XLoader malware rises again on macOS disguised as ‘OfficeNote’ app
Mac users menaced by an old malware enemy dressed up as a Microsoft productivity app


macOS users are being targeted by a new malware variant disguised as a signed productivity application called ‘OfficeNote’.
The malware is a new version of XLoader, an infostealer and botnet that has been lurking on various platforms for years. It was spotted on macOS in 2021 in Java form.
Apple has since stopped shipping the Java Runtime Environment by default, which limited the attack surface. However, XLoader has responded by returning as a native application that looks very much like an office productivity app.
A user could easily be duped into downloading ‘OfficeNote’ thanks to its branding, which bears a distinct resemblance to Microsoft’s Office productivity suite. Researchers at SentinelOne also noted that the application, bundled inside a standard Apple disk image, had been signed on July 17, 2023 - although Apple has since revoked the signature.
Attempting to execute ‘OfficeNote’ generates an error. In the background, however, the malware drops its payload and installs a persistence agent. Once up and running, the payload attempts to steal clipboard data, as well as browser information if the victim is using Firefox or Chrome – researchers say the malware appears to ignore Safari.
Researchers also noted that the malware appears to have been widely distributed, with multiple submissions appearing on VirusTotal throughout July 2023. The Mac version is also being offered on crimeware forums for rental at $199 per month - or $299 for three months - a substantial premium over Windows variants of XLoader, which start at $59 per month.
Despite the revocation of the signature, SentinelOne’s researchers stated that “Apple’s malware blocking tool, XProtect, does not have a signature to prevent execution of this malware at the time of writing”.
While XLoader has long been a threat, this new variant, and its productivity disguise, is a clear indicator that threat actors are targeting macOS business users in particular.
Researchers said: “This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment”.
Apple hardware has continued to be targeted during 2023, with versions of the LockBit encryptor targeting machines using Apple Silicon turning up in April and new spyware threats identified in July. Recent research from Proofpoint also showed the speed with which threat actors could port Windows malware to macOS in an effort to thwart security controls.
A recent report from Malwarebytes also noted that, although still rare, Mac malware was on the rise. In July, Michael Covington, VP of portfolio strategy at Jamf, told ITPro that “attacks against Apple devices were changing, both in terms of intensity and purpose”.

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITPro, CloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.
Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.