Hackers are developing infostealing malware for macOS at such pace that Apple can’t keep up. As a result, multiple variants frequently move past macOS’ anti-malware system, XProtect, and steal sensitive data from compromised endpoints.
This is according to a new report from cybersecurity researchers SentinelOne, which gave three examples: KeySteal, Atomic Stealer, and CherryPie. KeySteal is an infostealing malware first spotted in 2021, which has evolved significantly since then. It is designed to steal information from Keychain, macOS’ native password manager where users can store credentials, private keys, notes, and more.
Last time Apple updated its signature for KeySteal was roughly a year ago, in February 2023, but the malware has undergone such a dramatic change since then that XProtect no longer detects it. Its only weakness, at the moment, is the hardcoded command & control (C2) server address, but the researchers believe the developers will address this soon, as well.
Inadequate static detection
Atomic Stealer, on the other hand, was first spotted in May 2023, and even though Apple updated XProtect’s signature in early January this year, some variants are still moving past it. Also known as AMOS, this infostealer is capable of more than just grabbing Keychain data, it steals information from the majority of popular browsers (passwords, credit card data, etc.), as well as cryptocurrency wallets. It can also steal website cookies to bypass passwords and multi-factor authentication.
Finally, CherryPie (sometimes referred to as Gary Stealer, or JaskaGo) was first seen in early September last year. The majority of its variants get picked up by XProtect, but the researchers still say it’s far from ideal.
The moral of the story, according to SentinelOne, is that organizations and consumers alike should not rely solely on static detection for security. A more robust approach is needed, one which includes antivirus software featuring advanced dynamic or heuristic analysis abilities.
Via BleepingComputer