Variant of XLoader Malware for macOS Found Under Guise of “Productivity App”
Plus, Creator of CypherRAT and CraxsRAT Malware Identified
XLoader Malware Disguised as “Productivity App” used for MaaS
A new strain of Apple macOS malware called XLoader has emerged, disguising itself as an innocent productivity app named "OfficeNote." Initially spotted by security researchers at SentinelOne, this variant marks a progression of the XLoader malware family, which was first uncovered in 2020. Unlike its predecessors, this version is concealed within an Apple disk image named "OfficeNote.dmg," with the contained application bearing the developer signature "MAIT JAKHU (54YDV8NU9C)."
XLoader is recognized for being an information thief and keylogger that operates using the malware-as-a-service (MaaS) model. While the original malware was distributed as a Java program requiring Java Runtime Environment (JRE), this new variant bypasses this requirement by using programming languages like C and Objective C. The malware's disk image file received a digital signature on July 17, 2023, which has since been revoked by Apple.
The malware was discovered through multiple submissions on VirusTotal throughout July 2023, suggesting a widespread distribution campaign. Interestingly, it is being advertised on criminal forums for Mac systems, with prices ranging from $199/month to $299 for three months, which is notably more expensive than its Windows counterparts.
Upon execution, the malicious "OfficeNote" app displays a fake error message to divert attention while surreptitiously installing a Launch Agent for long-term persistence. XLoader targets clipboard data and information stored in directories related to web browsers such as Google Chrome and Mozilla Firefox, but it avoids targeting Apple's Safari browser.
To evade detection, XLoader employs various tactics, including delaying its execution through sleep commands and avoiding actions that might raise suspicion. The researchers at SentinelOne conclude that this XLoader iteration poses a significant threat to macOS users, particularly those in work environments. The malware's goal is to steal sensitive browser and clipboard data, which can subsequently be exploited or sold to other malicious actors for further cyber compromise.
Syrian Hacker Named EVLF Responsible for CypherRAT and CraxsRAT Malware
Syrian threat actor EVLF has been identified as the creator of malware strains CypherRAT and CraxsRAT, enabling remote control of victim devices' cameras, microphones, and locations. These Remote Access Trojans (RATs) are part of a malware-as-a-service (MaaS) scheme, reportedly purchased by around 100 threat actors over three years. EVLF operates a web shop to advertise their products, active since September 2022.
CraxsRAT, an Android trojan, facilitates remote control of infected devices from Windows computers. The malware employs a builder for customization, including payload obfuscation, icon selection, and permissions for call logs, contacts, storage, location, and SMS access. Notably, its "Super Mod" feature prevents easy uninstallation. EVLF manages a Telegram channel with over 10,000 subscribers and has been detected on GitHub, though Microsoft has taken down some instances. In response to public exposure, EVLF recently announced the discontinuation of their project due to personal circumstances.
Jobs/Internships:
Ensono - Senior Solution Architect Network & Network Security - New Jersey
Two Six Technologies - Principal Firmware Reverse Engineer - Arlington, Virginia
HTC Global Services - Informatica Developer (IICS) - Dearborn, Michigan
CrowdStrike - Engineering Program Manager III (Remote) - Reading, England, United Kingdom
Signify - Intern Hue Full Stack Engineer - Data Platform - Eindhoven, North Brabant, Netherlands
Point72 - 2024 Summer Internship - Data Scientist, Proprietary Research - NYC, New York
Tesla - Internship, Embedded Software Engineer, Audio Systems (Winter/Spring 2024) - Palo Alto, California
Optiver - Software Engineer Intern (Summer 2024) - Austin, Texas