New Variant of XLoader Malware Disguised as OfficeNote App Detected on macOS

Researchers from SentinelOne have uncovered a new variant of the XLoader malware targeting Apple macOS systems. This variant is disguised as an office productivity app named “OfficeNote.” The malware is delivered inside a standard Apple disk image named “OfficeNote.dmg,” and the application bundle it contains is signed with an Apple developer certificate issued to MAIT JAKHU (team ID 54YDV8NU9C).

XLoader, a successor to Formbook, is an information stealer and keylogger that operates under the malware-as-a-service (MaaS) model. While the original XLoader was first detected in 2020, a macOS variant appeared in July 2021 in the form of a Java program distributed as a compiled .JAR file.

The previous macOS version required the Java Runtime Environment, which Apple no longer ships by default, so it would not run on recent macOS installs without the user adding Java. The latest iteration drops that dependency: it is written in C and Objective-C and runs natively. The application's code signature is dated July 17, 2023; Apple has since revoked the certificate, so Gatekeeper will now block the app on systems that check signatures online, but copies installed before the revocation are unaffected.

Multiple submissions of this new XLoader variant were uploaded to VirusTotal throughout July 2023, indicating an active campaign with more than one victim. Criminal forums advertise the Mac version for rent on monthly and three-month terms, at prices that are relatively expensive compared to the Windows variants.

Once executed, OfficeNote displays an error message claiming it can't be opened because the original item can't be found. In the background, however, it installs a Launch Agent (a launchd property list under the user's Library folder) so that the malware is started again at each login. XLoader is designed to harvest clipboard data and information stored in the profile directories of web browsers such as Google Chrome and Mozilla Firefox. It does not target Safari.
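The two indicators above, a Launch Agent that points at a binary dropped outside the usual application locations and a code signature belonging to the reported team ID, are what an analyst would check first when triaging a Mac. The following is an added example written for this article, not code from SentinelOne or the original post. It parses launchd plists, pulls the team identifier out of `codesign -dv --verbose=4` output, and flags the combination. The team ID 54YDV8NU9C is the one from the report; the sample plist, the sample `codesign` output (including the `Authority=` line), the plist label `com.example.agent`, the path under `/Users/alice`, and the list of trusted path prefixes are all constructed assumptions for illustration.

```python
"""Triage helper for macOS Launch Agent persistence (added example, not from
SentinelOne or the original article).

It parses LaunchAgent plists, extracts the program each one runs, and flags
entries whose binary lives outside the usual system/app locations or whose
code-signing team ID is on a watchlist. The sample plist and the sample
codesign output below are constructed; only the team ID 54YDV8NU9C comes
from the report."""
import plistlib
import re
import subprocess
from pathlib import Path
from typing import Dict, List, Optional

# Team ID reported for the OfficeNote signer. Apple has revoked the certificate,
# but a plist that still points at a binary signed with it is a strong indicator.
WATCHLIST_TEAM_IDS = {"54YDV8NU9C"}

# Assumed locations where legitimately installed agents keep their binaries.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def program_from_plist(data: bytes) -> Optional[str]:
    """Return the executable a launchd plist runs (Program, else ProgramArguments[0])."""
    plist = plistlib.loads(data)
    if isinstance(plist.get("Program"), str):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def team_id_from_codesign(output: str) -> Optional[str]:
    """Extract the TeamIdentifier line from `codesign -dv --verbose=4` output.

    Returns None for unsigned or ad-hoc signed binaries ("TeamIdentifier=not set")."""
    m = re.search(r"^TeamIdentifier=(.+?)\s*$", output, re.MULTILINE)
    if not m or m.group(1) == "not set":
        return None
    return m.group(1)


def codesign_info(path: str) -> str:
    """Run codesign on a real binary; codesign prints to stderr. Returns "" off macOS."""
    try:
        r = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                           capture_output=True, text=True, timeout=30)
    except (FileNotFoundError, subprocess.SubprocessError):
        return ""
    return r.stderr + r.stdout


def assess(program: Optional[str], codesign_output: str) -> List[str]:
    """Return the reasons a Launch Agent looks suspicious (empty list = nothing flagged)."""
    reasons: List[str] = []
    if program is None:
        reasons.append("no program path")
        return reasons
    if not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"binary outside trusted locations: {program}")
    tid = team_id_from_codesign(codesign_output)
    if tid in WATCHLIST_TEAM_IDS:
        reasons.append(f"signed by watchlisted team ID {tid}")
    elif tid is None and codesign_output:
        reasons.append("unsigned or ad-hoc signed")
    return reasons


def scan_launch_agents(home: Path = Path.home()) -> Dict[str, List[str]]:
    """Scan ~/Library/LaunchAgents on a live Mac; returns {plist path: reasons} for flagged entries."""
    findings: Dict[str, List[str]] = {}
    for plist in (home / "Library" / "LaunchAgents").glob("*.plist"):
        prog = program_from_plist(plist.read_bytes())
        reasons = assess(prog, codesign_info(prog) if prog else "")
        if reasons:
            findings[str(plist)] = reasons
    return findings


# Constructed sample: a Launch Agent pointing at a binary dropped under the user's home.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key><array><string>/Users/alice/Library/Application Support/agent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

# Constructed sample of codesign output for that binary, using the team ID from the report.
SAMPLE_CODESIGN = """Executable=/Users/alice/Library/Application Support/agent
Identifier=com.example.agent
Format=Mach-O thin (x86_64)
Authority=Developer ID Application: MAIT JAKHU (54YDV8NU9C)
TeamIdentifier=54YDV8NU9C
"""

if __name__ == "__main__":
    prog = program_from_plist(SAMPLE_PLIST)
    for reason in assess(prog, SAMPLE_CODESIGN):
        print("FLAG:", reason)
    for plist, reasons in scan_launch_agents().items():  # empty on non-macOS hosts
        print(plist, reasons)
```

On a live Mac, `scan_launch_agents()` walks the current user's LaunchAgents folder and runs `codesign` on each program; the sample data lets the logic be exercised on any host. A revoked certificate is not visible in `codesign -dv` output, which only reports what the signature claims, so pair this with `spctl --assess --verbose` on the binary if you need Gatekeeper's current verdict.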

To evade analysis, the malware incorporates techniques to hinder both manual and automated detection. In particular, it issues sleep commands to delay its malicious behaviour, so that a short sandbox run or a quick look by an analyst sees nothing of note before the sample times out.

The researchers warn that XLoader remains a threat to macOS users and businesses. The fact that this new variant masquerades as an office productivity app suggests that it primarily targets users in working environments. The stolen browser and clipboard data could be sold or used by other threat actors for further compromise.

The post New Variant of XLoader Malware Disguised as OfficeNote App Detected on macOS appeared first on satProviders.