Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Productivity Apps. Show all posts

XLoader macOS Malware Variant Disguised as 'OfficeNote' Productivity App

 

A fresh variant of the Apple macOS malware known as XLoader has emerged, disguising its malicious intent through an office productivity app named "OfficeNote," according to cybersecurity experts from SentinelOne. 

In an analysis released on Monday, researchers Dinesh Devadoss and Phil Stokes revealed that the new form of XLoader is packaged within a regular Apple disk image, named OfficeNote.dmg. The application it contains bears the developer signature "MAIT JAKHU (54YDV8NU9C)."

XLoader, initially spotted in 2020, is categorized as an information stealer and keylogger that operates under the malware-as-a-service (MaaS) model. 

It follows in the footsteps of Formbook. While a macOS variant of XLoader emerged in July 2021, distributed as a Java program in the form of a compiled .JAR file, its execution was limited by the absence of the Java Runtime Environment in modern macOS installs.

To circumvent this constraint, the latest version of XLoader employs programming languages like C and Objective C. The disk image file carrying the malware was signed on July 17, 2023, a signature that has since been revoked by Apple.

SentinelOne reported discovering multiple instances of the malicious artifact on VirusTotal throughout July 2023, indicating a wide-reaching campaign. The researchers noted that the malware is advertised for rent on criminal forums, with the macOS version priced at $199 per month or $299 for three months.

Interestingly, this pricing is steeper than that of the Windows versions of XLoader, which are available for $59 per month or $129 for three months.

Once initiated, the seemingly harmless OfficeNote app displays an error message claiming it cannot be opened due to a missing original item. In reality, it surreptitiously installs a Launch Agent in the background to ensure its persistence.

XLoader's functionality centers around the collection of clipboard data and information stored within directories associated with web browsers like Google Chrome and Mozilla Firefox. However, Safari appears to be exempt from its targeting. 

Additionally, the malware is engineered to introduce sleep commands, delaying its execution and evading detection by both manual and automated security measures.

"XLoader continues to present a threat to macOS users and businesses," the researchers concluded.

"This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment. The malware attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise."