Apple computer, macOS, laptop
Image: Adrian Regeci via Pexels

MacOS version of info-stealing XLoader gets an upgrade

Researchers have discovered a new variant of the XLoader malware that is better at dodging Apple’s security measures as it tries to steal sensitive information from macOS devices.

The initial version for Apple computers was discovered in 2021 and could only infect devices on which users installed the Java software package.

The new macOS version, analyzed by researchers at cybersecurity firm SentinelOne, doesn’t have these limitations.

According to a report published on Tuesday, the new XLoader is written in the C and Objective C programming languages. It now masquerades as a productivity app called OfficeNote.

The malicious app was signed with an Apple developer signature, which is used to verify its source and legitimacy. Apple has already revoked this signature, but the macOS malware blocker doesn't stop the XLoader from running, the researchers said.

The malware typically infects a Mac computer if the user receives a disk image file called OfficeNote.dmg and tries to install the software inside. The file creates an error message while the malware silently drops its payload.

The malware appears to be “widely distributed in the wild,” according to the report.

XLoader for Microsoft Windows has been around since at least 2015 and has been sold as malware-as-a-service on hacking forums. Ads on hacking forums offer the Mac version for rent at $199 per month or $299 per three months. Windows versions cost $59 monthly and $129 for three months.

Once it's in the system, the malware tries to steal sensitive information from the user's clipboard. This means hackers are searching for any valuable data that users may have copied or cut.

XLoader targets both Chrome and Firefox browsers, but not Safari. This is also true for other infostealers, according to SentinelOne.

The researchers didn't say how many XLoader infections they found or who got attacked. But since the malware masquerades as an office productivity app, it suggests that the intended victims are organizations or businesses.

Hackers can sell their information stolen by XLoader to other threat actors for further compromise, the researchers said.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.