Hackers are developing data-stealing malware for macOS at such a pace that Apple can't keep up. As a result, multiple variants frequently bypass macOS's anti-malware system, XProtect, and steal sensitive data from compromised endpoints.
This is according to a new report from cybersecurity researchers at SentinelOne, which gave three examples: KeySteal, Atomic Stealer, and CherryPie. KeySteal is information-stealing malware first detected in 2021 that has evolved significantly since then. It is designed to steal data from Keychain, macOS's native password manager, where users store credentials, private keys, notes, and more.
The last time Apple updated its XProtect signature for KeySteal was about a year ago, in February 2023, but the malware has changed so dramatically since then that XProtect no longer detects it. The one thing that still gives it away, for now, is a hard-coded command-and-control (C2) server address, but the researchers expect its developers to change that soon as well.
Inadequate static detection
Atomic Stealer, on the other hand, was first detected in May 2023, and although Apple updated the XProtect signature in early January this year, some variants still evade it. Also known as AMOS, this information stealer does more than capture Keychain data: it steals information from the most popular browsers (passwords, credit card data, etc.) as well as from cryptocurrency wallets. It can also steal website cookies, which lets an attacker bypass passwords and multi-factor authentication by reusing an existing session.
Finally, CherryPie (sometimes referred to as Gary Stealer or JaskaGo) was first seen in early September of last year. XProtect detects most of its variants, but the researchers say coverage is still far from ideal.
The moral of the story, according to SentinelOne, is that neither organizations nor consumers should rely solely on static signature detection for security. A more robust approach is needed, including security software with dynamic or heuristic scanning that judges what a program does rather than what its bytes look like.
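To make that contrast concrete, here is an added example (not code from SentinelOne's report or the article) that compares an exact-hash signature, which a single-byte change in a new variant defeats, with a behavioural rule run over a constructed process-event log; the store paths, the owner mapping and the flagging threshold are assumptions for the example, and the user name and binaries are constructed.

```python
import hashlib
from collections import defaultdict

# --- Static detection: an exact-hash signature for one known sample ----------
KNOWN_BAD_HASHES = set()

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def static_match(sample: bytes) -> bool:
    return sha256(sample) in KNOWN_BAD_HASHES

# Constructed stand-in for a stealer binary; the "variant" differs by one token,
# which is enough to give it a new hash and escape the signature.
ORIGINAL_SAMPLE = b"\xcf\xfa\xed\xfe stealer build 1"
VARIANT_SAMPLE = ORIGINAL_SAMPLE.replace(b"build 1", b"build 2")
KNOWN_BAD_HASHES.add(sha256(ORIGINAL_SAMPLE))

# --- Behavioural detection: judge what a process does, not what its bytes are ---
# Sensitive stores mapped to the application that legitimately owns them.
# Paths and owners are assumptions for this example (user "alice" is constructed).
SENSITIVE_STORES = {
    "/Users/alice/Library/Keychains/login.keychain-db": "keychain",
    "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data": "chrome",
    "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies": "chrome",
}

def behavioural_match(events):
    """events: (pid, kind, detail) tuples, kind 'open' (detail=path) or 'connect'
    (detail=host). A pid is flagged when it reads stores owned by two or more
    different applications AND opens an outbound connection, so a browser that
    reads only its own files is not flagged."""
    owners = defaultdict(set)
    connects = set()
    for pid, kind, detail in events:
        if kind == "open" and detail in SENSITIVE_STORES:
            owners[pid].add(SENSITIVE_STORES[detail])
        elif kind == "connect":
            connects.add(pid)
    return sorted(pid for pid in connects if len(owners[pid]) >= 2)

# Constructed event log: pid 1001 is Chrome using its own files; pid 4242 reads
# the Keychain and Chrome's credential store, then talks to an outside host.
EVENTS = [
    (1001, "open", "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"),
    (1001, "connect", "www.example.com"),
    (4242, "open", "/Users/alice/Library/Keychains/login.keychain-db"),
    (4242, "open", "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"),
    (4242, "connect", "c2.example.invalid"),
]
```

In a real deployment the event source would be an endpoint sensor (on macOS, Endpoint Security framework events) and the rule would also weigh the process's code signature, since the same file reads are legitimate for the application that owns the store.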
Via BleepingComputer