The PolySwarm Blog

New XLoader Variant Disguised as Signed App

Sep 1, 2023 1:24:48 PM / by The Hivemind

Executive Summary

A new XLoader variant has been observed in the wild, targeting MacOS systems and disguising itself as a signed OfficeNote app. 

Key Takeaways

  • A new XLoader variant has been observed in the wild, targeting MacOS systems.
  • It disguises itself as a signed OfficeNote app.
  • Despite the signature being revoked, XProtect does not currently prevent execution of this malware. 
  • XLoader uses dummy network calls to disguise the C2 and includes analysis evasion capabilities. 

What is XLoader?

A new XLoader variant has been observed in the wild, targeting MacOS systems and disguising itself as a signed OfficeNote app. SentinelOne reported on this variant.

XLoader is a MaaS (malware-as-a-service) infostealer and botnet that has been active in the wild since at least 2015. Windows, MacOS, and Android variants have been discovered. The first MacOS variant of XLoader was discovered in 2021 and was distributed as a Java program. The most recent MacOS variant is available on a crimeware forum for $199 USD/month or $299 for 3 months. This is far more expensive than the Windows variants of XLoader, which rent for $59 USD/month.

The most recent MacOS XLoader variant has no Java dependencies and masquerades as a signed version of the OfficeNote app. The variant is written in C and Objective-C. Apple has since revoked the signature used. This XLoader variant is bundled inside an Apple disk image named OfficeNote.dmg.

Despite the signature being revoked, XProtect does not currently prevent execution of this malware. When the application is executed, it displays an error suggesting that the application is non-functional. Meanwhile, the malware payload is dropped and a persistence agent is installed.

As with previous versions, this XLoader variant steals secrets from the victim machine’s clipboard and information from Firefox and Chrome browsers. It does not target the Safari browser. XLoader uses dummy network calls to disguise the C2 and includes analysis evasion capabilities.

IOCs

PolySwarm has multiple samples of XLoader.

You can use the following CLI command to search for all XLoader samples in our portal:

$ polyswarm link list -f XLoader