A concerning trend has emerged on the macOS platform. Multiple information stealers have showcased a remarkable ability to outsmart detection, even in the face of frequent monitoring and reporting by security companies.
XProtect, macOS’s built-in anti-malware system, is designed to operate quietly in the background. It scans downloaded files and applications for known malware signatures, aiming to ensure a secure computing environment for users.
However, a recent report by SentinelOne sheds light on the challenges posed by three particularly noteworthy malware examples that successfully elude XProtect’s defenses.
KeySteal: A Persistent macOS Infostealer
First documented in 2021, the KeySteal macOS infostealer has undergone significant evolution to remain a persistent threat. Distributed as an Xcode-built Mach-O binary, masquerading as ‘UnixProject’ or ‘ChatGPT,’ this malware seeks to establish persistence and pilfer Keychain information.
Keychain, macOS’s native password management system, stores credentials, private keys, certificates, and notes securely. Despite Apple’s efforts to update XProtect’s signatures for KeySteal in February 2023, the malware’s rapid adaptations continue to slip past detection mechanisms.
While KeySteal is currently exposed by its hardcoded command-and-control addresses, SentinelOne anticipates that its creators will soon implement a rotation mechanism.
Atomic Stealer: A Quickly Evolving Malware
A relatively recent entrant, Atomic Stealer, emerged in May 2023 as a Go-based stealer. Despite Apple’s continuous updates to XProtect’s signatures, SentinelOne has already observed C++ variants capable of evading detection.
The latest iteration of Atomic Stealer employs a clear-text AppleScript, abandoning code obfuscation to expose its data-stealing logic. Incorporating anti-VM checks and preventing the execution of the Terminal alongside it, this malware poses a dynamic challenge for security measures.
CherryPie: A Cross-Platform Stealer
First identified in September 2023, CherryPie, also known as ‘Gary Stealer’ or ‘JaskaGo,’ is a Go-based cross-platform infostealer with a macOS build. Equipped with anti-analysis and virtual machine detection, ad hoc code signatures, and the ability to disable Gatekeeper using admin privileges, CherryPie presents a formidable threat.
Concluding Thoughts
While Apple’s prompt update of XProtect signatures in December 2023 proved effective against earlier versions, detection results on platforms like VirusTotal indicate that gaps remain.
Relying solely on static detection mechanisms proves inadequate and potentially risky. A more dynamic and adaptable approach should include anti-malware software with advanced dynamic or heuristic analysis capabilities. This is especially true when it comes to macOS infostealers.
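To make the static-versus-behavioural point concrete, here is an added example (not code from the SentinelOne report, nor Apple's XProtect) that runs a hash-based signature check and a small set of behavioural rules over constructed process-execution events. The hashes, file paths, process tree and rule indicators are all hypothetical: the rules only mirror the behaviours the article attributes to these stealers (Gatekeeper disabled via spctl, clear-text AppleScript touching Keychain material, Terminal prevented from running). A recompiled build of the same sample slips past the hash list but is still caught when its children exhibit two or more of those behaviours.

```python
"""Signature vs. behavioural triage over constructed macOS process events.

Added example; not the report's or XProtect's code. Every hash, path,
command line and rule indicator below is constructed for illustration.
"""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-execution record, in the shape an EDR sensor might emit."""
    pid: int
    ppid: int      # parent process id
    image: str     # path of the executable image
    cmdline: str   # full command line as executed
    sha256: str    # hash of the executable image


def fake_hash(label: str) -> str:
    """Constructed stand-in for a sample hash (not a real IoC)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Static layer: a hash list standing in for an XProtect-style signature set.
KNOWN_BAD_SHA256 = {fake_hash("constructed-stealer-build-1")}

# Behavioural layer: (rule name, predicate over one event). Indicators are
# hypothetical and only echo behaviours the article describes.
BEHAVIOUR_RULES = [
    # CherryPie-style: Gatekeeper switched off with admin rights
    ("gatekeeper_disable",
     lambda e: re.search(r"\bspctl\b.*--master-disable", e.cmdline) is not None),
    # Atomic-Stealer-style: clear-text AppleScript that references Keychain
    ("cleartext_applescript_keychain",
     lambda e: e.image.endswith("/osascript") and " -e " in e.cmdline
     and "keychain" in e.cmdline.lower()),
    # Atomic-Stealer-style: Terminal prevented from running alongside the stealer
    ("terminal_kill",
     lambda e: re.search(r"\bkillall\b.*\bTerminal\b", e.cmdline) is not None),
]


def signature_match(event: ProcessEvent) -> bool:
    """Static layer: exact hash lookup; any recompilation defeats it."""
    return event.sha256 in KNOWN_BAD_SHA256


def behaviour_matches(event: ProcessEvent) -> list:
    """Behavioural layer: names of every rule this single event satisfies."""
    return [name for name, pred in BEHAVIOUR_RULES if pred(event)]


def triage(events) -> dict:
    """Correlate per process: a process is judged by its own image hash and
    by the distinct behaviours its children exhibit (keyed by ppid)."""
    report = defaultdict(lambda: {"signature": False, "behaviours": set()})
    for e in events:
        if signature_match(e):
            report[e.pid]["signature"] = True
        for name in behaviour_matches(e):
            report[e.ppid]["behaviours"].add(name)
    return dict(report)


def verdict_for(report: dict, pid: int, min_behaviours: int = 2) -> str:
    """Static hit wins outright; otherwise require several distinct behaviours
    so that a single admin command (e.g. a legitimate osascript run) is not
    enough to flag a process."""
    entry = report.get(pid, {"signature": False, "behaviours": set()})
    if entry["signature"]:
        return "known-malware"
    if len(entry["behaviours"]) >= min_behaviours:
        return "suspicious-behaviour"
    return "clean"


# Constructed event stream: one signed-for build, one recompiled build with
# identical behaviour, and benign admin activity that shares the same tools.
EVENTS = [
    ProcessEvent(101, 1, "/Users/demo/Downloads/ChatGPT", "./ChatGPT",
                 fake_hash("constructed-stealer-build-1")),
    ProcessEvent(201, 1, "/Users/demo/Downloads/ChatGPT", "./ChatGPT",
                 fake_hash("constructed-stealer-build-2")),
    ProcessEvent(202, 201, "/usr/bin/osascript",
                 "osascript -e 'set target to \"login.keychain\"'", fake_hash("osascript")),
    ProcessEvent(203, 201, "/usr/sbin/spctl", "spctl --master-disable", fake_hash("spctl")),
    ProcessEvent(204, 201, "/usr/bin/killall", "killall Terminal", fake_hash("killall")),
    ProcessEvent(301, 50, "/usr/bin/osascript",
                 "osascript /Users/demo/Scripts/backup.scpt", fake_hash("osascript")),
    ProcessEvent(302, 50, "/usr/sbin/spctl", "spctl --status", fake_hash("spctl")),
]

if __name__ == "__main__":
    report = triage(EVENTS)
    for pid in (101, 201, 50):
        print(pid, verdict_for(report, pid), sorted(report.get(pid, {}).get("behaviours", [])))
```

Build 1 is caught by the hash alone; build 2 has a different hash and would pass a purely static scanner, but its children trip all three behavioural rules and the correlated verdict is still suspicious. The benign Terminal session (pid 50) uses osascript and spctl without matching any rule. The `min_behaviours` threshold is the knob that trades false positives against coverage, which is exactly the judgement a heuristic engine has to make and a signature list never does.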