Old-school Mac malware is hiding in plain sight in this productivity app (original) (raw)

At home with 15-inch MacBook Air, on a mosaic balcony table and on a wooden floor.

(Image credit: Gerald Lynch / Future)

While it's true that when it comes to malware, Windows is a much bigger target for attackers than macOS, there are still plenty of bad actors out there. And now a dangerous old malware tool has started to make a return.

XLoader is a malware tool that has been around for a couple of years and is now becoming prominent thanks to the way it's making a comeback — not only is it masquerading as a piece of Microsoft productivity software aimed at businesses, but also carries an Apple developer signature.

That of course makes the app appear genuine, although there are plenty of things that give it away if you know where to look.

Security matters

The reappearance of XLoader was first picked up by SentinelOne, with the blog noting that, unlike previous iterations that targeted the Java Runtime Environment, this new one is a different animal.

"XLoader has returned in a new form and without the dependencies," the blog notes. "Written natively in the C and Objective C programming languages and signed with an Apple developer signature, XLoader is now masquerading as an office productivity app called ‘OfficeNote’."

The whole thing has an appearance of legitimacy, but there are signs that something is afoot. For starters, the malware is delivered in an Apple disk image called OfficeNote.dmg, which should be enough to raise the alarm. Another issue is the Apple developer signature by the name of MAIT JAKHU (54YDV8NU9C).

Thankfully, Apple has now revoked that signature but XProtect, the Mac's malware-blocking tool, wasn't preventing the app from launching at the time of writing — so if you don't notice something's amiss, macOS will launch it.

iMore offers spot-on advice and guidance from our team of experts, with decades of Apple device experience to lean on. Learn more with iMore!

Once that happens XLoader will start watching Chrome and Firefox web browsers and start collecting data from them. Safari isn't targeted which is another reason to give it a try if you haven't of late.

The new iteration of XLoader is definitely going after business users so this is one for I.T. departments to be aware of. But it's another reminder that malware does exist on the Mac, no matter how much Apple's promotional materials might like to make it appear otherwise.

Oliver Haslam has written about Apple and the wider technology business for more than a decade with bylines on How-To Geek, PC Mag, iDownloadBlog, and many more. He has also been published in print for Macworld, including cover stories. At iMore, Oliver is involved in daily news coverage and, not being short of opinions, has been known to 'explain' those thoughts in more detail, too. Having grown up using PCs and spending far too much money on graphics card and flashy RAM, Oliver switched to the Mac with a G5 iMac and hasn't looked back. Since then he's seen the growth of the smartphone world, backed by iPhone, and new product categories come and go. Current expertise includes iOS, macOS, streaming services, and pretty much anything that has a battery or plugs into a wall. Oliver also covers mobile gaming for iMore, with Apple Arcade a particular focus. He's been gaming since the Atari 2600 days and still struggles to comprehend the fact he can play console quality titles on his pocket computer.