macOS devices are being hit by new types of malware that evolve quickly to avoid detection

Hackers are developing information-stealing malware for macOS at such a pace that Apple can’t keep up. As a result, multiple variants often bypass macOS’s anti-malware system, XProtect, and steal sensitive data from compromised endpoints.

This is evident from a new report by cybersecurity researchers at SentinelOne, which gives three examples: KeySteal, Atomic Stealer and CherryPie. KeySteal is an information-stealing malware that was first noticed in 2021 and has evolved significantly since then. It is designed to steal information from Keychain, macOS's native password manager, where users can store login credentials, private keys, notes, and more.

The last time Apple updated its signature for KeySteal was about a year ago, in February 2023, but the malware has changed so dramatically since then that XProtect no longer detects it. The only thing still giving it away at the moment is its hardcoded command and control (C2) server address, but the researchers believe the developers will address this soon as well.

Insufficient static detection

Atomic Stealer, on the other hand, was first spotted in May 2023, and although Apple updated XProtect's signature in early January this year, some variants still slip past it. Also known as AMOS, this infostealer collects more than just Keychain data. It steals information from most popular browsers (passwords, credit card details, etc.), as well as cryptocurrency wallets. It can also steal website cookies, which lets an attacker bypass passwords and multi-factor authentication by reusing an existing session.

Finally, CherryPie (also known as Gary Stealer or JaskaGo) was first spotted in early September last year. The majority of its variants are picked up by XProtect, but the researchers still say this is far from ideal.

The moral of the story, according to SentinelOne, is that organizations and consumers alike should not rely solely on static detection for security. A more robust approach is needed, which includes antivirus software with advanced dynamic or heuristic analysis capabilities.

Via BleepingComputer
