XLoader malware for macOS poses as an OfficeNote app

September 26, 2023

A new variant of the XLoader malware for Apple macOS has emerged in the cybercriminal landscape. According to the researchers who analysed it, the new strain hides its malicious features by disguising itself as an office productivity application called OfficeNote.

The researchers explained that the new XLoader version is distributed inside a standard Apple disk image named OfficeNote[.]dmg. The app bundle also carries an Apple Developer ID signature issued to MAIT JAKHU (54YDV8NU9C), so it did not look like an ad hoc, unsigned build.

Earlier macOS versions of XLoader were Java programs and required the Java Runtime Environment: a malicious .jar file will not run on a macOS install out of the box because Apple stopped shipping a JRE with Macs more than ten years ago. That dependency limited which victims the older variant could infect.

The new XLoader variant drops the Java dependency.

The disk image was signed last month. The latest variant sidesteps the JRE problem by being written in C and Objective C, so it runs natively on macOS without any Java installation. Apple has since revoked the developer signature, which stops Gatekeeper from allowing new launches of the signed app but does nothing for machines on which the persistence mechanism is already installed.

Threat analysts also observed that the malware's developers rent the macOS version on crimeware forums for $199 per month or $299 for three months.

“Interestingly, this is relatively expensive compared to Windows variants of XLoader, which go for $59/month and $129/3 months.”

Once launched, the OfficeNote app shows an error dialog claiming it cannot be opened because the original item cannot be found. The dialog is a decoy: in the background the app quietly installs a Launch Agent so that its payload is started again at each login, giving the malware persistence.
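The two indicators the report gives a defender are the persistence mechanism (a user Launch Agent) and the signing identity (Team ID 54YDV8NU9C). The following triage helper is an added example written for this article, not code from the researchers or from the malware: it parses LaunchAgent plists, flags agents that run at login from a user-writable or hidden path, and extracts the TeamIdentifier from `codesign -dv --verbose=4` output to compare against the revoked Team ID. The plist, the binary path and the codesign text below are constructed samples, not artefacts from the real sample.

```python
"""Triage helper for macOS Launch Agent persistence and Developer ID checks.

Added example for this article; the plist, paths and codesign output are
constructed samples, not indicators taken from the OfficeNote sample.
"""
import plistlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Team ID of the Developer ID signature named in the report (since revoked by Apple).
REVOKED_TEAM_IDS = {"54YDV8NU9C"}

# Root-owned locations where a legitimately installed agent binary normally lives.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def agent_program(plist_bytes: bytes) -> Optional[str]:
    """Return the executable a LaunchAgent plist runs, or None if unparseable."""
    try:
        d = plistlib.loads(plist_bytes)
    except Exception:
        return None
    if isinstance(d.get("Program"), str):
        return d["Program"]
    args = d.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def triage_agent(plist_bytes: bytes) -> Dict[str, object]:
    """Summarise one LaunchAgent plist and list the reasons it looks suspicious."""
    reasons: List[str] = []
    program = agent_program(plist_bytes)
    if program is None:
        return {"program": None, "run_at_load": False, "reasons": ["unparseable plist"]}
    run_at_load = bool(plistlib.loads(plist_bytes).get("RunAtLoad", False))
    # A login-time agent whose binary lives outside system/app directories is the
    # classic shape of user-level malware persistence.
    if run_at_load and not program.startswith(TRUSTED_PREFIXES):
        reasons.append("runs at login from a user-writable path")
    # Dot-prefixed directories or binaries are hidden from Finder and plain `ls`.
    if "/." in program:
        reasons.append("hidden path component")
    return {"program": program, "run_at_load": run_at_load, "reasons": reasons}


def team_id_from_codesign(output: str) -> Optional[str]:
    """Extract TeamIdentifier from `codesign -dv --verbose=4` text.

    An unsigned or ad hoc binary prints 'TeamIdentifier=not set', which the
    anchored regex deliberately does not match, so None means 'no team'."""
    m = re.search(r"^TeamIdentifier=(\S+)$", output, re.MULTILINE)
    return m.group(1) if m else None


def is_revoked_team(output: str) -> bool:
    """True if the codesign output names a Team ID on the revoked list."""
    tid = team_id_from_codesign(output)
    return tid is not None and tid in REVOKED_TEAM_IDS


def scan_launch_agents(directory: Path) -> List[Dict[str, object]]:
    """Triage every .plist in a LaunchAgents directory (e.g. ~/Library/LaunchAgents)."""
    results = []
    for p in sorted(directory.glob("*.plist")):
        r = triage_agent(p.read_bytes())
        r["plist"] = str(p)
        results.append(r)
    return results


# Constructed sample: a LaunchAgent pointing at a hypothetical hidden binary.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key><array><string>/Users/demo/Library/.hidden/agent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

# Constructed sample shaped like `codesign -dv --verbose=4` output for that binary.
SAMPLE_CODESIGN = """Executable=/Users/demo/Library/.hidden/agent
Identifier=com.example.agent
Format=Mach-O thin (x86_64)
Authority=Developer ID Application: MAIT JAKHU (54YDV8NU9C)
TeamIdentifier=54YDV8NU9C
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "com.example.agent.plist").write_bytes(SAMPLE_PLIST)
        for r in scan_launch_agents(Path(tmp)):
            print(r["plist"], r["program"], r["reasons"])
    print("signed by revoked team:", is_revoked_team(SAMPLE_CODESIGN))
```

On a live Mac the inputs come from `~/Library/LaunchAgents/*.plist` and from running `codesign -dv --verbose=4 <binary>` on each agent's program; `spctl -a -vv <binary>` additionally reports whether Gatekeeper now rejects the signature. A match on the Team ID is only meaningful for binaries that still carry the original signature, so the path-based checks matter for copies that were re-signed or stripped.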

Furthermore, the researchers found that XLoader harvests clipboard contents and data stored in web browser profile directories, where saved logins and cookies live. The malware also uses sleep commands to delay its execution and avoid drawing attention, and takes further steps to hinder both manual and automated analysis.

XLoader remains a threat to macOS users and to the businesses they work for. Its disguise as an office productivity app suggests the operators are targeting people in a work setting. The browser data and clipboard contents it steals are exactly the material needed to run follow-on campaigns such as account takeover.

Users should therefore avoid installing apps from unofficial sources. Defenders should also note that this sample shipped with a valid Developer ID signature, so a signed app bundle is not by itself evidence that the software is safe.
