Key Takeaways
What is XLoader?
A new XLoader variant has been observed in the wild, targeting MacOS systems and disguising itself as a signed OfficeNote app. SentinelOne reported on this variant.
XLoader is a MaaS infostealer and botnet that has been active in the wild since at least 2015. Windows, MacOS, and Android variants have been discovered. The first MacOS variant of XLoader was discovered in 2021 and distributed as a Java program. The most recent MacOS variant is available on a crimeware forum for $199 USD/month or $299 for 3 months. This is far more expensive than the Windows variants of XLoader, which rent for $59 USD/month.
The most recent MacOS XLoader variant no longer carries the Java dependencies of the 2021 version and masquerades as a signed build of the OfficeNote app. The variant is written in C and Objective-C. Apple has since revoked the signature it was signed with. This XLoader variant is bundled inside an Apple disk image named OfficeNote.dmg.
Despite the signature revocation, XProtect does not currently prevent execution of this malware. When the application is launched, it displays an error suggesting the app is non-functional; in the background, the malware payload is dropped and a persistence agent is installed.
As with previous versions, this XLoader variant steals secrets from the victim machine’s clipboard and information from Firefox and Chrome browsers. It does not target the Safari browser. XLoader uses dummy network calls to disguise the C2 and includes analysis evasion capabilities.
IOCs
PolySwarm has multiple samples of XLoader.
You can use the following CLI command to search for all XLoader samples in our portal:
$ polyswarm link list -f XLoader