Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

One of the worst Mac malware strains is back and hiding as a productivity app - so beware

Magnifying glass enlarging the word 'malware' in computer machine code

If you stumble upon an app that claims to be a productivity solution called OfficeNote, ignore it and walk away - it’s just a piece of malware trying to steal sensitive data from your macOS device. 

Cybersecurity researchers from SentinelOne recently published a blog post detailing their discovery of a brand new version of XLoader, an eight-year-old malware-as-a-service which now comes written in an entirely different programming language, but capable of wreaking just as much havoc as before.

As per the report, XLoader is an infostealer and a botnet that’s capable of stealing secrets stored in people’s browsers, and more. The older versions were written in Java, but given that macOS no longer supports it by default, the new version is written from scratch in C and Objective C. Furthermore, it’s shipped with an Apple developer signature MAIT JAKHU (54YDV8NU9C). The researchers did not elaborate on how the attackers obtained this signature.

Rising in popularity

In any case, the signature has since been revoked by Apple, but Cupertino’s built-in malware blocker, XProtect, is yet to start spotting the malware, they say. 

The infostealer is growing immensely popular, the researchers further claim, saying that “multiple submissions” popped up on VirusTotal last month, an indication of rising popularity. On the dark web, the Mac version of the service costs $199/month, or $200 a month for three months - quite the price hike compared to the Windows version ($59 a month, or $129 for three months). 

If you do end up installing “OfficeNote” on your endpoint, you’ll get a message saying the application doesn’t work. In the background, however, the application works just as intended, dropping payloads and installing persistence agents. If it runs unchecked, the malware will try to steal secrets from the user’s clipboard, and look for secrets in Chrome and Firefox. Interestingly enough, Safari isn’t being targeted. 

Finally, XLoader tries really hard to keep its C2 server a secret, using multiple dummy network calls to throw researchers off their trail. SentinelOne observed 169 DNS name resolutions and 203 HTTP requests.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.