XLoader Malware Variant Targets MacOS Disguised as OfficeNote App
A new variant of malware called XLoader is targeting macOS users. XLoader’s execution, functionalities and distribution are detailed.
A new report from cybersecurity company SentinelOne shows how the XLoader malware evolved. This information stealer malware has targeted macOS since 2015, but it was recently updated. It now pretends to be an Office application, so it can infect users’ machines and steal information from their clipboards and browsers.
XLoader is an information stealer and keylogger malware-as-a-service first reported by SentinelOne in 2021. However, the malware was developed from the source code of Formbook, an information stealer malware and keylogger that was active between 2015 and 2021. While Formbook only targeted Microsoft Windows operating systems, XLoader started targeting Windows and macOS.
The first versions of XLoader needed the Java Runtime Environment to be executed successfully. Since Apple stopped shipping JRE on macOS years ago, it has been less effective than other malware, although many users on macOS still need JRE for different purposes and have it installed on their systems.
SentinelOne’s researchers Dinesh Devadoss and Phil Stokes report that XLoader has returned in a new form and without those Java dependencies. The new code is written in C and Objective-C and signed with an Apple developer signature from “Mait Jakhu” (Figure A).
Figure A
The signature date is July 17, 2023, but it has since been revoked by Apple. This means that if a user tries to execute the file on a Mac, the operating system will show a warning about it (Figure B) and will not execute it.
Figure B
The XLoader malware can steal passwords from many browsers on Windows and Mac, but its Mac version is limited to stealing passwords from Google Chrome and Mozilla Firefox and stealing the contents of the computer’s clipboard. It has anti-debug capabilities and uses sleep commands to try to avoid analysis by automated security solutions.
Once XLoader is launched, it shows an error indicating the software does not work, while silently dropping its payload and installing persistence in the background.
The malware creates a hidden folder in the user’s home directory and builds an executable inside that folder, using randomized names for both the folder name and the application. A LaunchAgent is also dropped in the same folder and used for persistence.
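The persistence layout described here (a hidden folder directly under the home directory holding both an executable and the LaunchAgent that starts it) is something a defender can hunt for. The script below is an added example, not code from SentinelOne’s report or from the malware: it scans a home directory for hidden top-level folders, parses any property lists found there with Python’s standard `plistlib`, and reports a plist whose first `ProgramArguments` entry is an executable in that same folder. The folder and file names it builds for its demonstration (`.q7x2m9`, `ab3k`, `com.example.ab3k`) are constructed for illustration and are not indicators from the report.

```python
"""Hunt for a hidden home-directory folder that contains a launchd property
list pointing at an executable in the same folder. Added example; all sample
paths and names are constructed for illustration."""
import plistlib
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def _load_launchd_plist(path: Path) -> Optional[dict]:
    """Parse `path` as a plist and return it if it carries the two keys
    launchd needs (Label and a non-empty ProgramArguments); else None."""
    try:
        with path.open("rb") as fh:
            data = plistlib.load(fh)
    except Exception:  # malformed XML/binary plist, unreadable file, etc.
        return None
    if isinstance(data, dict) and "Label" in data and data.get("ProgramArguments"):
        return data
    return None


def _executable_inside(folder: Path, program: str) -> bool:
    """True if `program` is a regular, user-executable file located directly in `folder`."""
    target = Path(program)
    if not target.is_absolute():
        target = folder / target
    try:
        target = target.resolve(strict=True)
        mode = target.stat().st_mode
    except OSError:
        return False
    return (target.parent == folder.resolve()
            and stat.S_ISREG(mode)
            and bool(mode & stat.S_IXUSR))


def find_hidden_launch_agents(home: Path) -> List[Dict[str, str]]:
    """Scan hidden top-level folders in `home` and report each launchd plist
    whose first ProgramArguments entry is an executable in the same folder."""
    findings = []
    hidden_dirs = sorted(p for p in Path(home).iterdir()
                         if p.is_dir() and p.name.startswith("."))
    for folder in hidden_dirs:
        for plist_path in sorted(folder.glob("*.plist")):
            data = _load_launchd_plist(plist_path)
            if data is None:
                continue
            program = str(data["ProgramArguments"][0])
            if _executable_inside(folder, program):
                findings.append({
                    "folder": folder.name,
                    "plist": plist_path.name,
                    "label": str(data["Label"]),
                    "program": program,
                })
    return findings


def build_sample_home(home: Path) -> None:
    """Populate `home` with a benign hidden folder (.ssh holding only a config
    file) and a constructed suspicious one: a random-looking folder name, an
    executable, and a LaunchAgent plist that starts it. Sample data only."""
    (home / ".ssh").mkdir()
    (home / ".ssh" / "config").write_text("Host example\n")
    bad = home / ".q7x2m9"
    bad.mkdir()
    exe = bad / "ab3k"
    exe.write_text("#!/bin/sh\nexit 0\n")
    exe.chmod(0o755)
    agent = {"Label": "com.example.ab3k", "ProgramArguments": [str(exe)], "RunAtLoad": True}
    with (bad / "com.example.ab3k.plist").open("wb") as fh:
        plistlib.dump(agent, fh)


def demo() -> List[Dict[str, str]]:
    """Build the sample home in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_home(Path(tmp))
        return find_hidden_launch_agents(Path(tmp))


if __name__ == "__main__":
    for hit in demo():
        print(f"suspicious: ~/{hit['folder']}/{hit['plist']} starts "
              f"{hit['program']} (label {hit['label']})")
```

Run it against a real account with `find_hidden_launch_agents(Path.home())`. The check is deliberately narrow (plist and executable co-located in a hidden folder) so that ordinary hidden folders such as `.ssh` or `.config` do not trip it; a broader hunt would also list `~/Library/LaunchAgents` entries whose program lives under a dotted directory.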
XLoader then tries to disguise its real command-and-control server by sending dummy network calls to approximately 200 servers unrelated to the malware.
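The decoy traffic is itself a detectable pattern: one process opening connections to a large number of distinct hosts in a short time is unusual for most desktop software. The following added example (not from the report) runs a simple fan-out check over constructed outbound-connection log lines: it counts distinct destination hosts per process within fixed time windows and flags any process that exceeds a threshold. The log format, the process paths, the RFC 5737 documentation addresses and the threshold of 25 hosts per minute are all assumptions chosen for the demonstration; the report gives roughly 200 decoy servers, so a real deployment would tune the threshold to its own baseline.

```python
"""Flag a process that contacts many distinct hosts within one time window,
the fan-out pattern produced by decoy command-and-control traffic.
Added example over constructed log lines; format and threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed log line shape: "<ISO timestamp>Z proc=<path> dst=<ip>:<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>\S+) dst=(?P<host>[\d.]+):(?P<port>\d+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, process, destination host) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return ts, m["proc"], m["host"]


def fanout_per_process(lines: Iterable[str],
                       window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """For each process, the largest number of distinct destination hosts seen
    inside any single fixed-length window."""
    buckets = defaultdict(set)  # (process, window index) -> set of hosts
    secs = int(window.total_seconds())
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the scan
        ts, proc, host = parsed
        buckets[(proc, int(ts.timestamp()) // secs)].add(host)
    worst = defaultdict(int)
    for (proc, _), hosts in buckets.items():
        worst[proc] = max(worst[proc], len(hosts))
    return dict(worst)


def flag_decoy_beaconing(lines: Iterable[str], threshold: int = 25,
                         window: timedelta = timedelta(seconds=60)) -> List[str]:
    """Processes whose per-window distinct-host count reaches `threshold`."""
    counts = fanout_per_process(lines, window)
    return sorted(proc for proc, n in counts.items() if n >= threshold)


def constructed_log() -> List[str]:
    """Sample lines (constructed): a browser talking to three hosts over a
    minute, and a binary in a hidden folder hitting 40 distinct hosts in
    20 seconds, plus one unparseable line."""
    base = datetime(2023, 7, 20, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    browser = "/Applications/Safari.app/Contents/MacOS/Safari"
    for i in range(12):
        t = base + timedelta(seconds=i * 5)
        lines.append(f"{t.strftime(TS_FMT)} proc={browser} dst=203.0.113.{i % 3 + 1}:443")
    hidden = "/Users/alice/.q7x2m9/ab3k"
    for i in range(40):
        t = base + timedelta(seconds=i // 2)
        lines.append(f"{t.strftime(TS_FMT)} proc={hidden} dst=198.51.100.{i + 1}:80")
    lines.append("this line does not match the expected format")
    return lines


if __name__ == "__main__":
    for proc, n in sorted(fanout_per_process(constructed_log()).items()):
        print(f"{n:4d} distinct hosts/minute  {proc}")
    print("flagged:", flag_decoy_beaconing(constructed_log()))
```

Fixed windows are simple but can split one burst across two adjacent windows and halve its count; a sliding window removes that blind spot at the cost of more bookkeeping. Whatever the window, the value of this check for the behaviour above is that spraying decoys makes the real server harder to pick out but makes the process itself easier to spot.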
The malware samples discovered by SentinelOne are named OfficeNote.app and pretend to be Office applications by showing an icon impersonating Microsoft Word. XLoader is delivered as a standard Apple disk image named OfficeNote.dmg.
The researchers noted that multiple submissions of the new XLoader malware sample appeared throughout July 2023 on the VirusTotal platform, which is a system dedicated to running multiple antivirus engines on submitted files. This is a sign that the malware has been widely distributed in the wild.
The new XLoader is being advertised in cybercriminals’ underground forums for $199 USD per month or $299 USD per quarter for its Mac version, while the Windows version is cheaper at $59 USD per month or $129 USD per quarter.
The dashboard accessible to XLoader customers is shown as a screenshot in underground forums to give cybercriminals insight into its functionalities and ease of use.
The way the Apple disk image is delivered to users is unknown; the most common methods for such file delivery are via email campaigns, direct downloads from untrusted locations or via social media platforms or instant messaging. In order to protect your business from this XLoader malware threat, it is strongly advised to:
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.