This notorious Mac malware has resurfaced as an office productivity app — how to stay safe
XLoader is back and this infostealer malware now runs natively on macOS
Macs are under attack from a new variant of the infamous XLoader malware which has been rewritten to run natively on the best MacBooks.
While XLoader has been around since at least 2015, it was primarily used to target Windows PCs until a macOS variant was spotted back in 2021. However, that version was distributed as a Java program which limited its ability to run on Macs since Apple hasn’t included the Java Runtime Environment on its computers for more than a decade.
Now though, a new version of XLoader, written in the C and Objective C programming languages that’s also signed with an Apple developer signature, has been spotted in the wild according to a blog post from the cybersecurity firm SentinelOne.
Hackers have also come up with a clever way to trick unsuspecting Mac users into installing this new version of XLoader. Unlike in the past when the malware was distributed as an attachment in phishing emails, it’s now masquerading as an office productivity app called "OfficeNote."
Stealing clipboard data from vulnerable Macs
This new version of XLoader is bundled inside an installation file for the fake productivity app OfficeNote and while it was signed with a developer signature back in July of this year, Apple has since revoked the signature.
Unfortunately though, as SentinelOne’s tests have confirmed, Apple’s own XProtect malware scanner does not have the necessary signature to prevent this malicious app from running on your Mac.
XLoader is actually a Malware-as-a-Service offering that hackers pay its creators to use in their attacks. According to posts on dark web hacking forums, it costs $199 per month or $299 for three months to gain access to this new macOS version of XLoader, which is much more expensive than its Windows counterpart which costs $59 per month or $129 for three months.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
If an unsuspecting Mac user does download and try to install the malicious OfficeNote app, they’re greeted with an error message which says that the program can’t be installed. This may lead them to think that there's something wrong with the program itself and that it wasn't loaded onto their system properly. Instead though, XLoader is installed and the malware also deploys a persistence agent so that it can remain undetected on an infected Mac.
From here, XLoader attempts to steal passwords and other sensitive data from a user’s clipboard in macOS. It also targets both Google Chrome and Mozilla Firefox to steal cookies and other data stored in your browser but just like with other infostealing malware on Mac, it ignores Safari.
How to stay safe from malicious Mac apps
In order to protect yourself from malicious apps on Mac, you want to avoid installing software for unofficial sources online. Instead, you should stick to the Mac App Store or the sites of reputable developers with a history of making secure software.
While your Mac has built-in security software like XProtect and Gatekeeper, you should also consider installing and using one of the best Mac antivirus software solutions for additional protection. Third-party Mac antivirus software is updated more frequently which can help you stay safe from viruses that XProtect or Gatekeeper may miss.
Now that there’s a brand new version of XLoader designed specifically for macOS that’s available for hackers to rent online, expect to see similar campaigns in the future targeting vulnerable Macs.
More from Tom's Guide
Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.