
The Evolving Face of macOS Malware: Analyzing the Danger of the New XLoader


A New Mac-Oriented Variant of XLoader Infostealer Signals Increased Ability to Target macOS

Last month, a new variant of the XLoader infostealer, specifically designed to target Mac environments, was discovered in the wild. This development highlights a shift in hackers’ ability to effectively target macOS and underscores the importance of enhanced security measures for Mac users.

Spread and Detection

The Mac-oriented variant of XLoader was spread widely in July through a file named “OfficeNote.dmg,” which was uploaded to VirusTotal multiple times from various countries including the US, India, Spain, Singapore, and the Philippines. Despite its innocuous name, the disk image file contained an updated version of XLoader, crafted to steal credentials from Mac users.

According to threat researcher Phil Stokes, cross-platform malware seen on macOS in the past was commonly a port of Windows malware and was not very effective. The new XLoader variant is far more sophisticated because it is written natively in C and Objective-C.

The malware is packaged in an application called “Office Note” that carries the macOS Microsoft Word logo and an Apple developer signature, making it appear legitimate. Apple has since revoked the signature, but this will likely have little impact, as the malware’s authors can easily pivot to another signature or use fake signatures. Additionally, some malware authors ad hoc sign their code to bypass Apple’s Gatekeeper checks.

Upon execution, the file presents users with an error message while silently installing its payload and a persistence mechanism in the background of the infected machine. Once installed, XLoader attempts to steal saved credentials in Firefox and Chrome as well as users’ clipboard data.

Notably, Apple’s anti-malware tool XProtect did not have a signature to detect and block OfficeNote.dmg at the time of SentinelOne’s publication, underscoring the need for enhanced security measures.

The Evolution of Mac Malware

Macs have historically been of less interest to cybercriminals because of their market focus on individuals rather than enterprises or large businesses. This has changed as Mac usage has increased among developers and the C-suite, and threat actors are now targeting Macs more frequently.

In the past, threat actors experimented with Mac malware by modifying existing Windows malware to run on macOS. They also wrote new malware in languages that compile for both operating systems, such as Go or Rust. However, the advancement of malware development tooling and the increasing popularity of Macs among businesses have led to the emergence of dedicated cybercrime teams focused on Mac development.

The results of these efforts can be seen in the form of XLoader, as well as other malicious programs like Atomic Stealer, MacStealer, and PureLand.

Apple’s Approach to Security

An issue raised by Phil Stokes is Apple’s approach to malware and security. He explains that while Apple takes malware seriously, the company strives to keep it invisible to users. This commitment to a seamless, low-effort user experience may not be suitable for enterprise security.

Stokes points out that Windows machines offer a Microsoft Defender settings page where users can customize and run their own scans. In contrast, Apple’s approach is to handle security silently in the background. However, this is inadequate for businesses at any level, as infections can occur without the security team’s knowledge.

It remains to be seen how Apple’s approach to security will stand up to scrutiny. In the meantime, organizations using macOS must layer additional security measures on top of Apple’s default offerings. Stokes suggests that businesses should invest in other detection tools to enhance visibility and protection.

Advice for Mac Users and Organizations

The discovery of the new XLoader variant highlights the need for increased vigilance and security measures for Mac users and organizations.

– Stay up to date: Ensure that all macOS and application updates are promptly installed to protect against known vulnerabilities.

– Use a reputable security solution: Implement a robust security solution that can detect and block malware, including the new XLoader variant. Supplement Apple’s built-in security tools with additional layers of defense.

– Be cautious when downloading files: Exercise caution when downloading files, especially disk images or applications from untrusted sources. Check the legitimacy of files and verify the reputation of the source before execution.

– Avoid reusing credentials: To protect against credential theft, use unique and strong passwords for each online account. Consider using a password manager to securely store and generate complex passwords.

– Employ multi-factor authentication: Enable multi-factor authentication whenever possible to add an extra layer of security and prevent unauthorized access to online accounts.

– Educate employees: Educate employees about the risks of malware and the importance of following secure practices, such as avoiding suspicious links or attachments and regularly backing up important data.

– Maintain backups: Regularly back up important files and data to an external drive or a secure cloud storage service. In the event of a malware infection, backups allow systems to be restored and minimize data loss.
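The article notes that the OfficeNote sample carried a (since revoked) Apple developer signature and that ad hoc signing is another route malware authors take, and it advises checking the legitimacy of a download before running it. The script below is an added example, not code from the article or from SentinelOne, of a pre-execution triage a Mac user or help desk can run on a downloaded app: it records the file hash (the value to look up in VirusTotal or an EDR console, rather than the harmless-looking file name), classifies the code signature from `codesign` output, asks Gatekeeper for its verdict with `spctl`, and checks for the quarantine attribute. `classify_signature` only parses text, so it can be exercised anywhere; `inspect_app` calls the real macOS tools and is skipped where they are absent. The verdict names and the sample `codesign` output in the comments are this example's own constructions, based on the format `codesign -dv --verbose=2` prints.

```shell
#!/bin/sh
# Added example (not from the article): pre-execution triage of a downloaded
# macOS app bundle or disk image. Defender-side only: it reads signature
# metadata and Gatekeeper's assessment, it never launches the file.

# Classify the output of `codesign -dv --verbose=2 <path>` (codesign prints
# it to stderr). Verdict strings are this example's own convention:
#   unsigned      - no signature at all
#   adhoc         - ad hoc signed, i.e. no certificate chain ("Signature=adhoc")
#   developer-id  - chain rooted in an Apple-issued Developer ID certificate
#   other         - signed, but not by a Developer ID chain (e.g. self-signed)
classify_signature() {
    out="$1"
    case "$out" in
        *"code object is not signed"*) echo "unsigned"; return 0 ;;
    esac
    case "$out" in
        *"Signature=adhoc"*) echo "adhoc"; return 0 ;;
    esac
    case "$out" in
        *"Authority=Developer ID Application"*) echo "developer-id"; return 0 ;;
    esac
    # Any remaining signed object reports an Identifier= line.
    if printf '%s' "$out" | grep -q "^Identifier="; then
        echo "other"
    else
        echo "unsigned"
    fi
}

# Inspect one path (a .dmg file or a .app bundle). Returns 0 only when the
# object is Developer ID signed; 1 otherwise; 2 if the path is missing;
# 3 if the macOS tooling is not available on this host.
inspect_app() {
    app="$1"
    [ -e "$app" ] || { echo "no such path: $app" >&2; return 2; }

    # Hash a regular file (e.g. the .dmg) so it can be checked against
    # VirusTotal or an EDR console by content rather than by name.
    if [ -f "$app" ] && command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$app"
    fi

    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available (not macOS); skipping signature checks" >&2
        return 3
    fi

    sig_out=$(codesign -dv --verbose=2 "$app" 2>&1)
    verdict=$(classify_signature "$sig_out")
    echo "signature: $verdict"

    # Gatekeeper's own verdict. A revoked Developer ID certificate (as in the
    # OfficeNote case) is rejected here even though the signature is intact.
    if ! spctl --assess --type execute --verbose=2 "$app" 2>&1; then
        echo "gatekeeper: rejected"
    fi

    # A browser download should carry the quarantine attribute; its absence
    # on a freshly downloaded file is a reason to stop and investigate.
    if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
        echo "quarantine: present"
    else
        echo "quarantine: absent"
    fi

    case "$verdict" in
        developer-id) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh triage.sh /path/to/Download.dmg  (or /path/to/Some.app)
if [ "$#" -gt 0 ]; then
    inspect_app "$1"
fi
```

A Developer ID verdict is necessary, not sufficient: the article's point is that the OfficeNote sample was Developer ID signed until Apple revoked the certificate, so the `spctl` rejection and the hash lookup are the parts of this check that would have caught it after revocation, and an EDR or reputable security product is what covers the window before.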

By following these recommendations and taking a proactive approach to security, Mac users and organizations can better protect themselves against the evolving threat landscape and ensure the safety of their data and systems.
