Increasingly sophisticated infostealers are targeting macOS with the capability to evade Apple's built-in malware protection, as attackers are becoming more savvy about how to crack static signature-detection engines like the platform's proprietary XProtect.
KeySteal, Atomic Infostealer, and CherryPie are three active stealers that can currently get past various detection engines - with variants of the first two currently evading macOS's XProtect, researchers from SentinelOne revealed in a blog post this week.
XProtect is macOS's built-in antivirus technology that scans downloaded files and apps for known malware signatures, removing any offending files.
There has been a rise of info-stealing malware targeting the macOS platform since early last year, and this trend already is off to a flying start in 2024 as attackers are evolving as quickly as defenders to evade new detection methods, according to SentinelOne.
Stealers Evade XProtect All three stealers outlined by SentinelOne have been previously identified but continue to evolve with new variants that show the sophisticated evasion capabilities.
KeySteal, first observed in 2021 by Trend Micro, has evolved significantly since it was first detected, and even since Apple added a signature nearly a year ago to XProtect to pick up the malware.
At this point the malware has changed so much that XProtect no longer can detect current versions.
Malware authors also now have modified the code to steal macOS keychain information and drop persistence components in various system locations.
One factor that remains consistent between the early and current iterations of KeySteal is the hardcoded command-and-control, which could help give threat hunters and static detections a clue in how to find it, he added.
Atomic Stealer also has evolved since it was identified last year, with SentinelOne currently observing various iterations in the wild.
While XProtect previously picked up a Go version of Atomic Stealer, SentinelOne has observed new variations written in C++ that the detection engine can't pick up, which also has low detection scores on VirusTotal.
The variant includes logic to prevent victims, analysts, or malware sandboxes from running the terminal at the same time as the stealer, and also checks to see if the malware is being run inside a virtual machine.
The new samples use hardcoded AppleScript in clear text rather than obfuscate the code, which already is a deviation from versions that appeared earlier this month.
Dmg file format, the researchers believe distribution of active Atomic Stealer variants likely comes through torrents or gaming-focused social media platforms.
CherryPie Denied by XProtect Despite recent updates, a third stealer called CherryPie still finds itself blocked by macOS XProtect, but other static-detection engines aren't faring as well against it, the researchers found.
The same malware also was identified as JaskaGo by AT&T Labs in December.
A recent sample of CherryPie - a cross-platform Windows/macOS stealer written in Go - remains undetected on VirusTotal until now, Stokes said.
Some versions of CherryPie that the researchers observed also use the legitimate open source Wails project to wrap their malicious code into an application bundle, Stokes added.
Protecting macOS Against Stealers Though historically macOS has been considered a relatively secure technology platform due to its proprietary nature, attackers' concerted efforts to target it have found more success in recent years.
Organized threat groups - some in particular from North Korea - have introduced new malware built specifically for the platform, with stealers being an especially popular way for attackers to hack macOS. This continued assault on the platform means macOS defenders need to remain vigilante and Apple also needs to stay on top of threats to ensure XProtect can block them, Stokes said.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 17 Jan 2024 16:20:13 +0000