XLoader is a long-running malware-as-a-service infostealer and botnet that has been around in some form or another since 2015. Its first macOS variant was spotted in 2021 and was notable for being distributed as a Java program. As we noted at the time, the Java Runtime Environment hasn’t shipped by default on macOS since the days of Snow Leopard, meaning the malware was limited in its targeting to environments where Java had been optionally installed.
Now, however, XLoader has returned in a new form and without the dependencies. Written natively in the C and Objective C programming languages and signed with an Apple developer signature, XLoader is now masquerading as an office productivity app called ‘OfficeNote’.
In this post, we examine how this new variant works and provide indicators for threat hunters and security teams. SentinelOne customers are automatically protected from this new variant of XLoader.
XLoader Distribution
The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg. The application contained within is signed with the developer signature MAIT JAKHU (54YDV8NU9C).
The application was signed on 17 July, 2023; however, Apple has since revoked the signature. Despite that, our tests indicate that Apple’s malware blocking tool, XProtect, does not have a signature to prevent execution of this malware at the time of writing.
Multiple submissions of this sample have appeared on VirusTotal throughout July, indicating that the malware has been widely distributed in the wild.
Advertisements on crimeware forums offer the Mac version for rental at $199/month or $299/3 months. Interestingly, this is relatively expensive compared to Windows variants of XLoader, which go for $59/month and $129/3 months.
XLoader Dropper and Persistence Module
When executed, the OfficeNote application is hardcoded to throw an error message indicating that the application is non-functional. Meanwhile, the malware drops its payload and installs a persistence agent, behavior that is immediately detected by the SentinelOne agent.
This error message is hardcoded using a stack string technique, typical of previous versions of XLoader.
At this point, however, the malware has already been busy dropping the payload and LaunchAgent. The payload is deposited in the user’s home directory as ~/73a470tO and executed. It creates a hidden directory and constructs a barebones minimal app within it, using a copy of itself for the main executable. Although the name of the payload is hardcoded into the dropper, the names of the hidden directory, app and executable are randomized on each execution.
Meanwhile, a LaunchAgent is also dropped in the User’s Library folder. This agent is similar to that used in the previous version of XLoader, providing a start value to the executable. This ensures that the binary can distinguish between its first run and subsequent runs.
XLoader Payload Behavior
As in previous versions, the malware attempts to steal secrets from the user’s clipboard via the Apple API NSPasteboard and generalPasteboard. It targets both Chrome and Firefox browsers, reading the login.json file located in ~/Library/Application Support/Firefox/Profiles for Firefox and ~/Library/Application Support/Google/Chrome/Default/Login Data for Chrome. As with other infostealers we’ve observed recently, Safari is not targeted.
XLoader uses a variety of dummy network calls to disguise the real C2. We observed 169 DNS name resolutions and 203 HTTP requests. Among the many contacted hosts the malware reaches out to are the following suspicious or malicious IP addresses.
23[.]227.38[.]74 62[.]72.14[.]220 66[.]29.151[.]121 104[.]21.26[.]182 104[.]21.32[.]235 104[.]21.34[.]62 137[.]220.225[.]17 142[.]251.163[.]121
XLoader also attempts to evade analysis both manually and by automated solutions. Both the dropper and payload binaries attempt to prevent debuggers attaching with ptrace’s PT_DENY_ATTACH (0x1f).
On execution, the malware executes sleep commands to delay behavior in the hope of fooling automated analysis tools. The binaries are stripped and exhibit high entropy in an attempt to similarly thwart static analysis.
Conclusion
XLoader continues to present a threat to macOS users and businesses. This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment. The malware attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise.
IT and security teams are advised to deploy a trusted third party security solution to prevent and detect malware such as XLoader. To see how SentinelOne can help protect the macOS devices in your fleet, contact us or request a free demo.
Indicators of Compromise
| SHA1 | Description |
| 26fd638334c9c1bd111c528745c10d00aa77249d | Mach-O Payload |
| 47cacf7497c92aab6cded8e59d2104215d8fab86 | Mach-O Dropper |
| 5946452d1537cf2a0e28c77fa278554ce631223c | Disk Image |
| 958147ab54ee433ac57809b0e8fd94f811d523ba | Mach-O Payload |
FilePaths
~/73a470tO
Developer ID
MAIT JAKHU (54YDV8NU9C)
Network Communications
23[.]227.38[.]74 62[.]72.14[.]220 66[.]29.151[.]121 104[.]21.26[.]182 104[.]21.32[.]235 104[.]21.34[.]62 137[.]220.225[.]17 142[.]251.163[.]121
www[.]activ-ketodietakjsy620[.]cloud www[.]akrsnamchi[.]com www[.]brioche-amsterdam[.]com www[.]corkagenexus[.]com www[.]growind[.]info www[.]hatch[.]computer www[.]kiavisa[.]com www[.]lushespets[.]com www[.]mommachic[.]com www[.]nationalrecoveryllc[.]com www[.]pinksugarpopmontana[.]com www[.]qhsbobfv[.]top www[.]qq9122[.]com www[.]raveready[.]shop www[.]spv88[.]online www[.]switchmerge[.]com
