While XLoader has been around since at least 2015, it was primarily used to target Windows PCs until a macOS variant was spotted back in 2021. However, that version was distributed as a Java program which limited its ability to run on Macs since Apple hasn’t included the Java Runtime Environment on its computers for more than a decade.
Now, though, a new version of XLoader, written in C and Objective-C and signed with an Apple developer signature, has been spotted in the wild, according to a blog post from the cybersecurity firm SentinelOne.
Hackers have also come up with a clever way to trick unsuspecting Mac users into installing this new version of XLoader. Unlike in the past, when the malware was distributed as an attachment in phishing emails, it now masquerades as an office productivity app called “OfficeNote.”
Stealing clipboard data from vulnerable Macs
This new version of XLoader is bundled inside an installation file for the fake productivity app OfficeNote. Although the installer was signed with a developer signature back in July of this year, Apple has since revoked that signature.
Unfortunately, though, as SentinelOne’s tests have confirmed, Apple’s own XProtect malware scanner lacks the signature it would need to block this malicious app from running on your Mac.
XLoader is actually a Malware-as-a-Service offering: hackers pay its creators for access and then use it in their own attacks. According to posts on dark web hacking forums, access to this new macOS version of XLoader costs $199 per month or $299 for three months, far more than its Windows counterpart, which costs $59 per month or $129 for three months.
If an unsuspecting Mac user does download and try to install the malicious OfficeNote app, they are greeted with an error message saying that the program can’t be installed. This may lead them to think that there is something wrong with the program itself and that it wasn’t loaded onto their system properly. Instead, though, XLoader is…