Information stealers targeting macOS are growing more sophisticated. Their authors have become adept at evading static signature-detection engines such as Apple's built-in XProtect, which makes the malicious programs harder to detect.
Three stealers are currently active, KeySteal, Atomic Infostealer, and CherryPie, and all three have been able to get past multiple detection engines. Variants of the first two currently evade XProtect, SentinelOne researchers revealed in a blog post earlier this week.
XProtect is the antivirus program built into macOS: it scans downloaded files and apps for known malware signatures and removes any that match.
Information stealers targeting macOS have multiplied since the beginning of 2023, with many threat actors actively going after Apple devices.
A great many versions of Atomic Stealer, macOS MetaStealer, RealStealer, and others have been discovered in the past year. Apple has updated XProtect's signature database in response, which shows it has taken steps to keep these stealers from getting their hands dirty.
The threat actors, for their part, keep evolving their malware to evade the known signatures.
Although Apple updates the tool's malware database continuously, SentinelOne says the malware slips past it almost immediately, because the authors answer each new signature just as quickly.
Many stealers bypass it in a matter of seconds, hiding in the very downloaded files and apps it scans.
SentinelOne's report cites KeySteal as its first example; the malware has evolved significantly since it was first reported in 2021.
It is currently distributed as an Xcode-built Mach-O binary named either 'UnixProject' or 'ChatGPT', and it attempts to establish persistence and steal Keychain data, including the credentials and private keys stored there.
Keychain is where macOS users securely store credentials, private keys, certificates, and notes.
SentinelOne's report states that, since its emergence in 2021, KeySteal has been improved both to ensure persistence and Keychain theft and to avoid detection by XProtect and other antivirus engines, even though Apple updated its XProtect signature last February.
A researcher also notes that KeySteal's operators could adopt a rotation mechanism to work around the limitations of the application's hard-coded command-and-control addresses. There is some good news: Apple updated its XProtect signatures for CherryPie in early December 2023, and that update has held up well on new versions of the OS as well.
Detection on VirusTotal, however, has not always been as consistent as on other security products. As the above shows, malware authors are continuously developing programs intended to evade detection, and this game of whack-a-mole is becoming more complex and more dangerous for both users and operating-system vendors.
Relying on static detection alone to secure your systems is inadequate, and potentially dangerous. Antivirus software with heuristic or dynamic analysis capabilities should be part of a comprehensive approach if the result is to be robust.
A comprehensive cybersecurity strategy should also include vigilant monitoring of network activity, firewalls, and prompt installation of the latest security updates.
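As an added illustration of the behaviour-based detection the last two paragraphs recommend (example code, not from the page or from SentinelOne's report): the script scores constructed endpoint telemetry by what a process does, Keychain reads, LaunchAgent persistence writes and outbound connections, so a rebuilt binary under a new name scores the same as the old one. The event format, the telemetry sample and the rule weights are assumptions for this example.

```python
"""Behaviour-based triage of constructed macOS endpoint telemetry.

Scores a process by its actions rather than by file hash or by a name
such as 'UnixProject' or 'ChatGPT', so a repacked variant still scores.
Event format, weights and threshold are assumptions for this example.
"""
import re
from collections import defaultdict

# Behaviours matching the KeySteal description: Keychain theft, persistence,
# C2 traffic. Weights are illustrative, not a tuned product ruleset.
RULES = [
    ("keychain_read", "file_open",  re.compile(r"/Library/Keychains/.*\.keychain(-db)?$"), 3),
    ("launchagent",   "file_write", re.compile(r"/Library/LaunchAgents/.*\.plist$"), 2),
    ("outbound_conn", "connect",    re.compile(r"^(?!(127\.|::1)).+"), 1),
]
ALERT_THRESHOLD = 5  # keychain read plus persistence write reaches it on their own

def score_events(events):
    """events: iterable of (pid, process_name, event_type, target).
    Returns {pid: {"name": str, "score": int, "behaviours": [labels]}}.
    Each behaviour counts once per process, however often it repeats."""
    procs = defaultdict(lambda: {"name": "", "score": 0, "behaviours": []})
    for pid, name, etype, target in events:
        rec = procs[pid]
        rec["name"] = name
        for label, wanted_type, pattern, weight in RULES:
            if etype == wanted_type and pattern.search(target) and label not in rec["behaviours"]:
                rec["behaviours"].append(label)
                rec["score"] += weight
    return dict(procs)

def alerts(events, threshold=ALERT_THRESHOLD):
    """Return the pids whose combined behaviour score reaches the threshold."""
    return sorted(pid for pid, rec in score_events(events).items() if rec["score"] >= threshold)

# Constructed sample telemetry (not real captures): the same behaviour under
# two different process names, and a benign editor that only reads a document.
SAMPLE_EVENTS = [
    (501, "ChatGPT", "file_open", "/Users/alice/Library/Keychains/login.keychain-db"),
    (501, "ChatGPT", "file_write", "/Users/alice/Library/LaunchAgents/com.example.agent.plist"),
    (501, "ChatGPT", "connect", "203.0.113.10:443"),
    (777, "UnixProject", "file_open", "/Users/alice/Library/Keychains/login.keychain-db"),
    (777, "UnixProject", "file_write", "/Users/alice/Library/LaunchAgents/com.example.helper.plist"),
    (900, "TextEdit", "file_open", "/Users/alice/Documents/notes.txt"),
    (900, "TextEdit", "connect", "203.0.113.20:443"),
]

if __name__ == "__main__":
    scored = score_events(SAMPLE_EVENTS)
    for pid in alerts(SAMPLE_EVENTS):  # prints pids 501 and 777, not 900
        rec = scored[pid]
        print(f"ALERT pid={pid} name={rec['name']} score={rec['score']} behaviours={rec['behaviours']}")
```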