The notorious XLoader info-stealer malware has been found disguised as an office productivity app for Mac called OfficeNote.

In a blog post on Monday, cybersecurity firm SentinelOne revealed that the malware is designed to steal the contents of users’ clipboards. It also siphons sensitive data such as login details from the Mozilla Firefox and Google Chrome browsers.

“This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment,” the researchers said.

XLoader has been around since 2015 but was originally designed to target Windows devices. A Mac version of the malware surfaced in 2021, but it was a Java program, which limited its ability to run on macOS. The new version of XLoader is written in the C and Objective-C programming languages and even carries an Apple developer signature.

While Apple has since revoked the signature, SentinelOne said XProtect, Apple’s built-in anti-malware tool, is ineffective at blocking it.

“Multiple submissions of this sample have appeared on VirusTotal throughout July, indicating that the malware has been widely distributed in the wild,” the researchers noted.

How OfficeNote Infects Macs

When users download the OfficeNote app, they unknowingly initiate a malware drop from a standard Apple disk image named OfficeNote[.]dmg. The malware is signed with the developer signature “MAIT JAKHU (54YDV8NU9C).”

When executed on a Mac, OfficeNote displays an error message, misleading users into thinking the app simply failed to run. Yet, in the background, it is actively infecting macOS with a “persistence agent” that keeps it embedded in the system, undetected, SentinelOne’s blog post explained.
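The article does not give the contents of the persistence agent’s launchd property list, so the following is an added defender-side example, not code from the article or from SentinelOne. It parses two constructed LaunchAgent plists (a plausible benign one and a hypothetical suspect one whose label, path and user name are invented) and flags the traits a responder would look for first: a program living outside the usual install roots, a hidden directory in the program path, and a `RunAtLoad`/`KeepAlive` combination that makes launchd restart the item whenever it exits. The trusted-root list and the heuristics are assumptions for this example, not a definition of how the real agent looks.

```python
import plistlib
from pathlib import Path, PurePosixPath
from typing import List, Optional

# Constructed sample launchd property lists. Neither is the OfficeNote agent
# described in the article; the article does not publish its plist.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.hypothetical.agent</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/.hidden/agent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Locations a legitimately installed program is expected to live under (assumption).
TRUSTED_ROOTS = ("/Applications/", "/System/", "/usr/", "/Library/", "/opt/")


def program_path(plist: dict) -> Optional[str]:
    """launchd executes either the Program key or ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments")
    return args[0] if args else None


def audit_launch_item(data: bytes) -> List[str]:
    """Return human-readable findings for one plist; an empty list means nothing stood out."""
    plist = plistlib.loads(data)
    findings: List[str] = []
    path = program_path(plist)
    if path is None:
        return findings
    if not path.startswith(TRUSTED_ROOTS):
        findings.append(f"program outside trusted roots: {path}")
    # parts[0] is "/" for an absolute path; a dot-prefixed component is a hidden directory
    if any(part.startswith(".") for part in PurePosixPath(path).parts[1:]):
        findings.append(f"hidden directory in program path: {path}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad and KeepAlive both set: launchd restarts it whenever it exits")
    return findings


def audit_directory(directory: str) -> dict:
    """Audit every *.plist in a launchd folder such as ~/Library/LaunchAgents."""
    results = {}
    for p in Path(directory).expanduser().glob("*.plist"):
        try:
            results[str(p)] = audit_launch_item(p.read_bytes())
        except Exception as exc:  # an unreadable or malformed plist is itself worth noting
            results[str(p)] = [f"could not parse: {exc}"]
    return results


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PLIST), ("suspect", SUSPECT_PLIST)):
        print(name, audit_launch_item(blob) or ["no findings"])
    # On a real Mac, also walk the standard launchd folders (empty elsewhere).
    for folder in ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"):
        for path, findings in audit_directory(folder).items():
            if findings:
                print(path, findings)
```

Run it on a Mac and it prints findings for the two embedded samples, then for any plist in the user and system launchd folders. A finding is a prompt to look closer (check the binary’s signature with `codesign`, its hash, and when the plist appeared), not proof of compromise; plenty of legitimate software sets `KeepAlive`.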

The malware targets browsers like Google Chrome and Mozilla Firefox but not Apple’s Safari browser. “The malware attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise,” SentinelOne said.

XLoader uses “dummy network calls” to hide its command-and-control server among decoy traffic. “We observed 169 DNS name resolutions and 203 HTTP requests,” the researchers said.
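Decoy traffic hides the real server, but the burst of lookups itself is visible to a defender. The following added example (written for this article, not taken from it or from SentinelOne) runs a simple fan-out heuristic over constructed DNS-resolution log lines: it counts the distinct registrable domains each process has queried and flags any process above a threshold. The log format, the process name for the benign traffic, the domain names, and the threshold are all assumptions; the last-two-labels approximation of a registrable domain is a deliberate simplification of what the Public Suffix List would give.

```python
import re
from collections import defaultdict
from typing import Dict, Iterator, Set, Tuple

# Constructed log lines in a simple key=value layout (assumption; a Zeek dns.log or a
# macOS network-extension log would look different). The process name "OfficeNote"
# comes from the article; every domain below is made up for the demo.
DNS_LOG = "\n".join(
    [
        "2023-07-18T10:02:11Z proc=Safari query=www.apple.com",
        "2023-07-18T10:02:12Z proc=Safari query=gateway.icloud.com",
        "2023-07-18T10:02:14Z proc=Safari query=www.apple.com",
        "garbage line that does not match",
    ]
    + [
        f"2023-07-18T10:03:{i:02d}Z proc=OfficeNote query=host{i}.decoy-{i % 7}.test"
        for i in range(12)
    ]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>\S+) query=(?P<domain>[\w.-]+)$")


def parse_dns_log(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (timestamp, process, domain); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("proc"), m.group("domain").lower().rstrip(".")


def registrable_domain(fqdn: str) -> str:
    """Crude eTLD+1: the last two labels. Replace with a Public Suffix List lookup in production."""
    labels = fqdn.split(".")
    return ".".join(labels[-2:])


def domains_per_process(text: str) -> Dict[str, Set[str]]:
    """Distinct registrable domains resolved by each process."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _ts, proc, domain in parse_dns_log(text):
        seen[proc].add(registrable_domain(domain))
    return dict(seen)


def flag_fanout(text: str, threshold: int = 5) -> Dict[str, int]:
    """Return {process: distinct_domain_count} for every process above the threshold."""
    return {
        proc: len(doms)
        for proc, doms in domains_per_process(text).items()
        if len(doms) > threshold
    }


if __name__ == "__main__":
    for proc, count in flag_fanout(DNS_LOG).items():
        print(f"{proc}: {count} distinct domains, above threshold")
        print("  ", sorted(domains_per_process(DNS_LOG)[proc]))
```

The threshold of five is only sensible for this toy log; in practice it is set per environment, over a time window, and with an allow-list for processes such as browsers that legitimately talk to many domains. The point is that a single non-browser process resolving dozens of unrelated names is worth a look regardless of which of them is the real command-and-control host.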

According to SentinelOne, the Mac version of XLoader is offered on dark web marketplaces starting at $199 per month, while the Windows version costs less, at $59 per month.

How to Protect Your Device From XLoader and Other Malware

While Apple’s tight control of the macOS ecosystem makes Mac devices relatively safe, cleverly programmed malware like XLoader can slip through.

We recommend you invest in a premium security solution for your Mac computer to complement the default system protection suite. We’ve tested different antivirus solutions for macOS. You can read about our top picks in our article on the best antivirus for Mac.

Also, avoid downloading any software from unverified, third-party sources. Only download software from the official Mac App Store or the official websites of well-established developers.
