Newer, Better XLoader Signals a Dangerous Shift in macOS Malware - Dark Reading
2023-08-22 14:34 (EST) - Contributing Writer
A new Mac-oriented variant of the XLoader infostealer spread widely in the wild last month, signaling a shift in hackers ability to effectively target macOS environments.
From mid- to late July, the file "OfficeNote.dmg" was uploaded to VirusTotal nine times, from countries as far and wide as the US, India, Spain, Singapore, and the Philippines. The innocuously named disk image file was actually an updated version of the XLoader infostealer, specially designed to steal credentials from Mac users.
Hackers increasingly have been converting Windows malware for use in macOS environments as of late, but the newest XLoader is far more than just a janky derivative.
"In the past," says Phil Stokes, a threat researcher at SentinelOne, "it was very common to see cross-platform malware that was a port from a Windows malware, but it was not very effective. The developers didnt really know how to develop for Mac, right? Well, I think that time is behind us now."
The New XLoader for Macs
The first XLoader built for Mac environments was discovered two years ago, almost to the day. It was a Java program, which proved to be its Achilles heel. The Java Runtime Environment hasnt been a default element of macOS since Snow Leopard, meaning that XLoader could only work on hosts that had downloaded Java for some reason or another.
The new XLoader has no such flaw — its written natively in C and Objective C. Its packaged in an application file with the legitimate-sounding name "Office Note," the macOS Microsoft Word logo, and an Apple developer signature. Apple has since revoked the signature, but "it wont make much difference," Stokes says.
"All it means is that the developers will have to pivot to another signature. Developers signatures are bought and sold on the Dark Net, or theyre fakes. They can even ad hoc sign, which means it doesnt actually have a developer signature, but it will still get past Apples gatekeeper detection."
When the file is executed, it will present the user with an error message, while simultaneously installing its payload and a persistence mechanism in the background of the machine.
Source: SentinelOne
Once installed, XLoader will attempt to steal credentials saved in Firefox and Chrome, as well as the users clipboard.
Notably, at the time of SentinelOnes publication, Apples anti-malware tool XProtect did not have a signature for detecting and blocking OfficeNote.dmg.
The New Face of Mac Malware
Because MacBooks historically have been marketed to individuals rather than industry or big business, theyve tended to be of less interest to cybercriminals. "Five years ago, there were not very many people who had Macs in the enterprise. Now developers love them, the C-suite loves them, and so theyre great targets. And threat actors will follow wherever the trend is."
Threat actors began experimenting with Mac malware by unevenly rejiggering existing Windows malware. At best, they would write new malware in languages friendly to both operating systems, like Golang or Rust. "Theyre such easy languages for people to learn, and such powerful languages. Its now much easier to write very good software for different platforms that is going to work out of the box," Stokes says.
Now, he adds, entire cybercrime teams are dedicated to Mac development. The results are bearing fruit in the form of this new XLoader, but also programs like Atomic Stealer, MacStealer, and PureLand.
The Issue With Apple Security
But to Stokes, it isnt merely that good malware now exists for MacBooks.
"The problem is that Apple has this kind of attitude to malware, where they take it seriously, but they want it all to be invisible to the user," he explains. The companys dogmatic commitment to a seamless, low-effort user experience, which got them so far with consumers in the past, may not be whats called for in the world of enterprise security.
"If youve got a Windows machine, youve got a big Microsoft Defender settings page you can go and play with, and run your own scans," he explains. "Apples approach is: Were going to take care of this silently in the background. And that, for enterprises or businesses of any level, is no good. You cannot have infections going on in the background without your security team knowing about it."
Time will tell how Apples approach to security will stand up to scrutiny. For now, organizations running macOS will need to layer extra security on top of what theyve got by default.
"The key," Stokes says, "is businesses should have some other kind of detection, other than just relying on Apple. Just go and make sure youve got something thats giving you that extra visibility and protection."
