XLoader Malware Attacking macOS Users Disguised as Signed OfficeNote App

XLoader has been a persistent and adaptable threat since 2015, and its evolution over that time warrants the attention of security teams.

In a detailed analysis, SentinelOne dissects the latest iteration of XLoader: a macOS variant posing as an innocuous 'OfficeNote' app.

This version is written natively in C and Objective-C and combines deceptive distribution, obfuscation, and anti-analysis techniques.

XLoader’s Deceptive Distribution:

Bundled within an Apple disk image named ‘OfficeNote.dmg,’ the malware leverages the guise of an office productivity application to cloak its true intentions. 

Notably, the application is signed with the developer signature 'MAIT JAKHU (54YDV8NU9C)', a seemingly legitimate touch that adds a further layer of deception.

Signature Revocation and Testing:

The application was signed on 17 July 2023; Apple has since revoked the signature associated with it.

Figures: OfficeNote app; OfficeNote's revoked Apple Developer signature

Alarmingly, at the time of writing Apple's built-in malware-blocking tool, XProtect, did not prevent the malware from executing.

This finding underscores the urgency of analyzing XLoader’s technical nuances and adaptive behavior.
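A revoked signature is easy to check locally even where XProtect has no rule yet. The following shell helper is an added example, not code from the article or from SentinelOne's analysis: it pulls the TeamIdentifier out of `codesign -dv --verbose=4` output, compares it with the Team ID the article cites, and checks `spctl --assess -vv` output for a revoked certificate. The embedded tool outputs are constructed samples and the bundle path is a placeholder.

```shell
#!/bin/sh
# Added triage helper (not from the article or SentinelOne). The Team ID
# 54YDV8NU9C is the one the article cites; everything else is constructed.

# Team IDs to block outright; the article's OfficeNote signer is listed.
BAD_TEAM_IDS="54YDV8NU9C"

# Read `codesign -dv --verbose=4` output on stdin, print the TeamIdentifier.
team_id_from_codesign() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Succeed (return 0) when the given Team ID is on the block list.
is_bad_team_id() {
    for id in $BAD_TEAM_IDS; do
        [ "$1" = "$id" ] && return 0
    done
    return 1
}

# Succeed when `spctl --assess -vv` output reports a revoked certificate.
spctl_revoked() {
    grep -q 'CSSMERR_TP_CERT_REVOKED'
}

# Verdict for one bundle given both tool outputs: BLOCK, REVOKED or OK.
classify() {
    tid=$(printf '%s\n' "$1" | team_id_from_codesign)
    if is_bad_team_id "$tid"; then
        echo "BLOCK team=$tid"
    elif printf '%s\n' "$2" | spctl_revoked; then
        echo "REVOKED team=$tid"
    else
        echo "OK team=$tid"
    fi
}

# On a Mac (placeholder path), feed the real tool output into classify:
#   classify "$(codesign -dv --verbose=4 /path/to/OfficeNote.app 2>&1)" \
#            "$(spctl --assess -vv /path/to/OfficeNote.app 2>&1)"

# Constructed sample output shaped like what codesign/spctl print for this signer.
SAMPLE_CODESIGN='Executable=/Volumes/OfficeNote/OfficeNote.app/Contents/MacOS/OfficeNote
Identifier=com.example.officenote
Authority=Developer ID Application: MAIT JAKHU (54YDV8NU9C)
TeamIdentifier=54YDV8NU9C'
SAMPLE_SPCTL='/Volumes/OfficeNote/OfficeNote.app: rejected (CSSMERR_TP_CERT_REVOKED)'

classify "$SAMPLE_CODESIGN" "$SAMPLE_SPCTL"   # prints: BLOCK team=54YDV8NU9C
```

The block-list check runs first so a known-bad Team ID is flagged even on a host whose revocation data is stale.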

Widespread Dissemination and Monetization:

The scale of the threat posed by the new variant is evident from the numerous submissions of the sample to VirusTotal throughout July 2023.

Figure: XLoader submissions to VirusTotal, July 2023

Stealthy Persistence and Dropper Mechanisms:

Upon execution, the malicious OfficeNote application displays an error message to divert suspicion while quietly dropping its payload and establishing persistence mechanisms.

Figure: XLoader is immediately detected as a threat by the SentinelOne agent

A distinctive detail is the use of a stack-string technique to encode the hardcoded error message, an approach seen in earlier XLoader iterations.

While the app appears to have failed, the malware rapidly deploys its payload, creating a hidden directory that houses a disguised minimal app.

Figure: Hardcoded error message constructed on the stack

This obfuscation ensures that the malware’s traces are challenging to pinpoint.

Similar to its predecessors, XLoader’s ultimate aim remains to pilfer sensitive data. 

The malware uses the Apple NSPasteboard API to capture clipboard contents, and it also targets data from the Chrome and Firefox browsers.

Its ability to locate and exfiltrate login.json files shows how effectively it can harvest potentially valuable data.

XLoader issues a multitude of dummy network calls to disguise its real communications.

Hiding genuine traffic among decoy requests makes it harder to pinpoint the true command and control (C2) infrastructure.

Its anti-analysis measures are layered and aimed at both manual and automated analysis.

XLoader uses sleep calls to delay its behavior and blocks debuggers by calling ptrace with PT_DENY_ATTACH.


Sujatha is a cybersecurity content editor with a passion for creating captivating and informative content. With years of experience in cybersecurity, she covers cybersecurity news, technology and other news.