XLoader MacOS Malware Variant Returns With OfficeNote Facade
The notorious XLoader malware has resurfaced, posing as a seemingly innocuous office productivity app named “OfficeNote.”
Known for its malicious activity since 2015, XLoader began targeting macOS systems in 2021 and relied on Java dependencies to run. However, according to an advisory published by SentinelOne on Monday, this new iteration is self-sufficient: it is written in C and Objective-C and carries a legitimate Apple developer signature.
“The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg,” SentinelOne security researchers Dinesh Devadoss and Phil Stokes wrote.
“This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment.”
Upon execution, the disguised OfficeNote app displays a decoy error message while it quietly drops its payload and sets up persistence, the researchers explained.
This variant keeps its established focus on stealing sensitive data from users’ clipboards and from the Chrome and Firefox browsers, while evading scrutiny with obfuscated network connections and anti-analysis measures.
“MacOS allows the execution of Apple-approved developer signatures when downloaded from the internet,” explained Duncan Miller, endpoint security director at Tanium.
“In this case, the developer was Apple-approved, showing the feature’s limitations. This highlights the importance of monitoring application signatures executed in the environment and reviewing the used signatures regularly.”
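The monitoring Miller describes can be started from the command line: macOS's `codesign` utility reports the Team Identifier behind an app's Developer ID signature, and comparing that identifier against a list of teams the organization expects to see turns a one-off check into a repeatable inventory. The script below is an added example written for this article; it is not code from SentinelOne, Tanium, or the malware authors. The allowlisted Team IDs, the bundle identifier, and the sample `codesign` output are constructed placeholders, not real identifiers taken from the OfficeNote sample.

```shell
#!/bin/sh
# Added example: inventory the code-signing identities of installed macOS apps
# and flag any signed by a Team ID that is not on the organization's allowlist.
# Team IDs below are constructed placeholders, not real Apple developer teams.

ALLOWED_TEAM_IDS="ABCDE12345 FGHIJ67890"

# Pull the TeamIdentifier line out of `codesign -dv --verbose=4` output on stdin.
# codesign prints "TeamIdentifier=not set" for ad-hoc signatures and a
# "not signed at all" message for unsigned bundles; both yield no usable ID.
team_id_from_codesign() {
  sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Return 0 when the Team ID is allowlisted, 1 otherwise.
team_id_allowed() {
  for t in $ALLOWED_TEAM_IDS; do
    [ "$1" = "$t" ] && return 0
  done
  return 1
}

# Classify one bundle from its codesign output on stdin. Prints one of:
#   ALLOWED <id>   signed by a known team
#   REVIEW <id>    validly signed, but by a team nobody has vetted (the
#                  OfficeNote case: a real Developer ID is not proof of intent)
#   UNSIGNED       no Developer ID signature at all
classify_signature() {
  tid=$(team_id_from_codesign)
  if [ -z "$tid" ] || [ "$tid" = "not set" ]; then
    echo "UNSIGNED"
  elif team_id_allowed "$tid"; then
    echo "ALLOWED $tid"
  else
    echo "REVIEW $tid"
  fi
}

# Walk /Applications on a real Mac and print one tab-separated line per bundle.
# codesign writes its report to stderr, hence the 2>&1.
audit_applications() {
  for app in /Applications/*.app; do
    [ -d "$app" ] || continue
    printf '%s\t' "$app"
    codesign -dv --verbose=4 "$app" 2>&1 | classify_signature
  done
}

# Constructed sample of codesign output, standing in for a real bundle so the
# classifier can be exercised without a Mac. The bundle ID and Team ID are made up.
SAMPLE_SIGNED='Executable=/Applications/OfficeNote.app/Contents/MacOS/OfficeNote
Identifier=com.example.officenote
Authority=Developer ID Application: Example Corp (ZYXWV09876)
TeamIdentifier=ZYXWV09876'

# Run `audit_applications` on a workstation to produce the inventory; feed the
# REVIEW lines to whoever owns software approval.
```

The useful signal is the REVIEW class: an app that passes Gatekeeper because its signature is valid, yet whose Team ID has never been seen before, is exactly what the advisory describes. Apple revoking a signature later will show up as a bundle dropping from ALLOWED or REVIEW to UNSIGNED on the next run, so keeping the output from successive runs and diffing them is worth more than any single snapshot.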
SentinelOne has seen the new variant distributed widely through online criminal forums, where it is offered for rent at the unusually high rates of $199 per month or $299 for three months.
“The evolution of XLoader’s distribution mechanism from being Java-dependent to harnessing a native MacOS platform stands as a stark testament to the ever-adapting landscape of cybersecurity threats,” warned Callie Guenther, cyber-threat research senior manager at Critical Start.
“Their commitment to evolving their tools and methodologies serves as a potent reminder that in the world of cybersecurity, complacency is not an option, and the pursuit of robust defenses is a relentless endeavor.”
Experts recommend vigilance among macOS users, emphasizing the urgency of deploying reliable third-party security solutions to thwart this persistent threat.
Editorial image credit: Farknot Architect / Shutterstock.com