A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called “OfficeNote.”
“The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg,” SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. “The application contained within is signed with the developer signature MAIT JAKHU (54YDV8NU9C).”
XLoader, first detected in 2020, is considered a successor to Formbook and is an information stealer and keylogger offered under the malware-as-a-service (MaaS) model. A macOS variant of the malware emerged in July 2021, distributed as a Java program in the form of a compiled .JAR file.
“Such files require the Java Runtime Environment, and for that reason the malicious .jar file will not execute on a macOS install out of the box, since Apple stopped shipping JRE with Macs over a decade ago,” the cybersecurity firm noted at the time.
The latest iteration of XLoader gets around this limitation by switching to programming languages such as C and Objective C, with the disk image file signed on July 17, 2023. Apple has since revoked the signature.