XLoader’s Latest Trick | New macOS Variant Disguised as Signed OfficeNote App

MITRE Techniques

• [T1116] Code Signing – Signed with an Apple developer signature MAIT JAKHU (54YDV8NU9C) to appear trusted. “The application contained within is signed with the developer signature MAIT JAKHU (54YDV8NU9C).”
• [T1036] Masquerading – Masquerades as an office productivity app called ‘OfficeNote’. “masquerading as an office productivity app called ‘OfficeNote’.”
• [T1543.001] Launch Agent – Persistence via a Launch Agent dropped in the user’s Library folder to differentiate first vs subsequent runs. “a LaunchAgent is dropped in the User’s Library folder. This agent is similar to that used in the previous version of XLoader, providing a start value to the executable.”
• [T1115] Clipboard Data – Steals secrets from the clipboard via NSPasteboard/generalPasteboard. “The malware attempts to steal secrets from the user’s clipboard via the Apple API NSPasteboard and generalPasteboard.”
• [T1555.003] Credentials from Web Browsers – Targets Chrome/Firefox login data to extract credentials. “targeting both Chrome and Firefox browsers, reading the login.json file located in …”
• [T1027] Obfuscated/Compressed Files and Information – Binaries are stripped and exhibit high entropy to thwart static analysis. “The binaries are stripped and exhibit high entropy in an attempt to similarly thwart static analysis.”
• [T1562.001] Impair Defenses: Disable or Modify Tools – Anti-debugging by preventing debuggers via ptrace PT_DENY_ATTACH. “prevent debuggers attaching with ptrace’s PT_DENY_ATTACH (0x1f).”
• [T1071.001] Web Protocols – Uses dummy network calls; numerous DNS resolutions and HTTP requests for C2. “XLoader uses a variety of dummy network calls to disguise the real C2. We observed 169 DNS name resolutions and 203 HTTP requests.”
• [T1071.004] DNS – DNS-based C2 lookups to various hosts/IPs. “the malware reaches out to the following suspicious or malicious IP addresses.”