XLoader Malware Variant Targets MacOS Disguised as OfficeNote App
A new variant of malware called XLoader is targeting macOS users. XLoader’s execution, functionalities and distribution are detailed.

A new report from cybersecurity company SentinelOne shows how the XLoader malware has evolved. This information stealer, whose lineage goes back to 2015, was recently updated. It now poses as an office productivity app called OfficeNote so that it can infect users’ machines and steal information from their clipboards and browsers.
What is XLoader, and how did it update?
XLoader is an information stealer and keylogger malware-as-a-service first reported by SentinelOne in 2021. However, the malware was developed from the source code of Formbook, an information stealer malware and keylogger that was active between 2015 and 2021. While Formbook only targeted Microsoft Windows operating systems, XLoader started targeting Windows and macOS.
The first versions of XLoader needed the Java Runtime Environment (JRE) in order to run. Because Apple stopped shipping the JRE with macOS years ago, those versions were less effective than other malware, although many macOS users still install the JRE for other purposes and therefore remained exposed.
SentinelOne’s researchers Dinesh Devadoss and Phil Stokes report that XLoader has returned in a new form, without the Java dependency. The new code is written in C and Objective-C and is signed with an Apple developer signature issued to “Mait Jakhu” (Figure A).
Figure A

The signature is dated July 17, 2023, but Apple has since revoked it. As a result, a Mac on which a user tries to run the file will show a warning about it (Figure B) and refuse to execute it.
Figure B
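The signature and Gatekeeper status described above are the first things an analyst checks on a sample like this. The following is an added example, not code from SentinelOne or the article: small shell helpers that dump a bundle's signing details with codesign(1), ask Gatekeeper for a verdict with spctl(8), and parse both outputs. The live commands only exist on macOS; the parsers run anywhere on saved output. The sample outputs, the developer name "Example Developer", the team ID "EXAMPLETEAM", the bundle identifier and the wording of the revocation reason are all constructed placeholders, not values from the real XLoader sample.

```shell
#!/bin/sh
# Added example (not SentinelOne's or the article's code): triage the code
# signature of a suspicious macOS binary or .app bundle. dump_signature and
# assess_execute need macOS; everything else parses text and runs anywhere.

# Print signing details (authority chain, identifier, team ID, flags).
# codesign -d writes its report to stderr, hence the redirect.
dump_signature() {
    codesign -dvvv "$1" 2>&1
}

# Ask Gatekeeper whether it would let the path execute, and why.
assess_execute() {
    spctl --assess --type execute -vv "$1" 2>&1
}

# Leaf signing certificate subject from codesign -dvvv output on stdin.
# The first Authority= line is the leaf; the following ones are the chain.
leaf_authority() {
    awk '/^Authority=/ { sub(/^Authority=/, ""); print; exit }'
}

# Team identifier from codesign -dvvv output on stdin.
team_identifier() {
    awk -F= '/^TeamIdentifier=/ { print $2; exit }'
}

# Gatekeeper verdict ("accepted" or "rejected") from spctl -vv output on stdin.
gatekeeper_verdict() {
    awk -F': ' '/: (accepted|rejected)$/ { print $NF; exit }'
}

# Gatekeeper's reason (the source= line) from spctl -vv output on stdin.
gatekeeper_source() {
    awk -F= '/^source=/ { print $2; exit }'
}

# Classify a leaf authority: "developer-id" is what Gatekeeper trusts by
# default for apps distributed outside the App Store; anything else
# (ad hoc, self-signed, enterprise) deserves a closer look.
classify_authority() {
    case "$1" in
        "Developer ID Application: "*) echo developer-id ;;
        "Apple Mac OS Application Signing"|"Software Signing") echo apple ;;
        *) echo other ;;
    esac
}

# Run the whole check against a path on macOS and print a short summary.
triage() {
    sig=$(dump_signature "$1")
    leaf=$(printf '%s\n' "$sig" | leaf_authority)
    printf 'leaf authority : %s\n' "${leaf:-<unsigned>}"
    printf 'team id        : %s\n' "$(printf '%s\n' "$sig" | team_identifier)"
    printf 'authority class: %s\n' "$(classify_authority "$leaf")"
    gk=$(assess_execute "$1")
    printf 'gatekeeper     : %s (%s)\n' \
        "$(printf '%s\n' "$gk" | gatekeeper_verdict)" \
        "$(printf '%s\n' "$gk" | gatekeeper_source)"
}

# Constructed sample of codesign -dvvv output for a Developer ID-signed app.
# Developer name, team ID and bundle identifier are placeholders.
SAMPLE_CODESIGN='Executable=/Users/analyst/Downloads/OfficeNote.app/Contents/MacOS/OfficeNote
Identifier=com.example.officenote
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8990
Authority=Developer ID Application: Example Developer (EXAMPLETEAM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jul 17, 2023 at 10:00:00
TeamIdentifier=EXAMPLETEAM
Runtime Version=13.3.0
Sealed Resources version=2 rules=13 files=4'

# Constructed sample of spctl -vv output for a bundle Gatekeeper refuses after
# the signing certificate was revoked (reason wording is illustrative; macOS
# phrases it differently across versions).
SAMPLE_SPCTL='/Users/analyst/Downloads/OfficeNote.app: rejected
source=Revoked Developer ID'

if [ $# -gt 0 ]; then
    triage "$1"
fi
```

On a Mac, `sh triage.sh /path/to/Suspect.app` prints the leaf authority, the team ID, the authority class and Gatekeeper's verdict. Note that a Developer ID leaf is no proof of safety: the sample in the article carried exactly that kind of signature until Apple revoked it, so the `spctl` verdict, not the presence of a signature, is what tells you whether the current machine would run it.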

XLoader’s execution and functionalities
The XLoader malware has the ability to steal passwords from many browsers on Windows and Mac, yet its Mac version is limited to stealing passwords from Google Chrome and Mozilla Firefox and stealing content from…