One of the worst Mac malware strains is back and hiding as a productivity app - so beware

Sead Fadilpašić
·2 min read
Magnifying glass enlarging the word 'malware' in computer machine code
Magnifying glass enlarging the word 'malware' in computer machine code

If you stumble upon an app that claims to be a productivity solution called OfficeNote, ignore it and walk away - it’s just a piece of malware trying to steal sensitive data from your macOS device.

Cybersecurity researchers from SentinelOne recently published a blog post detailing their discovery of a brand new version of XLoader, an eight-year-old malware-as-a-service which now comes written in an entirely different programming language, but capable of wreaking just as much havoc as before.

As per the report, XLoader is an infostealer and a botnet that’s capable of stealing secrets stored in people’s browsers, and more. The older versions were written in Java, but given that macOS no longer supports it by default, the new version is written from scratch in C and Objective C. Furthermore, it’s shipped with an Apple developer signature MAIT JAKHU (54YDV8NU9C). The researchers did not elaborate on how the attackers obtained this signature.

Rising in popularity

In any case, the signature has since been revoked by Apple, but Cupertino’s built-in malware blocker, XProtect, is yet to start spotting the malware, they say.

The infostealer is growing immensely popular, the researchers further claim, saying that “multiple submissions” popped up on VirusTotal last month, an indication of rising popularity. On the dark web, the Mac version of the service costs $199/month, or $200 a month for three months - quite the price hike compared to the Windows version ($59 a month, or $129 for three months).

Read more

> Learn coding skills with the best Python online courses

> More malware is being hidden in PNG images, so watch out

> Check out the best productivity tools around

If you do end up installing “OfficeNote” on your endpoint, you’ll get a message saying the application doesn’t work. In the background, however, the application works just as intended, dropping payloads and installing persistence agents. If it runs unchecked, the malware will try to steal secrets from the user’s clipboard, and look for secrets in Chrome and Firefox. Interestingly enough, Safari isn’t being targeted.

Finally, XLoader tries really hard to keep its C2 server a secret, using multiple dummy network calls to throw researchers off their trail. SentinelOne observed 169 DNS name resolutions and 203 HTTP requests.