Rewterz Threat Alert – XLoader macOS Malware Variation Concealed as ‘OfficeNote’ Productivity Software – Active IOCs

Severity

High

Analysis Summary

A new variant of the macOS-targeting malware XLoader has recently emerged, utilizing a sophisticated disguise as an innocuous office productivity application named “OfficeNote.” Initially detected in 2020, XLoader is part of the malware-as-a-service (MaaS) model, inheriting traits from its predecessor Formbook. This malware functions as an information stealer and keylogger, with a history of targeting both individuals and organizations.

According to the researchers, previous version of XLoader was identified in 2021, distributed as a Java program in the form of a compiled .JAR file. This approach necessitated the presence of the Java Runtime Environment (JRE) for execution, limiting its impact on modern macOS systems where Apple had ceased shipping JRE over a decade ago.

However, the newest iteration of XLoader has ingeniously sidestepped this limitation by transitioning to programming languages like C and Objective C. To add a layer of authenticity, the malicious disk image file was signed on July 17, 2023, though Apple has since revoked the signature in response to the threat.

Evidence suggests a widespread campaign involving this variant, as multiple submissions of the malware artifact were spotted on VirusTotal throughout July 2023. Intriguingly, advertisements on underground forums market the macOS version of XLoader for rent at $199/month or $299/3 months, a relatively steep price point compared to its Windows counterparts.

Once executed, the faux application “OfficeNote” presents a seemingly harmless error message, concealing its true intent. Behind the scenes, it establishes a Launch Agent to ensure persistence on the compromised system.

XLoader’s functionality extends to harvesting clipboard data and information stored within directories associated with prominent web browsers like Google Chrome and Mozilla Firefox. However, the malware curiously refrains from targeting Apple’s own browser, Safari.

The threat actor behind XLoader employs various techniques to thwart analysis, both manual and automated. These include timed sleep commands to delay execution and evade detection. As this new iteration of XLoader masquerades as an office productivity app, it appears to have a specific focus on users in professional settings. The malware’s objective is to collect sensitive browser and clipboard data, which could be either exploited or sold to other malicious actors for further nefarious activities. Given its ongoing evolution and active campaigns, XLoader remains a persistent concern for macOS users and organizations alike.

Impact

• Credential Theft
• Data Theft
• Keystroke Logging

Indicators of Compromise

IP

• 184.168.131.241
• 204.11.56.48
• 216.239.38.21
• 34.102.136.180
• 64.190.62.111
• 64.32.8.70

MD5

• a17bf4533d7ec677a0d4bdae19e41ff2
• 4ded6a1d590e8a31ae6b9ea0ffb3331d

SHA-256

• 97d6b194da410db82d9974aec984cff8ac0a6ad59ec72b79d4b2a4672b5aa8aa
• 81c4276f2e3c0ed456b08402a6a5b63d0cad68220b7a3275b3cbf0ba73faaa21

SHA-1

• 7edead477048b47d2ac3abdc4baef12579c3c348
• b8c0167341d3639eb1ed2636a56c272dc66546fa

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Enable two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Make sure all of your software, including your operating system and applications, are up-to-date with the latest security patches. This can help prevent vulnerabilities that could be exploited by XLoader and other types of malware.