One of the worst Mac malware strains is back and hiding as a productivity app - so beware

No, OfficeNote is not a real app - it’s just Mac malware

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

If you stumble upon an app that claims to be a productivity solution called OfficeNote, ignore it and walk away - it’s just a piece ofmalwaretrying to steal sensitive data from your macOS device.

Cybersecurity researchers from SentinelOne recently published ablog postdetailing their discovery of a brand new version of XLoader, an eight-year-old malware-as-a-service which now comes written in an entirely different programming language, but capable of wreaking just as much havoc as before.

As per the report, XLoader is an infostealer and a botnet that’s capable of stealing secrets stored in people’s browsers, and more. The older versions were written in Java, but given that macOS no longer supports it by default, the new version is written from scratch in C and Objective C. Furthermore, it’s shipped with anAppledeveloper signature MAIT JAKHU (54YDV8NU9C). The researchers did not elaborate on how the attackers obtained this signature.

Rising in popularity

In any case, the signature has since been revoked by Apple, but Cupertino’s built-in malware blocker, XProtect, is yet to start spotting the malware, they say.

The infostealer is growing immensely popular, the researchers further claim, saying that “multiple submissions” popped up on VirusTotal last month, an indication of rising popularity. On the dark web, the Mac version of the service costs $199/month, or $200 a month for three months - quite the price hike compared to the Windows version ($59 a month, or $129 for three months).

Learn coding skills with the best Python online courses>More malware is being hidden in PNG images, so watch out>Check out the best productivity tools around

If you do end up installing “OfficeNote” on your endpoint, you’ll get a message saying the application doesn’t work. In the background, however, the application works just as intended, dropping payloads and installing persistence agents. If it runs unchecked, the malware will try to steal secrets from the user’s clipboard, and look for secrets in Chrome and Firefox. Interestingly enough,Safariisn’t being targeted.

Finally, XLoader tries really hard to keep its C2 server a secret, using multiple dummy network calls to throw researchers off their trail. SentinelOne observed 169 DNS name resolutions and 203 HTTP requests.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

The 6 best electric motorcycle concepts and launches from EICMA 2024