A new report from cybersecurity company SentinelOne shows how the XLoader malware has evolved. This information stealer descends from a code base that has been active since 2015, and its macOS variant was recently rebuilt. It now masquerades as an Office application so that it can infect users' Macs and steal data from their clipboards and browsers.
Jump to:
- What is XLoader, and how did it update?
- XLoader’s execution and functionalities
- How is XLoader distributed?
- How to protect your business from this XLoader malware threat
What is XLoader, and how did it update?
XLoader is an information stealer and keylogger sold as malware-as-a-service, first reported by SentinelOne in 2021. It was developed from the source code of Formbook, an information stealer and keylogger active between 2015 and 2021. Formbook targeted only Microsoft Windows; XLoader extended that reach to both Windows and macOS.
The first versions of XLoader needed the Java Runtime Environment to execute. Because Apple stopped shipping the JRE with macOS years ago, those builds were less effective than other Mac malware, although they still worked on the many Macs where users had installed the JRE for other purposes.
SentinelOne's researchers Dinesh Devadoss and Phil Stokes report that XLoader has returned in a new form without that Java dependency. The new code is written in C and Objective-C and is signed with an Apple developer certificate issued to "Mait Jakhu" (Figure A).
Figure A
The signature is dated July 17, 2023, but Apple has since revoked the certificate. On a Mac with Gatekeeper enabled and able to check the certificate's status, attempting to open the file produces a warning (Figure B) and the app is not executed. Revocation only covers this signed sample, however: a re-signed or unsigned build would face Gatekeeper's ordinary checks, which a user can be talked into overriding.
Figure B
XLoader’s execution and functionalities
XLoader can steal passwords from many browsers on Windows, but the Mac version is limited to stealing passwords from Google Chrome and Mozilla Firefox and capturing the contents of the clipboard. It has anti-debugging checks and delays execution with sleep calls so that automated analysis sandboxes, which run samples for a limited time, may give up before it does anything malicious.
Once XLoader is launched, it displays an error dialog claiming the application cannot run, while silently dropping its payload and establishing persistence in the background.
The malware creates a hidden folder in the user’s home directory and builds an executable inside that folder, using randomized names for both the folder name and the application. A LaunchAgent is also dropped in the same folder and used for persistence.
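The persistence layout described above (a hidden, randomly named folder in the home directory holding a randomly named executable and a LaunchAgent plist) can be hunted for on disk. The following is an added example written for this article, not code from SentinelOne's report; it checks both `~/Library/LaunchAgents` and any hidden top-level folder in the home directory for a plist whose program path points into such a folder. The "random-looking name" heuristic, the sample folder and file names, and the constructed demo home directory are all assumptions made for the example.

```python
"""Hunt for LaunchAgent persistence pointing into a hidden, random-looking
folder in the user's home directory. Heuristics and sample names are
assumptions for this example, not published XLoader indicators."""
import os
import plistlib
import re
import tempfile

# Assumption: a "random-looking" name is alphanumeric, at least 6 characters,
# and mixes letters and digits (so ".config" or ".ssh" do not match).
RANDOM_NAME = re.compile(r"^(?=.*[A-Za-z])(?=.*[0-9])[A-Za-z0-9]{6,}$")


def program_of(plist):
    """Return the executable a LaunchAgent plist will run, if any."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def in_hidden_random_dir(home, program):
    """True if program sits inside a hidden, random-looking folder under home."""
    if not program:
        return False
    parts = os.path.relpath(program, home).split(os.sep)
    if parts[0] == ".." or len(parts) < 2:
        return False  # outside the home directory, or directly in it
    folder, binary = parts[0], parts[-1]
    return (folder.startswith(".")
            and bool(RANDOM_NAME.match(folder[1:]))
            and bool(RANDOM_NAME.match(binary)))


def candidate_plists(home):
    """Yield plist paths from ~/Library/LaunchAgents and hidden top-level folders."""
    dirs = [os.path.join(home, "Library", "LaunchAgents")]
    dirs += [os.path.join(home, d) for d in os.listdir(home)
             if d.startswith(".") and os.path.isdir(os.path.join(home, d))]
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                yield os.path.join(d, name)


def scan_home(home):
    """Return (plist_path, program) for each agent pointing into a hidden random folder."""
    hits = []
    for path in candidate_plists(home):
        try:
            with open(path, "rb") as fh:
                pl = plistlib.load(fh)
        except Exception:
            continue  # unreadable plist: worth a manual look, but not scored here
        prog = program_of(pl)
        if in_hidden_random_dir(home, prog):
            hits.append((path, prog))
    return hits


def write_plist(path, label, program):
    """Write a minimal LaunchAgent plist (used only to build the demo)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        plistlib.dump({"Label": label, "ProgramArguments": [program],
                       "RunAtLoad": True}, fh)


def build_demo_home():
    """Constructed sample home: one benign agent and one XLoader-style layout."""
    home = tempfile.mkdtemp(prefix="demo-home-")
    # Benign: a (made-up) vendor updater living under /Applications.
    write_plist(os.path.join(home, "Library", "LaunchAgents", "com.example.updater.plist"),
                "com.example.updater", "/Applications/Example.app/Contents/MacOS/updater")
    # Suspicious: hidden random folder, random binary, plist in the same folder.
    hidden = os.path.join(home, ".k3Rz9pQa")
    os.makedirs(hidden)
    open(os.path.join(hidden, "Vx82mTq0"), "wb").close()
    write_plist(os.path.join(hidden, "Vx82mTq0.plist"), "Vx82mTq0",
                os.path.join(hidden, "Vx82mTq0"))
    return home


if __name__ == "__main__":
    for plist_path, program in scan_home(build_demo_home()):
        print(f"suspicious LaunchAgent {plist_path} -> {program}")
```

Run it against a real account with `scan_home(os.path.expanduser("~"))`; any hit should be followed by a `codesign -dv` on the program and a look at the plist's `Label`, since the name heuristic is deliberately loose and will need tuning for tools that legitimately keep dot-folders in the home directory.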
XLoader then hides its real command-and-control server in decoy traffic: it sends dummy requests to roughly 200 servers unrelated to the malware, so that the genuine server cannot be picked out by simply looking at which hosts the sample contacts.
How is XLoader distributed?
The malware samples discovered by SentinelOne are named OfficeNote.app and pretend to be Office applications by showing an icon impersonating Microsoft Word. XLoader is delivered as a standard Apple disk image named OfficeNote.dmg.
The researchers noted that multiple submissions of the new XLoader sample appeared throughout July 2023 on VirusTotal, a service that scans submitted files with many antivirus engines. Repeated submissions from different sources suggest the malware was circulating in the wild rather than being an isolated test build.
The new XLoader is being advertised in cybercriminals’ underground forums for $199 USD per month or $299 USD per quarter for its Mac version, while the Windows version is cheaper at $59 USD per month or $129 USD per quarter.
The dashboard accessible to XLoader customers is shown as a screenshot in underground forums to give cybercriminals insight into its functionalities and ease of use.
How can you protect your business from this XLoader malware threat?
How the Apple disk image reaches users is not known; the usual delivery methods for such files are email campaigns, direct downloads from untrusted sites, and links shared over social media or instant messaging. To protect your business from this XLoader threat, it is strongly advised to:
- Monitor email using security solutions that analyze all the attached files and links to download files.
- Monitor DNS and network logs for any endpoint or server that suddenly issues a large number of DNS queries for distinct names and opens connections to many different hosts or IP addresses within a few seconds; this is the footprint of the decoy traffic described above.
- Run security software on all endpoints and servers to prevent and detect malware such as XLoader.
- Prohibit users from downloading and running applications originating from untrusted application stores or servers.
- Keep all operating systems — in this case, particularly macOS — updated to the latest version and patched to avoid being compromised by common vulnerabilities.
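The DNS monitoring advice above, and the decoy-server behaviour it targets, can be turned into a concrete detection. The following is an added example written for this article, not a detection published by SentinelOne: it slides a time window over resolver log lines and flags any client that resolves more than a threshold of distinct names within that window. The log format, the window and threshold values, and the sample log lines are all constructed for the example.

```python
"""Flag clients that resolve an unusual number of distinct names in a short
window, the pattern produced by XLoader's decoy C2 traffic. Log format,
thresholds and sample lines are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 10   # assumption: tune to the observed baseline
MAX_DISTINCT = 25     # assumption: distinct names per client per window


def parse_line(line):
    """Constructed format: '<ISO timestamp> <client ip> <queried name>'."""
    ts, client, name = line.split()
    return datetime.fromisoformat(ts), client, name.rstrip(".").lower()


def detect_bursts(lines, window=WINDOW_SECONDS, max_distinct=MAX_DISTINCT):
    """Return {client: (first_alert_time, distinct_count, sample_names)}.

    Lines must be ordered by time. For each client a deque holds the queries
    inside the trailing window; an alert fires the first time the number of
    distinct names in that window exceeds max_distinct.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        t, client, name = parse_line(line)
        q = recent[client]
        q.append((t, name))
        while q and (t - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = {n for _, n in q}
        if len(distinct) > max_distinct and client not in alerts:
            alerts[client] = (t, len(distinct), sorted(distinct)[:5])
    return alerts


def sample_log():
    """Constructed log: one normal workstation and one host spraying lookups."""
    base = datetime(2023, 7, 20, 10, 0, 0)
    lines = []
    # 10.0.0.5 behaves normally: three names over about half a minute.
    for i, d in enumerate(["mail.example.com", "www.example.com", "cdn.example.net"]):
        lines.append(f"{(base + timedelta(seconds=i * 15)).isoformat()} 10.0.0.5 {d}")
    # 10.0.0.9 resolves 60 different names in six seconds.
    for i in range(60):
        t = base + timedelta(milliseconds=i * 100)
        lines.append(f"{t.isoformat()} 10.0.0.9 decoy{i:03d}.example.org")
    lines.sort(key=lambda l: parse_line(l)[0])
    return lines


if __name__ == "__main__":
    for client, (when, count, sample) in detect_bursts(sample_log()).items():
        print(f"{client}: {count} distinct names by {when.isoformat()} e.g. {sample}")
```

Two practical notes. First, browsers loading ad-heavy pages also fan out across many names, so set the threshold from a measured baseline and corroborate with the process that issued the queries where your telemetry allows it. Second, because the real C2 is mixed in with the decoys, every name a flagged client contacted in that window is a pivot point; keep the full set, not just the first few, when you escalate the alert.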
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.