A new iteration of the XLoader malware targeting macOS disguises itself as a productivity application named ‘OfficeNote’.
XLoader macOS
XLoader first appeared in 2020 as a successor to Formbook. It is an information stealer that captures data and logs keystrokes, and it is sold under a malware-as-a-service (MaaS) model.
A variant tailored for macOS appeared in July 2021, distributed as a Java application packaged in a compiled .JAR file.
As cybersecurity firm SentinelOne noted, such files require the Java Runtime Environment (JRE). A malicious .jar file therefore cannot run on a default macOS installation, since Apple stopped bundling a JRE with Macs a decade ago.
The latest XLoader build removes that dependency: it has been rewritten in C and Objective-C, so it runs natively without Java.
This version ships as a disk image that was signed on July 17, 2023; Apple has since revoked the signature.
SentinelOne reported multiple submissions of the file to VirusTotal throughout July 2023, indicating a widespread operation.
When launched, OfficeNote displays an error stating that it “cannot be opened because the original object cannot be found”. In the background, however, it installs a Launch Agent to maintain persistence.
XLoader steals data from the profile folders of browsers such as Google Chrome and Mozilla Firefox, but not Safari. It hinders both manual and automated analysis and uses sleep calls to delay and disguise its suspicious actions. Researchers conclude that XLoader remains a threat to macOS users and businesses.
Disguised as an office productivity application, this release is aimed chiefly at users in office environments. Its goal is to steal browser secrets for later exploitation, along with personal data that can be used directly or sold to enable further intrusions.
IOC
SHA1 | Description
26fd638334c9c1bd111c528745c10d00aa77249d | Mach-O Payload
47cacf7497c92aab6cded8e59d2104215d8fab86 | Mach-O Dropper
5946452d1537cf2a0e28c77fa278554ce631223c | Disk Image
958147ab54ee433ac57809b0e8fd94f811d523ba | Mach-O Payload
File Paths
~/73a470tO
Network Indicators (IP addresses and domains, defanged)
23[.]227.38[.]74
62[.]72.14[.]220
66[.]29.151[.]121
104[.]21.26[.]182
104[.]21.32[.]235
104[.]21.34[.]62
137[.]220.225[.]17
142[.]251.163[.]121
www[.]activ-ketodietakjsy620[.]cloud
www[.]akrsnamchi[.]com
www[.]brioche-amsterdam[.]com
www[.]corkagenexus[.]com
www[.]growind[.]info
www[.]hatch[.]computer
www[.]kiavisa[.]com
www[.]lushespets[.]com
www[.]mommachic[.]com
www[.]nationalrecoveryllc[.]com
www[.]pinksugarpopmontana[.]com
www[.]qhsbobfv[.]top
www[.]qq9122[.]com
www[.]raveready[.]shop
www[.]spv88[.]online
www[.]switchmerge[.]com
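As an added illustration, not code from the article or from SentinelOne's research, the Python script below turns the indicators above and the Launch Agent persistence described earlier into three read-only checks a defender could run on a Mac: hashing files against the listed SHA1 values, flagging Launch Agent plists whose program lives under the user's home directory, and matching refanged network indicators against log lines. The hashes, the file path and the network indicators are the ones listed on this page; the plist labels, the placeholder file contents and the log lines are constructed sample data.

```python
"""Three read-only host checks built from the XLoader/OfficeNote indicators above.
Constructed example; not code from the article or from SentinelOne."""
import hashlib
import plistlib
import re
import tempfile
from pathlib import Path

# SHA1 hashes and descriptions exactly as listed in the article's IOC table.
KNOWN_SHA1 = {
    "26fd638334c9c1bd111c528745c10d00aa77249d": "Mach-O Payload",
    "47cacf7497c92aab6cded8e59d2104215d8fab86": "Mach-O Dropper",
    "5946452d1537cf2a0e28c77fa278554ce631223c": "Disk Image",
    "958147ab54ee433ac57809b0e8fd94f811d523ba": "Mach-O Payload",
}

# Network indicators as listed in the article, still defanged with "[.]".
DEFANGED_NETWORK_IOCS = [
    "23[.]227.38[.]74", "62[.]72.14[.]220", "66[.]29.151[.]121",
    "104[.]21.26[.]182", "104[.]21.32[.]235", "104[.]21.34[.]62",
    "137[.]220.225[.]17", "142[.]251.163[.]121",
    "www[.]activ-ketodietakjsy620[.]cloud", "www[.]akrsnamchi[.]com",
    "www[.]brioche-amsterdam[.]com", "www[.]corkagenexus[.]com",
    "www[.]growind[.]info", "www[.]hatch[.]computer", "www[.]kiavisa[.]com",
    "www[.]lushespets[.]com", "www[.]mommachic[.]com",
    "www[.]nationalrecoveryllc[.]com", "www[.]pinksugarpopmontana[.]com",
    "www[.]qhsbobfv[.]top", "www[.]qq9122[.]com", "www[.]raveready[.]shop",
    "www[.]spv88[.]online", "www[.]switchmerge[.]com",
]


def refang(indicator: str) -> str:
    """Restore a defanged indicator ("www[.]example[.]com") to its real form."""
    return indicator.replace("[.]", ".")


# One bounded alternation of all refanged indicators, so that "104.21.26.182"
# does not match inside a longer address and a domain does not match a subdomain.
NETWORK_PATTERN = re.compile(
    r"(?<![\w.-])(?:"
    + "|".join(re.escape(refang(i)) for i in DEFANGED_NETWORK_IOCS)
    + r")(?![\w.-])"
)


def sha1_of_file(path: Path) -> str:
    """Stream a file through SHA1 so a large disk image need not fit in memory."""
    digest = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_for_known_hashes(root: Path) -> list:
    """Return (path, description) for every regular file under root with a listed SHA1."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            desc = KNOWN_SHA1.get(sha1_of_file(p))
            if desc:
                hits.append((p, desc))
    return hits


def suspicious_launch_agents(agents_dir: Path, home: Path) -> list:
    """Return (plist path, program) for Launch Agents whose program lives under home.
    Legitimate agents usually point into /Applications or a system path; a program
    sitting directly under the home directory deserves a closer look."""
    flagged = []
    for plist_path in sorted(agents_dir.glob("*.plist")):
        try:
            with plist_path.open("rb") as fh:
                data = plistlib.load(fh)
        except (plistlib.InvalidFileException, OSError):
            continue
        args = data.get("ProgramArguments") or []
        program = data.get("Program") or (args[0] if args else "")
        if program.startswith("~/"):  # launchd does not expand "~", but be lenient
            program = str(home / program[2:])
        if program and Path(program).is_relative_to(home):
            flagged.append((plist_path, program))
    return flagged


def network_ioc_hits(log_lines) -> list:
    """Return (line number, indicator) for every listed IP or domain seen in the lines."""
    return [(n, m.group(0)) for n, line in enumerate(log_lines, 1)
            for m in NETWORK_PATTERN.finditer(line)]


def demo() -> dict:
    """Run all three checks against constructed sample artefacts in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        agents = home / "Library" / "LaunchAgents"
        agents.mkdir(parents=True)
        # Constructed placeholder at the file path from the article; its content is
        # b"abc" (SHA1 a9993e36...0d89d), deliberately not one of the listed hashes.
        placeholder = home / "73a470tO"
        placeholder.write_bytes(b"abc")
        # Constructed plist: user-level persistence entry pointing under the home dir.
        with (agents / "com.constructed.officenote.plist").open("wb") as fh:
            plistlib.dump({"Label": "com.constructed.officenote",
                           "ProgramArguments": [str(placeholder)],
                           "RunAtLoad": True}, fh)
        # Constructed benign entry: a program under /Applications must not be flagged.
        with (agents / "com.constructed.benign.plist").open("wb") as fh:
            plistlib.dump({"Label": "com.constructed.benign",
                           "Program": "/Applications/Benign.app/Contents/MacOS/Benign"}, fh)
        # Constructed log lines in a syslog-like shape.
        log = [
            "Jul 20 10:00:01 mac app[402]: connect www.switchmerge.com:443",
            "Jul 20 10:00:02 mac app[402]: connect 104.21.26.182:80",
            "Jul 20 10:00:03 mac app[402]: connect www.example.com:443",
        ]
        return {
            "placeholder_sha1": sha1_of_file(placeholder),
            "hash_hits": scan_for_known_hashes(home),
            "agents": [(p.name, prog) for p, prog in suspicious_launch_agents(agents, home)],
            "network": network_ioc_hits(log),
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

On a real host you would point scan_for_known_hashes at the Downloads folder or a mounted disk image, suspicious_launch_agents at ~/Library/LaunchAgents, and network_ioc_hits at proxy or DNS logs; the bounded regular expression matters because a naive substring match on "104.21.26.182" would also fire on unrelated longer addresses.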