A new variant of the XLoader infostealer has recently been discovered, marking a significant shift in hackers’ ability to target macOS environments. Last month, a file named “OfficeNote.dmg” was uploaded to VirusTotal multiple times from various countries, including the US, India, Spain, Singapore, and the Philippines. Although the file appeared innocuous, it was actually an updated version of the XLoader infostealer specifically designed to steal credentials from Mac users.
Hackers have recently been converting Windows malware for use in macOS environments, but the latest version of XLoader represents a significant advancement in their capabilities. In the past, cross-platform malware was often a port of existing Windows malware, and it was largely ineffective because its developers lacked an understanding of how to develop for the Mac. However, according to Phil Stokes, a threat researcher at SentinelOne, this is no longer the case.
The first version of XLoader built for Mac environments was discovered two years ago. It was a Java program, which limited its impact because the Java Runtime Environment is no longer a default component of macOS. The new XLoader, on the other hand, is written natively in C and Objective-C. It is packaged as an application named “Office Note” that carries the macOS Microsoft Word logo and an Apple developer signature. Although Apple has revoked the signature, Stokes believes this will make little difference, as the developers can easily pivot to another signature, or even use fake or ad hoc signatures, to get past Apple’s Gatekeeper checks.
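Because the article's point is that a revoked Developer ID can be swapped for an ad hoc signature, a defender's first triage step on a suspect bundle is to see what kind of signature it actually carries. The script below is an added example, not code from the article or from SentinelOne: it classifies the output of Apple's `codesign -dvv` (which writes to stderr) and, on a real Mac, also asks Gatekeeper's `spctl` for its verdict, since `codesign` alone does not reveal that a certificate has been revoked. The function names and the sample `codesign` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Classifies a code signature from
# `codesign -dvv` text on stdin: developer-id | apple-signed | adhoc | unsigned | other.
# Developer ID chains also contain "Authority=Apple Root CA", so that check comes first.
classify_signature() {
    sig=$(cat)
    if printf '%s\n' "$sig" | grep -q 'code object is not signed at all'; then
        echo unsigned; return 0
    fi
    if printf '%s\n' "$sig" | grep -q '^Signature=adhoc'; then
        echo adhoc; return 0            # no certificate chain, no team: Gatekeeper will not trust it
    fi
    if printf '%s\n' "$sig" | grep -q '^Authority=Developer ID Application:'; then
        echo developer-id; return 0     # may still be revoked; only spctl tells you that
    fi
    if printf '%s\n' "$sig" | grep -q '^Authority=Apple'; then
        echo apple-signed; return 0
    fi
    echo other
}

# Extracts the TeamIdentifier from codesign output, printing "none" for ad hoc/unsigned code.
team_id() {
    tid=$(grep '^TeamIdentifier=' | sed 's/^TeamIdentifier=//')
    case "$tid" in
        ''|'not set') echo none ;;
        *) echo "$tid" ;;
    esac
}

# On macOS: classify a real bundle and append Gatekeeper's accepted/rejected verdict.
audit_app() {
    kind=$(codesign -dvv "$1" 2>&1 | classify_signature)
    verdict=$(spctl -a -vv "$1" 2>&1 | grep -o 'accepted\|rejected' | head -n 1)
    echo "$kind gatekeeper=${verdict:-unknown}"
}

# Constructed sample of what codesign prints for an ad hoc signed bundle (not real output
# from the XLoader sample); demo_adhoc returns the classification so it can be checked.
demo_adhoc() {
    printf '%s\n' 'Executable=/Applications/OfficeNote.app/Contents/MacOS/OfficeNote' \
        'Identifier=com.example.officenote' 'Format=app bundle with Mach-O thin (x86_64)' \
        'Signature=adhoc' 'TeamIdentifier=not set' | classify_signature
}
```

Run `audit_app /Applications/Suspect.app` on a Mac; anything reporting `adhoc` or `gatekeeper=rejected` deserves a closer look before it is allowed to run.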
When the file is executed, it presents the user with an error message while silently installing its payload and a persistence mechanism in the background. Once installed, XLoader attempts to steal credentials saved in Firefox and Chrome, as well as the contents of the user’s clipboard. At the time of SentinelOne’s publication, Apple’s built-in anti-malware tool, XProtect, did not have a signature for detecting and blocking the OfficeNote.dmg file.
The rise of Mac malware can be attributed to the increasing popularity of MacBooks among individuals and businesses. Macs were historically less appealing to cybercriminals due to their limited presence in the enterprise. However, as more developers and executives embrace Macs, threat actors have followed suit. Initially, threat actors experimented with Mac malware by modifying existing Windows malware. Recently, entire cybercrime teams have dedicated themselves to Mac development, resulting in the emergence of new malware variants like XLoader, Atomic Stealer, MacStealer, and PureLand.
One of the issues with Apple’s security approach is its emphasis on invisibility to the user. While Apple takes malware seriously, it aims for a seamless user experience, which may not align with the needs of enterprise security. Unlike Windows machines, which offer comprehensive security settings and let users run their own scans, Apple’s approach relies on silently handling security in the background. This can be problematic for enterprises that require visibility into, and control over, potential infections.
As the threat landscape evolves, organizations running macOS will need to enhance their default security measures. Stokes recommends implementing additional detection and protection mechanisms beyond Apple’s offerings. It is crucial for businesses to have extra visibility and protection against Mac malware by investing in third-party security solutions.
In conclusion, the emergence of a new variant of the XLoader infostealer targeting Mac environments highlights the evolving capabilities of hackers and the growing threat to macOS users. It is imperative for organizations to prioritize cybersecurity and adopt layered security measures to effectively mitigate these risks.
