
CTI Roundup: An XLoader macOS variant, Lazarus Group Update, and Hackers Abuse Facebook Ads

XLoader macOS variant poses as a productivity app, Lazarus Group uses new malware, and threat actors abuse Facebook promotions to spread malicious code

Emerging Issue

First in this week’s roundup is an overview of a new XLoader malware variant for macOS that poses as an office productivity application. Next, CTI investigates the Lazarus Group’s latest campaign and the discovery of a new threat called CollectionRAT. Finally, CTI explains how threat actors abuse Facebook promotions featuring large language models (LLMs) to spread malicious code.

1. XLoader macOS variant poses as a productivity app

SentinelOne has discovered a variant of the macOS malware XLoader in the wild. The campaign disguises its malicious functionality by posing as an office productivity app called OfficeNote, with the XLoader variant bundled inside a standard Apple disk image.

What is XLoader malware?

XLoader malware is a rebrand of Formbook malware. It primarily operates as an infostealer for both Windows and macOS.

XLoader surfaced in underground cybercrime forums in early 2020, shortly after Formbook was shut down by its author. The first macOS variant was spotted in 2021 and was notable for being distributed as a Java program. The malware is sold under a malware-as-a-service (MaaS) model, giving subscribers access to the administrative panel and executable builds.

The new macOS XLoader variant is written natively in the C and Objective-C programming languages. It is signed with an Apple developer signature and masquerades as an office productivity app called OfficeNote.

How is XLoader malware distributed?

The latest XLoader variant is bundled within a standard Apple disk image named OfficeNote.dmg. This variant is signed with the developer signature of MAIT JAKHU and was signed on July 17, 2023. Apple has since revoked the signature. However, SentinelOne’s tests indicate that Apple’s malware-blocking tool does not have a signature to prevent the execution of this malware.

Several samples of this variant have appeared on VirusTotal throughout July, indicating that it is likely being distributed in the wild. Underground crime forums advertise this new macOS variant for $199 monthly or $299 for three months. This is relatively expensive compared to the Windows XLoader variant, which is listed at $59 per month.

Dropper and persistence

When this variant is executed, the OfficeNote application is hardcoded to throw an error message telling the user that the application cannot be opened. In the background, the malware is dropping its payload and installing a persistence agent. This message is hardcoded using a stack string technique that was used in previous XLoader variants.

The payload is dropped in the user’s home directory as ~/73a470tO and is executed. It creates a hidden directory and a barebones application within that directory. While the name of the payload is hardcoded in the dropper, the names of the hidden directory, application, and executable are randomized for each execution. A LaunchAgent is also dropped in the user’s Library folder so that the binary can distinguish between its first run and following runs.
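Because the directory and executable names are randomized, hunting for this persistence works better on structure than on names. The following triage script is an added example, not code from SentinelOne or Tanium: it flags per-user LaunchAgents whose executable sits under a dot-prefixed directory in the home folder. The labels and paths in the demo are constructed, and a hit is a lead to review, not a verdict.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

def agent_target(plist_path):
    """Return the executable a LaunchAgent plist starts, or None if unreadable."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):  # missing, binary junk, or bad XML
        return None
    if not isinstance(job, dict):
        return None
    args = job.get("ProgramArguments") or []
    target = job.get("Program") or (args[0] if args else None)
    return target if isinstance(target, str) else None

def hidden_component(target, home):
    """First dot-prefixed directory between `home` and the executable, else None."""
    try:
        rel = Path(target).relative_to(home)
    except ValueError:  # executable lives outside the home directory
        return None
    return next((p for p in rel.parts[:-1] if p.startswith(".")), None)

def scan_launch_agents(home):
    """Flag per-user LaunchAgents that launch a binary from a hidden directory."""
    home = Path(home)
    findings = []
    for plist in sorted((home / "Library" / "LaunchAgents").glob("*.plist")):
        target = agent_target(plist)
        hidden = hidden_component(target, home) if target else None
        if hidden:
            findings.append((plist.name, target, hidden))
    return findings

def write_agent(home, label, program_args):
    """Demo helper: write a minimal, constructed LaunchAgent plist."""
    agents = Path(home) / "Library" / "LaunchAgents"
    agents.mkdir(parents=True, exist_ok=True)
    with open(agents / f"{label}.plist", "wb") as fh:
        plistlib.dump({"Label": label, "ProgramArguments": program_args}, fh)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:  # constructed home, not real data
        write_agent(home, "com.example.updater", ["/usr/local/bin/updater"])
        write_agent(home, "com.example.notes", [f"{home}/.abc123/Notes.app/Contents/MacOS/notes"])
        print(scan_launch_agents(home))
```

On a real host, call `scan_launch_agents` with each user's home directory; some legitimate developer tools also run from dot-directories, so expect a short allowlist.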

Payload behavior

The XLoader malware attempts to steal secrets from the clipboard through Apple's NSPasteboard API and its generalPasteboard. It can also target Firefox and Chrome browsers to read login data files. Strangely enough for a macOS variant, it does not appear to target the Safari browser.

The malware uses dummy network calls to obfuscate the real C2. SentinelOne observed 169 DNS name resolutions and 203 HTTP requests and identified a handful of suspicious IPs from this activity. It attempts to evade analysis in a few ways. The dropper and payload try to prevent debuggers from attaching by using ptrace. The malware also executes sleep commands to delay its activity.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The latest macOS variant of XLoader clearly targets users within a working environment, based on the fact that it masquerades as an office productivity app. Its high price point on underground cybercriminal forums relative to its Windows variants also indicates that its developers think there will be a bigger interest/ROI in this variant. As SentinelOne points out, XLoader continues to threaten macOS users and businesses.”

2. North Korean Lazarus Group uses new malware

Cisco Talos recently investigated the Lazarus Group’s latest campaign in which the group exploited a ManageEngine ServiceDesk vulnerability to deploy multiple threats.

Their investigation into this campaign — along with reused infrastructure components — led them to the discovery of a new threat called CollectionRAT. Lazarus Group is also shifting tactics and increasingly relying on open-source tools in the initial access phase.

Reuse of infrastructure

The North Korean state-sponsored threat actor is continuing to use a lot of the same infrastructure in recent campaigns, even though many of these components have been documented by researchers over the years.

While this may seem like a strange thing to do, it highlights the group’s confidence in their attacks. This latest campaign serves as a reminder of how active this group is.

An evolving arsenal

The newly discovered CollectionRAT malware consists of a range of typical RAT capabilities, like the ability to run arbitrary commands and manage files on the device.

The implant leverages a packed Microsoft Foundation Class (MFC) library-based Windows binary to decrypt and execute the malware. The MFC framework here is solely used as a wrapper and decryptor for the actual malicious code.

The malware will gather system information to fingerprint the infection and send this along to the command and control (C2) server. It will receive commands back from the C2 server to carry out a variety of tasks. It has the ability to create a reverse shell, read/write files from the disk, and spawn new processes to download and deploy more payloads. It can also remove itself from the device when instructed to do so by the C2.

CollectionRAT and its link to EarlyRAT

Cisco Talos analyzed the IOCs associated with CollectionRAT and found a link to EarlyRAT, malware that has been attributed to the Andariel subgroup of Lazarus.

CollectionRAT was signed with the same certificate used to sign an older version of EarlyRAT from 2021. Both malware families used the same certificate with the same serial number and thumbprint. EarlyRAT is often deployed via the successful exploitation of the Log4j vulnerability.

Using open-source tools during initial access

The Lazarus group seems to be shifting its tactics by increasingly relying on open-source tools and frameworks during the initial access phase of their attacks, as opposed to only employing them in the post-compromise phase.

The group previously relied on custom-built implants like MagicRAT to establish persistent initial access on a compromised machine. The custom implants were then used to deploy open-source tools. This campaign is an example in which the threat actor used the open-source DeimosC2 framework for initial and persistent access.

Lazarus Group is also observed using the reverse shell tunneling tool PuTTY Link (Plink). In the past, the threat actor used Plink to establish remote tunnels. However, the threat actor has now started generating malicious Plink binaries out of the tool’s source code to embed reverse tunnel command strings in the binary itself.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The fact that Lazarus Group is using new malware in its attacks is something that is almost to be expected at this point, given how active and agile the group is.”

“Along this same vein, the threat actor is shifting tactics to leverage open-source tools in the initial access phase of attacks. The group historically leveraged open-source tools solely in the post-compromise phase, marking a clear evolution. The reason for this shift isn’t clear, but it does seem to align with threat actors’ constant evolution and with much of what we’re seeing in the threat landscape.”

3. Threat actors abuse Facebook promotions to spread malicious code

Recent research by Trend Micro discusses how threat actors abuse Facebook promotions featuring LLMs to spread malicious code, with the goal of installing a malicious browser add-on and stealing credentials. The threat actor leverages URL shorteners for URL link redirection, Google sites for web hosting, and cloud storage services like Google Drive and Dropbox to host malicious files.

Facebook promotions as an infection vector

The threat actor leverages Facebook’s paid promotions to trick potential victims with advertisements featuring fake profiles of marketing companies. These fake profiles often include purchased or bot followers, fake reviews by other hijacked profiles, and a limited online history. The advertisements promise to boost productivity, increase reach and revenue, or assist in teaching — all with the help of artificial intelligence. In some cases, the threat actor claimed to provide access to Meta AI.

Once the user clicks on the advertisement, they are redirected to a basic website that outlines the advantages of using an LLM. The site includes a link for downloading the AI package. To avoid detection by AV solutions, the threat actor distributes the package as an encrypted archive with simple passwords like 999 or 888.

Package analysis

When the archive is opened and decrypted with the correct password, it contains a single MSI installer file. When the installer is executed, the installation process will drop files belonging to a Chrome extension. It will then run a batch script to kill the currently running browser and restart it with a malicious extension that impersonates Google Translate.

Malicious extension analysis

The main logic of the malicious extension is found in the extension service worker script. After deobfuscation, Trend Micro was able to analyze its stealing capabilities.

The script first attempts to steal Facebook cookies, checking for the presence of c_user. It then steals the access token and uses it to query Facebook’s GraphQL API, enumerating the account’s managed pages and information about them. The stealer will also attempt to get the IP address of the victim. The stolen information is concatenated, URL encoded, base64 encoded, and exfiltrated to a C2 server.
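For responders checking endpoints after this campaign, the manifest of an unpacked extension already shows the two traits described above: a name claiming to be Google Translate and the ability to read Facebook cookies. The following triage script is an added example, not Trend Micro's or Tanium's code; the sample manifests are constructed, and the directory you pass to `scan_extensions` is an assumption, since the page does not say where the installer drops the extension.

```python
import json
from pathlib import Path

BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

def covers_facebook(patterns):
    """True if any match pattern grants access to facebook.com or to every site."""
    return any(p in BROAD_HOSTS or "facebook.com" in p
               for p in patterns if isinstance(p, str))

def triage_manifest(manifest):
    """Return the reasons a parsed manifest.json matches the behaviour described."""
    reasons = []
    perms = manifest.get("permissions") or []
    # Manifest V3 lists hosts under "host_permissions"; V2 mixes them into "permissions".
    hosts = list(manifest.get("host_permissions") or []) + list(perms)
    if "google translate" in str(manifest.get("name", "")).lower():
        reasons.append("name claims to be Google Translate")
    if "cookies" in perms and covers_facebook(hosts):
        reasons.append("can read facebook.com cookies")
    return reasons

def scan_extensions(root, min_reasons=2):
    """Walk `root` for manifest.json files and report those with enough reasons."""
    hits = {}
    for path in sorted(Path(root).rglob("manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or not valid JSON
        if not isinstance(manifest, dict):
            continue
        reasons = triage_manifest(manifest)
        if len(reasons) >= min_reasons:
            hits[str(path.parent)] = reasons
    return hits

SAMPLE_SUSPECT = {  # constructed manifest, not taken from the campaign
    "manifest_version": 3, "name": "Google Translate",
    "permissions": ["cookies", "tabs"], "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "background.js"},
}
SAMPLE_BENIGN = {"manifest_version": 3, "name": "Tab Sorter", "permissions": ["tabs"]}

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPECT, SAMPLE_BENIGN):
        print(sample["name"], "->", triage_manifest(sample))
```

Lowering `min_reasons` to 1 widens the net to any extension that can read Facebook cookies, which is useful when the impersonated name changes between campaigns.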

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“This campaign and threat actor appear to target business social networking managers, administrators, and marketing specialists, indicating a fairly targeted attack.”

“Meta removed the fraudulent pages and ads after Trend Micro brought the issue to their attention, but this is often a whack-a-mole situation that is hard to eliminate fully.”

Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
