Newer, Better XLoader Signals a Dangerous Shift in macOS Malware

A new Mac-oriented variant of the XLoader infostealer spread widely in the wild last month, signaling a shift in hackers’ ability to effectively target macOS environments.

From mid- to late July, the file “OfficeNote.dmg” was uploaded to VirusTotal nine times, from countries as far and wide as the US, India, Spain, Singapore, and the Philippines. The innocuously named disk image file was actually an updated version of the XLoader infostealer, specially designed to steal credentials from Mac users.

Hackers have increasingly been converting Windows malware for use in macOS environments, but the newest XLoader is far more than just a janky derivative.

“In the past,” says Phil Stokes, a threat researcher at SentinelOne, “it was very common to see cross-platform malware that was a port from a Windows malware, but it was not very effective. The developers didn’t really know how to develop for Mac, right? Well, I think that time is behind us now.”

The New XLoader for Macs

The first XLoader built for Mac environments was discovered two years ago, almost to the day. It was a Java program, which proved to be its Achilles’ heel. The Java Runtime Environment hasn’t been a default element of macOS since Snow Leopard, meaning that XLoader could only work on hosts that had downloaded Java for some reason or another. 

The new XLoader has no such flaw — it’s written natively in C and Objective C. It’s packaged in an application file with the legitimate-sounding name “Office Note,” the macOS Microsoft Word logo, and an Apple developer signature. Apple has since revoked the signature, but “it won’t make much difference,” Stokes says.

“All it means is that the developers will have to pivot to another signature. Developers’ signatures are bought and sold on the Dark Net, or they’re fakes. They can even ad hoc sign, which means it doesn’t actually have a developer signature, but it will still get past Apple’s gatekeeper detection.”
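The signature states described above (Developer ID, revoked, ad hoc, unsigned) can be triaged from `codesign` output. The following is an added defender-side example, not code from SentinelOne or the article; the two sample outputs are constructed, and `inspect_bundle` assumes it runs on a Mac with `codesign` and `spctl` available.

```python
import re
import subprocess

# Constructed samples in the shape of `codesign -dv --verbose=4 <app>` output
# (which codesign writes to stderr): one ad hoc signed, one Developer ID signed.
ADHOC_SAMPLE = """CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""
DEVID_SAMPLE = """CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9036
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
"""

def classify_signature(codesign_output: str) -> dict:
    """Return state in {unsigned, adhoc, developer_id, other}, the team ID and
    the certificate chain. Ad hoc and unsigned bundles carry no identity."""
    result = {"state": "unsigned", "team_id": None, "authorities": []}
    if "code object is not signed at all" in codesign_output:
        return result
    for line in codesign_output.splitlines():
        key, _, value = line.partition("=")
        if key == "Authority":
            result["authorities"].append(value)
        elif key == "TeamIdentifier":
            result["team_id"] = None if value == "not set" else value
    if re.search(r"^Signature=adhoc$", codesign_output, re.MULTILINE):
        result["state"] = "adhoc"
    elif (any(a.startswith("Developer ID Application:") for a in result["authorities"])
          and "Apple Root CA" in result["authorities"]):
        result["state"] = "developer_id"
    else:
        result["state"] = "other"  # chain present but not anchored at Apple
    return result

def _run(*cmd) -> subprocess.CompletedProcess:
    return subprocess.run(cmd, capture_output=True, text=True)

def inspect_bundle(path: str) -> dict:
    """macOS only. A revoked Developer ID certificate still prints its Authority
    lines, so the description alone is not enough: ask Gatekeeper (spctl) too."""
    desc = _run("codesign", "-dv", "--verbose=4", path)
    result = classify_signature(desc.stdout + desc.stderr)
    result["verify_ok"] = _run("codesign", "--verify", "--deep", "--strict", path).returncode == 0
    result["gatekeeper_ok"] = _run("spctl", "--assess", "--type", "exec", path).returncode == 0
    result["flag"] = result["state"] != "developer_id" or not (result["verify_ok"] and result["gatekeeper_ok"])
    return result
```

Anything flagged (ad hoc, unsigned, a non-Apple chain, or a chain Gatekeeper now rejects) deserves a closer look before the bundle is allowed to run.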

When the file is executed, it will present the user with an error message, while simultaneously installing its payload and a persistence mechanism in the background of the machine.

[Figure: error message displayed on screen. Source: SentinelOne]

Once installed, XLoader will attempt to steal credentials saved in…