A new variant of the macOS-targeting malware XLoader has recently emerged, disguised as an innocuous office productivity application named “OfficeNote.” First seen in 2020, XLoader is sold under a malware-as-a-service (MaaS) model and inherits much of its behaviour from its predecessor Formbook. It functions as an information stealer and keylogger and has a history of targeting both individuals and organizations.
According to the researchers, the previous macOS version of XLoader, identified in 2021, was distributed as a Java program in the form of a compiled .JAR file. That approach required the Java Runtime Environment (JRE) to be present on the victim's machine, which limited its reach on modern macOS systems: Apple stopped shipping a JRE with macOS over a decade ago.
The newest iteration sidesteps this limitation by being written in C and Objective-C, so it runs natively with no runtime dependency. To lend it authenticity, the malicious disk image file was signed on July 17, 2023; Apple has since revoked that signature in response to the threat, so Gatekeeper on an up-to-date system should now refuse to launch it.
Evidence suggests a widespread campaign: multiple submissions of the malware artifact appeared on VirusTotal throughout July 2023. Advertisements on underground forums offer the macOS version of XLoader for rent at $199 per month or $299 for three months, a relatively steep price compared to its Windows counterparts.
Once executed, the faux “OfficeNote” application displays a seemingly harmless error message to reassure the user, while in the background it installs a Launch Agent so that the malware is relaunched at every login. That per-user Launch Agent is the one durable artifact the infection leaves on disk, and a plist in ~/Library/LaunchAgents that points at a binary outside any normal application location is the first thing a responder should look for.
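As an added example (not code from the original article or from the researchers who analysed XLoader), the following Python script audits a LaunchAgents directory for the persistence pattern described above: an agent that runs at load, keeps itself alive, and launches a program from a hidden or otherwise untrusted path. The two plists it builds are constructed test fixtures; the label com.officenote.agent and the path /Users/victim/.hidden/OfficeNote are assumptions in the spirit of the lure, not published indicators of compromise.

```python
"""Heuristic audit of macOS Launch Agent plists for XLoader-style persistence.

Added example, not part of the original article. Sample plists are
constructed; flagged labels and paths are assumptions, not real IOCs.
"""
import os
import plistlib
import tempfile
from typing import Dict, List

# Where a legitimate Launch Agent's program normally lives. Anything else
# (dot-directories under $HOME, /tmp, /var/folders, ...) merits a look.
# This is a triage heuristic and will flag some benign third-party agents.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")


def program_path(plist: dict) -> str:
    """Return the executable an agent launches, from Program or ProgramArguments."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess_agent(plist: dict) -> List[str]:
    """Return the reasons this agent looks suspicious (empty list if none)."""
    reasons: List[str] = []
    exe = program_path(plist)
    if not exe:
        return ["no Program/ProgramArguments"]
    untrusted = not exe.startswith(TRUSTED_PREFIXES)
    if untrusted:
        reasons.append(f"program outside trusted locations: {exe}")
    # A hidden directory component (".foo/") is a classic hiding spot.
    if any(p.startswith(".") and p not in (".", "..") for p in exe.split("/")):
        reasons.append("program lives under a hidden (dot) directory")
    if plist.get("RunAtLoad") and untrusted:
        reasons.append("RunAtLoad set for untrusted program (runs at every login)")
    if plist.get("KeepAlive"):
        reasons.append("KeepAlive set (launchd relaunches it if killed)")
    return reasons


def audit_dir(directory: str) -> Dict[str, List[str]]:
    """Parse every .plist in a LaunchAgents directory; map filename -> reasons."""
    findings: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)  # handles XML and binary plists
        except (plistlib.InvalidFileException, ValueError) as exc:
            findings[name] = [f"unparseable plist: {exc}"]
            continue
        reasons = assess_agent(plist)
        if reasons:
            findings[name] = reasons
    return findings


def build_samples(directory: str) -> None:
    """Write two constructed plists: one benign-looking, one XLoader-style."""
    benign = {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "RunAtLoad": True,
    }
    # Hypothetical label and path modelled on the OfficeNote lure; not a real IOC.
    shady = {
        "Label": "com.officenote.agent",
        "ProgramArguments": ["/Users/victim/.hidden/OfficeNote"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    for fname, data in (("com.example.updater.plist", benign),
                        ("com.officenote.agent.plist", shady)):
        with open(os.path.join(directory, fname), "wb") as fh:
            plistlib.dump(data, fh)


def demo() -> Dict[str, List[str]]:
    """Run the audit over the constructed samples in a temp dir and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return audit_dir(tmp)


if __name__ == "__main__":
    for fname, reasons in demo().items():
        print(fname)
        for r in reasons:
            print("  -", r)
```

On a real host, call audit_dir(os.path.expanduser("~/Library/LaunchAgents")) for each user, and also /Library/LaunchAgents and /Library/LaunchDaemons. Expect false positives: many legitimate vendors run agents from ~/Library/Application Support, which the heuristic deliberately does not trust, so confirm each hit by checking the binary's code signature (codesign -dv --verbose=4 on the program path) before acting on it.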
XLoader harvests clipboard contents and data stored in the profile directories of browsers such as Google Chrome and Mozilla Firefox. Curiously, it does not target Apple’s own browser, Safari.
The threat actor behind XLoader employs various techniques to thwart both manual and automated analysis, including timed sleep commands that delay execution so that sandboxes with short run windows never observe the malicious behaviour. Because this iteration masquerades as an office productivity app, it appears to be aimed at users in professional settings. Its objective is to collect sensitive browser and clipboard data, which can be exploited directly or sold to other malicious actors. Given its ongoing evolution and active campaigns, XLoader remains a persistent concern for macOS users and organizations alike.