XLoader’s Latest Trick | New macOS Variant Disguised as Signed OfficeNote App

XLoader is a long-running malware-as-a-service infostealer and botnet that has been around in some form or another since 2015. Its first macOS variant was spotted in 2021 and was notable for being distributed as a Java program. As we noted at the time, the Java Runtime Environment hasn’t shipped by default on macOS since the days of Snow Leopard, meaning the malware was limited in its targeting to environments where Java had been optionally installed.

Now, however, XLoader has returned in a new form and without the dependencies. Written natively in the C and Objective C programming languages and signed with an Apple developer signature, XLoader is now masquerading as an office productivity app called ‘OfficeNote’.

In this post, we examine how this new variant works and provide indicators for threat hunters and security teams. SentinelOne customers are automatically protected from this new variant of XLoader.

XLoader Distribution

The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg. The application contained within is signed with the developer signature MAIT JAKHU (54YDV8NU9C).

The application was signed on 17 July, 2023; however, Apple has since revoked the signature. Despite that, our tests indicate that Apple’s malware blocking tool, XProtect, does not have a signature to prevent execution of this malware at the time of writing.

OfficeNote app
OfficeNote’s revoked Apple Developer signature.

Multiple submissions of this sample have appeared on VirusTotal throughout July, indicating that the malware has been widely distributed in the wild.

XLoader submissions to VirusTotal July 2023
XLoader submissions to VirusTotal July 2023

Advertisements on crimeware forums offer the Mac version for rental at $199/month or $299/3 months. Interestingly, this is relatively expensive compared to Windows variants of XLoader, which go for $59/month and $129/3 months.

XLoader Dropper and Persistence Module

When executed, the OfficeNote application is hardcoded to throw an error message indicating that the application is non-functional. Meanwhile, the malware drops its payload and installs a persistence agent, behavior that is immediately detected by the SentinelOne agent.

XLoader is immediately detected as a threat by the SentinelOne agent
XLoader is immediately detected as a threat by the SentinelOne agent

This error message is hardcoded using a stack string technique, typical of previous versions of XLoader.

Hardcoded error message constructed on the stack
Hardcoded error message constructed on the stack

At this point, however, the malware has already been busy dropping the payload and LaunchAgent. The payload is deposited in the user’s home directory as ~/73a470tO and executed. It creates a hidden directory and constructs a barebones minimal app within it, using a copy of itself for the main executable. Although the name of the payload is hardcoded into the dropper, the names of the hidden directory, app and executable are randomized on each execution.

Execution of OfficeNote and creation of a hidden application
Execution of OfficeNote and creation of a hidden application as seen in the SentinelOne console

Meanwhile, a LaunchAgent is also dropped in the User’s Library folder. This agent is similar to that used in the previous version of XLoader, providing a start value to the executable. This ensures that the binary can distinguish between its first run and subsequent runs.

XLoader LaunchAgent for persistence
XLoader LaunchAgent for persistence

XLoader Payload Behavior

As in previous versions, the malware attempts to steal secrets from the user’s clipboard via the Apple API NSPasteboard and generalPasteboard. It targets both Chrome and Firefox browsers, reading the login.json file located in ~/Library/Application Support/Firefox/Profiles for Firefox and ~/Library/Application Support/Google/Chrome/Default/Login Data for Chrome. As with other infostealers we’ve observed recently, Safari is not targeted.

XLoader uses a variety of dummy network calls to disguise the real C2. We observed 169 DNS name resolutions and 203 HTTP requests. Among the many contacted hosts the malware reaches out to are the following suspicious or malicious IP addresses.

23[.]227.38[.]74
62[.]72.14[.]220
66[.]29.151[.]121
104[.]21.26[.]182
104[.]21.32[.]235
104[.]21.34[.]62
137[.]220.225[.]17
142[.]251.163[.]121

XLoader also attempts to evade analysis both manually and by automated solutions. Both the dropper and payload binaries attempt to prevent debuggers attaching with ptrace’s PT_DENY_ATTACH (0x1f).

XLoader attempts to prevent analysts reverse engineering the malware
XLoader attempts to prevent analysts reverse engineering the malware

On execution, the malware executes sleep commands to delay behavior in the hope of fooling automated analysis tools. The binaries are stripped and exhibit high entropy in an attempt to similarly thwart static analysis.

The XLoader binaries exhibit high entropy in the __text section
The XLoader binaries exhibit high entropy in the __text section

Conclusion

XLoader continues to present a threat to macOS users and businesses. This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment. The malware attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise.

IT and security teams are advised to deploy a trusted third party security solution to prevent and detect malware such as XLoader. To see how SentinelOne can help protect the macOS devices in your fleet, contact us or request a free demo.

Indicators of Compromise

SHA1 Description
26fd638334c9c1bd111c528745c10d00aa77249d Mach-O Payload
47cacf7497c92aab6cded8e59d2104215d8fab86 Mach-O Dropper
5946452d1537cf2a0e28c77fa278554ce631223c Disk Image
958147ab54ee433ac57809b0e8fd94f811d523ba Mach-O Payload

FilePaths
~/73a470tO

Developer ID
MAIT JAKHU (54YDV8NU9C)

Network Communications

23[.]227.38[.]74
62[.]72.14[.]220
66[.]29.151[.]121
104[.]21.26[.]182
104[.]21.32[.]235
104[.]21.34[.]62
137[.]220.225[.]17
142[.]251.163[.]121
www[.]activ-ketodietakjsy620[.]cloud
www[.]akrsnamchi[.]com
www[.]brioche-amsterdam[.]com
www[.]corkagenexus[.]com
www[.]growind[.]info
www[.]hatch[.]computer
www[.]kiavisa[.]com
www[.]lushespets[.]com
www[.]mommachic[.]com
www[.]nationalrecoveryllc[.]com
www[.]pinksugarpopmontana[.]com
www[.]qhsbobfv[.]top
www[.]qq9122[.]com
www[.]raveready[.]shop
www[.]spv88[.]online
www[.]switchmerge[.]com
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *