XLoader, a long-running infostealer and botnet that’s been around since 2015, has returned as a macOS variant that has been observed in the wild.
In a blog post Aug. 21, SentinelOne researchers said the macOS XLoader variant, first only found on Java programs, is written natively in the C and Objective C programming languages and signed with an Apple developer signature.
Multiple submissions of this new XLoader sample have appeared on VirusTotal throughout July, said SentinelOne researchers, which has been masquerading as a fake office productivity app called OfficeNote.
“XLoader continues to present a threat to macOS users and businesses,” wrote the researchers. “This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment. The malware attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise.”
First macOS variant for XLoader spotted two years ago
The SentinelOne researchers underscored that XLoader’s first macOS variant was spotted in 2021 and was notable for being distributed as a Java program. As SentinelOne explained in a previous blog, the Java Runtime Environment hasn’t shipped by default on macOS since the days of Snow Leopard, which means the malware was limited in its targeting to environments where Java had been optionally installed.
The researchers said the application was signed on July 17, but Apple has since revoked the signature. Despite that, SentinelOne said its tests indicated that Apple’s malware blocking tool, XProtect, still does not have a signature to prevent execution of this XLoader malware at the time of this writing.
Advertisements on crimeware forums offer the Mac version for rental at $199-a-month or $299 for three months. The Mac version is relatively expensive compared with Windows variants of XLoader, which go for $59-per-month and $129 for three months, according to SentinelOne.
The evolution of XLoader's distribution mechanism from being Java-dependent to harnessing a native macOS platform stands as a testament to the ever-adapting landscape of cybersecurity threats, said Callie Guenther, cyber threat research senior manager at Critical Start. Guenther said this shift is far from a mere technical adjustment: it speaks volumes about the strategic foresight and adaptability of threat actors.
“As Java's presence on macOS began to wane, given its non-default status after Snow Leopard, these adversaries astutely recognized an evolving ecosystem and recalibrated their approach,” explained Guenther. “By shifting to a native macOS distribution, they not only broadened their potential victim base, but also capitalized on a widespread perception of macOS as a more secure environment. This move signifies not just advanced technical prowess, but also an innate understanding of user psychology and trust mechanisms.”
Guenther said leveraging an Apple developer signature for the malware's distribution further amplifies this point, showcasing the lengths to which these actors will go to exploit digital trust pathways.
“When one sees this migration from Java to macOS in its entirety, it's evident that it's not just about compromising more systems or stealing more data,” said Guenther. “It's a calculated, strategic move that shows the persistence and sophistication of these threat actors. Their commitment to evolving their tools and methodologies serves as a potent reminder that in the world of cybersecurity, complacency is not an option, and the pursuit of robust defenses is a relentless endeavor.”
Damir J. Brescic, chief information security officer at Inversion6, said the evolution of the well-known XLoader malware into the Mac platform raises concerns, as Apple has long boasted about its superior security compared with Microsoft machines.
“The development challenges the notion that Apple devices are inherently more secure,” said Brescic. “It highlights the need for continuous vigilance and robust security measures, regardless of the OS being used.”
Brescic recommended that security teams take the following steps:
- Ensure that all devices are equipped with quality antivirus software capable of detecting and mitigating such threats.
- Apply regular software updates and patches promptly to minimize vulnerabilities.
- Educate users about the risks associated with downloading apps from untrusted sources and encourage the use of official app stores.
