety of dummy network calls to disguise the real C2,” said researchers. “We observed 169 DNS name resolutions and 203 HTTP requests. Among the many contacted hosts the malware reaches out to are the following suspicious or malicious IP addresses.”
The XLoader variant also leverages several techniques that were used by previous versions. For instance, the error message that it throws to victims is hardcoded using a stack string technique, which previous variants relied on. The LaunchAgent that is dropped in the Library folder at the start of the attack is also similar to one used by previous versions of the malware, which provides a “start” value to the executable so that the binary can differentiate between the first and subsequent runs.
Once downloaded, XLoader aims to steal login data from various browsers and clipboards. Researchers said this data could be sold to other threat actors or used in further compromises.
“As in previous versions, the malware attempts to steal secrets from the user’s clipboard via the Apple API NSPasteboard and generalPasteboard,” said researchers. “It targets both Chrome and Firefox browsers, reading the login.json file located in ~/Library/Application Support/Firefox/Profiles for Firefox and ~/Library/Application Support/Google/Chrome/Default/Login Data for Chrome.”
Over the years, as the market share of macOS devices used by businesses has increased, more threat actors have finetuned their malware to target this platform, as seen with XLoader and other malware families like RustBucket.
"The key to businesses with Macs in their fleet is to ensure they have tools that offer visibility into what is happening on their Mac endpoints as well as additional protection," said Stokes. "As we noted in the blog post, although Apple revoked the signature, they have not updated their built-in malware blocking tool to detect this variant of XLoader, and it’s a simple matter for threat actors to acquire new developer IDs to sign their apps with."