One of the worst Mac malware strains is back and hiding as a productivity app - so beware

As per the report, XLoader is an infostealer and a botnet that’s capable of stealing secrets stored in people’s browsers, and more. The older versions were written in Java, but given that macOS no longer supports it by default, the new version is written from scratch in C and Objective C. Furthermore, it’s shipped with an Apple developer signature MAIT JAKHU (54YDV8NU9C). The researchers did not elaborate on how the attackers obtained this signature.

Rising in popularity

In any case, the signature has since been revoked by Apple, but Cupertino’s built-in malware blocker, XProtect, is yet to start spotting the malware, they say. 

The infostealer is growing immensely popular, the researchers further claim, saying that “multiple submissions” popped up on VirusTotal last month, an indication of rising popularity. On the dark web, the Mac version of the service costs $199/month, or $200 a month for three months - quite the price hike compared to the Windows version ($59 a month, or $129 for three months). 

If you do end up installing “OfficeNote” on your endpoint, you’ll get a message saying the application doesn’t work. In the background, however, the application works just as intended, dropping payloads and installing persistence agents. If it runs unchecked, the malware will try to steal secrets from the user’s clipboard, and look for secrets in Chrome and Firefox. Interestingly enough, Safari isn’t being targeted. 

Finally, XLoader tries really hard to keep its C2 server a secret, using multiple dummy network calls to throw researchers off their trail. SentinelOne observed 169 DNS name resolutions and 203 HTTP requests.

• Check out the best firewalls around