iMore
Technology
Oliver Haslam
Old-school Mac malware is hiding in plain sight in this productivity app


While it's true that Windows is a much bigger malware target than macOS, there are still plenty of bad actors going after the Mac. And now a dangerous old malware tool has started to make a return.

XLoader is a malware tool that has been around for a couple of years and is now becoming prominent again thanks to the way it's making a comeback: not only does it masquerade as a piece of Microsoft productivity software aimed at businesses, but it also carries an Apple developer signature.

That of course makes the app appear genuine, although there are plenty of things that give it away if you know where to look.

Security matters

The reappearance of XLoader was first picked up by SentinelOne, with the blog noting that, unlike previous iterations that targeted the Java Runtime Environment, this new one is a different animal.

"XLoader has returned in a new form and without the dependencies," the blog notes. "Written natively in the C and Objective C programming languages and signed with an Apple developer signature, XLoader is now masquerading as an office productivity app called ‘OfficeNote’."

The whole thing has an appearance of legitimacy, but there are signs that something is afoot. For starters, the malware is delivered in an Apple disk image called OfficeNote.dmg, which should be enough to raise the alarm. Another issue is the Apple developer signature, issued in the name of MAIT JAKHU (54YDV8NU9C).

Thankfully, Apple has now revoked that signature, but XProtect, the Mac's built-in malware-blocking tool, wasn't preventing the app from launching at the time of writing. So if you don't notice that something's amiss, macOS will run it.
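One way an IT department can check a downloaded app against the indicators above is to inspect its code signature and ask Gatekeeper to assess it. The script below is an added example, not code from the article or from SentinelOne. It uses macOS's own `codesign` and `spctl` tools for the live check; the Team ID 54YDV8NU9C comes from the article, while the app path, the bundle identifier in the sample output and the blocklist format are assumptions.

```shell
#!/bin/sh
# Added example: flag a macOS app bundle whose signing Team ID is on a blocklist,
# and ask Gatekeeper whether it would allow the app to run.

# Team IDs to flag. 54YDV8NU9C is the (now revoked) signature the article reports.
BLOCKED_TEAM_IDS="54YDV8NU9C"

# Pull the TeamIdentifier= value out of `codesign -dv --verbose=4` output on stdin.
team_id_from_codesign_output() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Return 0 if the given Team ID is on the blocklist, 1 otherwise.
is_blocked_team() {
    for id in $BLOCKED_TEAM_IDS; do
        [ "$1" = "$id" ] && return 0
    done
    return 1
}

# Classify codesign output text: prints BLOCKED, UNSIGNED (no Team ID) or OK.
classify_codesign_output() {
    team=$(printf '%s\n' "$1" | team_id_from_codesign_output)
    if [ -z "$team" ]; then
        echo UNSIGNED
    elif is_blocked_team "$team"; then
        echo BLOCKED
    else
        echo OK
    fi
}

# Live check on a real bundle (macOS only): signature details plus a Gatekeeper assessment.
check_app() {
    app="$1"
    out=$(codesign -dv --verbose=4 "$app" 2>&1)   # codesign writes its details to stderr
    echo "$app: $(classify_codesign_output "$out")"
    # spctl reports whether Gatekeeper would allow execution; a revoked certificate fails here
    spctl --assess --type execute -v "$app" 2>&1 || echo "$app: Gatekeeper rejects this app"
}

# Constructed sample, shaped like codesign output for the app the article describes.
# The bundle identifier is a placeholder; only the name and Team ID come from the article.
SAMPLE_OUTPUT="Executable=/Applications/OfficeNote.app/Contents/MacOS/OfficeNote
Identifier=com.example.officenote
Authority=Developer ID Application: MAIT JAKHU (54YDV8NU9C)
TeamIdentifier=54YDV8NU9C"

if [ -n "$1" ]; then
    check_app "$1"                                # e.g. ./check.sh /Applications/OfficeNote.app
else
    classify_codesign_output "$SAMPLE_OUTPUT"    # offline demo: prints BLOCKED
fi
```

Run it with an app path to check a real bundle; without arguments it classifies the constructed sample. Note that a Team ID blocklist only catches this one signer: the more durable signal is the Gatekeeper assessment, which fails once Apple revokes the certificate, and the mismatch between what the app claims to be and where it came from.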

Once that happens, XLoader will start watching the Chrome and Firefox web browsers and collecting data from them. Safari isn't targeted, which is another reason to give it a try if you haven't lately.

The new iteration of XLoader is definitely going after business users so this is one for I.T. departments to be aware of. But it's another reminder that malware does exist on the Mac, no matter how much Apple's promotional materials might like to make it appear otherwise.
