The authors of several macOS infostealers are becoming more formidable as they continually refine their code to evade XProtect, the anti-malware component built into macOS.
Despite Apple's regular updates to XProtect's signature database, a recent report describes three notable families that slip past the company's primary detection mechanism, underscoring the need for a layered security strategy.
In short, cybercriminals have caught up with XProtect and are now routinely evading it.
XProtect operates silently in the background, scanning downloaded files and applications against a database of known malware signatures. Because it is signature-based, it can only flag what it has already seen, and the speed with which malware developers modify their code leaves it open to evasion.
KeySteal, first documented in 2021, illustrates this adaptability. Initially distributed as an Xcode-built Mach-O binary under the names 'UnixProject' or 'ChatGPT', KeySteal targets the macOS Keychain, the operating system's native password store. Apple shipped updated signatures for it in February last year, but KeySteal has since undergone significant changes that let it evade detection by XProtect and most antivirus engines.
The second example is Atomic Stealer. This infostealer, originally written in Go and first documented in May last year, has since been rewritten into C++ variants that evade the latest XProtect signatures and detection rules.
The third infostealer to outpace XProtect is CherryPie, also known as 'Gary Stealer' or 'JaskaGo'. First identified in September last year, this Go-based cross-platform malware includes anti-analysis measures, virtual machine detection, Wails wrapping, ad hoc code signatures and the ability to disable Gatekeeper once it has obtained admin privileges. Apple added XProtect signatures for CherryPie in December 2023, but the malware still challenges a range of other detection solutions.
The continual reworking of these families highlights the limitations of static detection and argues for a more robust approach from both organisations and individual users. Relying solely on signature-based tools such as XProtect is no longer sufficient as infostealers grow more capable.
Users and operating system vendors alike need to adapt to stay one step ahead of malware developers. Security software with dynamic or investigative (behavioural) analysis capabilities becomes essential, and vigilant network monitoring, properly configured firewalls and prompt installation of security updates remain crucial parts of a comprehensive defence.
Finally, security providers can stay ahead of these threats only with a proactive, multi-layered approach that protects users and systems from emerging malware strains.
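To make concrete why signature-only detection falls behind, and what the behavioural analysis recommended above adds, here is an added Python example that is not part of the article or of any vendor's product. It runs an XProtect-style static check (a known file hash plus a fixed byte pattern) against two constructed stand-ins for the same stealer, one of which simply XOR-encodes its command string at build time, and then runs a small behavioural rule set over constructed process-event lines. The Mach-O stubs, the log format, the XOR key and the two behavioural indicators (a process invoking `spctl --master-disable`, the usual command-line way to disable Gatekeeper, and `security` Keychain dump commands) are all assumptions made for illustration; the article names neither command.

```python
import hashlib
import re

# Assumed runtime indicator: the article only says CherryPie disables
# Gatekeeper with admin privileges; this is the common command for doing so.
CMD = b"spctl --master-disable"
KEY = 0x5A  # hypothetical single-byte XOR key used by the "variant" build


def xor_bytes(data: bytes, key: int) -> bytes:
    """Symmetric single-byte XOR; used both to obfuscate and to decode."""
    return bytes(b ^ key for b in data)


ENCODED_CMD = xor_bytes(CMD, KEY)

# Constructed stand-ins for two builds of one stealer (not real samples).
# Both begin with the 64-bit Mach-O magic (0xFEEDFACF, little-endian).
MACHO_MAGIC = b"\xcf\xfa\xed\xfe"
ORIGINAL_SAMPLE = MACHO_MAGIC + b"\x00" * 16 + CMD + b"\x00" * 8
VARIANT_SAMPLE = MACHO_MAGIC + b"\x00" * 20 + ENCODED_CMD + b"\x01"

# Static, XProtect-style signatures derived from the original build only.
KNOWN_HASHES = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}
STATIC_PATTERN = re.compile(re.escape(CMD))


def static_match(blob: bytes) -> bool:
    """True if the blob matches a known hash or the fixed byte pattern."""
    if hashlib.sha256(blob).hexdigest() in KNOWN_HASHES:
        return True
    return STATIC_PATTERN.search(blob) is not None


# Behavioural rules over process-execution events. Both indicators are
# assumptions about what such stealers do at runtime, chosen for the demo.
BEHAVIOUR_RULES = [
    ("gatekeeper_disable", re.compile(r"\bspctl\s+--master-disable\b")),
    ("keychain_access",
     re.compile(r"\bsecurity\s+(dump-keychain|find-(generic|internet)-password)\b")),
]

# Constructed process-event lines in a hypothetical EDR export format.
SAMPLE_EVENTS = [
    "2024-01-10T12:00:01Z exec pid=412 ppid=390 path=/bin/ls argv='ls -la /Users'",
    "2024-01-10T12:00:03Z exec pid=418 ppid=401 path=/usr/bin/sudo argv='sudo spctl --master-disable'",
    "2024-01-10T12:00:04Z exec pid=420 ppid=401 path=/usr/bin/security argv='security dump-keychain -d login.keychain'",
    "2024-01-10T12:00:05Z exec pid=421 ppid=390 path=/usr/bin/security argv='security list-keychains'",
]


def behaviour_matches(events):
    """Return (rule_name, event) pairs for every event that trips a rule."""
    hits = []
    for event in events:
        for name, pattern in BEHAVIOUR_RULES:
            if pattern.search(event):
                hits.append((name, event))
    return hits


if __name__ == "__main__":
    # The original build is caught statically; the XOR-encoded variant is not,
    # even though it decodes and runs exactly the same command.
    for label, blob in (("original", ORIGINAL_SAMPLE), ("variant", VARIANT_SAMPLE)):
        print(f"{label}: static signature {'HIT' if static_match(blob) else 'miss'}")
    print("variant decodes to:", xor_bytes(ENCODED_CMD, KEY).decode())
    # The behavioural rules fire on what the process actually does, regardless
    # of which build launched it.
    for name, event in behaviour_matches(SAMPLE_EVENTS):
        print(f"behaviour {name}: {event}")
```

Running the script shows the static check flagging only the original build, while both behavioural rules fire on the process events. The point is not that the byte pattern is a bad signature, but that any signature tied to the on-disk form of a sample is defeated by a recompile or a trivial string encoding, whereas the Gatekeeper and Keychain actions have to happen in the clear for the malware to work.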