Bogus OfficeNote app delivers XLoader macOS malware

A new macOS-specific variant of the well known XLoader malware is being delivered disguised as the “OfficeNote” app.

“Multiple submissions of this sample have appeared on VirusTotal throughout July, indicating that the malware has been widely distributed in the wild,” SentinelOne researchers said.

The new XLoader macOS malware variant

XLoader is a malware-as-a-service infostealer and botnet that has been active since 2015, but first appeared as a macOS variant in 2021, written in Java.

“The Java Runtime Environment hasn’t shipped by default on macOS since the days of Snow Leopard, meaning the malware was limited in its targeting to environments where Java had been optionally installed,” SentinelOne researchers explained.

So the malware developers rewrote XLoader for Mac to function without dependencies. “Written natively in the C and Objective C programming languages and signed with an Apple developer signature, XLoader is now masquerading as an office productivity app called ‘OfficeNote’,” they discovered.


OfficeNote’s revoked Apple developer signature. (Source: SentinelOne)

That specific Apple developer signature has since been revoked, but XProtect – Apple’s malware blocking tool – still does not block the execution of this particular variant, the researchers said on Monday.

Malware behavior

Once executed, the malware displays a hardcoded error message (“OfficeNote” can’t be opened because the original item can’t be found) while covertly installing its malicious payload and persistence agent.

XLoader will then try to steal secrets from the user’s clipboard and login credentials stored by the Chrome and Firefox browsers (but not Safari), while disguising the location of its command and control (C2) server.

“XLoader also attempts to evade analysis both manually and by automated solutions,” the researchers said. “On execution, the malware executes sleep commands to delay behavior in the hope of fooling automated analysis tools. The binaries are stripped and exhibit high entropy in an attempt to similarly thwart static analysis.”
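As an added example, not code from SentinelOne’s report or from the malware, here is a small Python triage helper that measures the high-entropy signal the researchers describe: it scores a file in fixed-size windows and flags regions that look packed or encrypted. The window size, threshold and the sample buffer are constructed assumptions for illustration.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for
    a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 4096, threshold: float = 7.2):
    """Return (offset, entropy) for every fixed-size window at or above the
    threshold. Compiled code and strings usually score well below 7.2; packed
    or encrypted payload regions typically score close to 8.0."""
    hits = []
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 3)))
    return hits


def triage_bytes(data: bytes, window: int = 4096, threshold: float = 7.2) -> dict:
    """Summary an analyst can attach to a sample: overall entropy, flagged
    windows, and what fraction of the file they cover."""
    hits = high_entropy_windows(data, window, threshold)
    total_windows = max(1, math.ceil(len(data) / window))
    return {
        "size": len(data),
        "overall_entropy": round(shannon_entropy(data), 3),
        "high_entropy_windows": hits,
        "fraction_flagged": round(len(hits) / total_windows, 3),
    }


def triage_file(path: str, window: int = 4096, threshold: float = 7.2) -> dict:
    with open(path, "rb") as fh:
        return triage_bytes(fh.read(), window, threshold)


# Constructed sample: two zero-filled windows, one window whose bytes are
# perfectly uniform (entropy 8.0, like an encrypted blob), then a text-like
# window. Only the third window should be flagged.
SAMPLE = b"\x00" * 8192 + bytes(range(256)) * 16 + b"A" * 4096

if __name__ == "__main__":
    print(triage_bytes(SAMPLE))
```

Run `triage_file` against a Mach-O on disk; a high `fraction_flagged` is a hint to inspect further, not a verdict, since legitimate compressed resources also score high.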

Macs gaining popularity as targets

The growing integration of macOS devices within enterprise environments has significantly heightened their appeal to cybercriminals.

Consequently, cybercriminals are intensifying their efforts to compromise macOS systems, seeking to capitalize on the potential for substantial financial gain.

“XLoader continues to present a threat to macOS users and businesses. This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment,” the researchers concluded.
