Rewterz Threat Alert – Info-Stealers Evolve to Evade Built-In MacOS XProtect Detection – Active IOCs

Severity

High

Analysis Summary

Various information stealers designed to target the macOS platform have evolved to the point where they have developed the capability to evade detection of macOS’s built-in anti-malware system, XProtect, even when security companies frequently report new malware variants.

XProtect runs in the background and scans downloaded files and apps for known malware signatures. Researchers have uncovered three notable malware that can evade XProtect. Despite the continuous updating of the security tool’s malware database by Apple, info-stealers are still able to bypass it constantly due to the malware developers responding quickly.

The first malware is KeySteal which was discovered in 2021 and has evolved significantly since then. It is currently spread as an Xcode-built Mach-O binary called ‘UnixProject’ or ‘ChatGPT’. It attempts to establish persistence and steal Keychain information. Keychain is macOS’s built-in password management system that is used as a secure storage for private keys, credentials, notes, and certificates.  The signature for KeySteal was last updated by Apple in February 2023, but the stealer malware has received many updates since then which makes it unable to be detected by XProtect and most other anti-virus solutions. The only current weakness the malware has is using hardcoded command-and-control (C2) addresses, but it is believed that KeySteal will soon implement a rotation mechanism.

The second malware notable for its evasion techniques is Atomic Stealer, which was first uncovered in May 2023 as a novel Go-based stealer. The latest update to XProtect’s signatures and detection rules was this month, but researchers report that there are already new malware variants that are evading detection. The newest Atomic Stealer version has replaced code obfuscation with cleartext AppleScript that exposes its logic used for stealing data, includes anti-virtual machine checks, and prevents the Terminal from being executed alongside it.

The third example used by the researchers is CherryPie (aka Gary Stealer or JaskaGo), first spotted in the wild in September 2023. This is another Go-based malware with cross-platform features and the ability for anti-analysis and virtual machine detection, ad hoc signatures, Wails wrapping, and a system that can disable Gatekeeper by using admin privileges. Fortunately, Apple updated its XProtect signatures for CherryPie at the start of December 2023 which can detect even the newer versions of the malware. However, other security products still struggle with detecting it.

The constant development of malware with the aim of detection evasion makes the malware very risky for operating system vendors as well as users. Relying on just a static detection for security is risky with the continuous advancement of malware and a better approach is required that should make antivirus software have dynamic capabilities. In addition to that, vigilant monitoring of network traffic, consistently applying the latest security patches, and implementing firewalls is now very essential to keep systems secure.

Impact

• Sensitive Information Theft
• Security Bypass

Indicators of Compromise

MD5

• 93e0911f473c6422c488f0ae959b0562
• 00e0b254e6fc68f4c4219648c3b06314
• 362150e9ae9f14d3df4bea25f282ee1a
• 5a3aa7a9f2b354d755fab6999ea77afc
• 7b3de353a98fad9e7e35ade0f4d87f61
• 7b33086c6d508b025d0a9438b0c8195e
• c1e0870ad2f96a6f895fab8daa4c46ab
• 1dfad046a2b285fa6f316419ed905919
• 996862edc22657056e59efffdf13da45
• 97dfcba1e00d2f2fb08ed2b5ec228c95
• b53fe5f94c2317a79b1150bbed05c478
• f4253dcd1f1fe006f0081e237378265c

SHA-256

• 9d0d179e56d5bdecdfd4eb112a883a45b82d055f366d4559a80c627d6dbe4b8d
• fc7d996d386e85de91f389334915e0cedd05b8e3213d0ecaf18b43947c005b91
• 52ec40b4346ab50742790c07d704608b6ad5de91402cd2751075290efb2253dc
• 2654310996c06e12a397e6dfb50e2c57f1ae83407f651e6957e11f5d46cab6af
• 6336da7425c3788f85bddc4426a2dc3307d5fbc363558e4ebadbb775dfcb0ba5
• 658efdfac22c2248c6c10289f0e83d3484e52a8edbad6d4bbbe1b75de9a730e2
• 94c5954c3c7e700c010d7fe3d68036c0946300f263af616be000b26c4dadd0a6
• 5dc7fbd6d80ce14aa3c8d114ec4624cde71ebb1accd6da8c907903a573ac32b0
• 5585a0b45dc373696a3636014c8b3a2fb4ca8aa7d7179b3cb57d4d61cf787cd9
• 6cdda60ffbc0e767596eb27dc4597ad31b5f5b4ade066f727012de9e510fc186
• 17abde02a70482368bedb932f792b2b4064c4747c52662d855701651aa5fc7c7
• 207b5ee9d8cbff6db8282bc89c63f85e0ccc164a6229c882ccdf6143ccefdcbc

SHA-1

• 95d775b68f841f82521d516b67ccd4541b221d17
• f75a06398811bfbcb46bad8ab8600f98df4b38d4
• 1b90ea41611cf41dbfb2b2912958ccca13421364
• 2387336aab3dd21597ad343f7a1dd5aab237f3ae
• 8119336341be98fd340644e039de1b8e39211254
• 973cab796a4ebcfb0f6e884025f6e57c1c98b901
• b30b01d5743b1b9d96b84ef322469c487c6011c5
• df3dec7cddca02e626ab20228f267ff6caf138ae
• 04cbfa61f2cb8daffd0b2fa58fd980b868f0f951
• 6a5b603119bf0679c7ce1007acf7815ff2267c9e
• 72dfb718d90e8316135912023ab933faf522e78a
• 85dd9a80feab6f47ebe08cb3725dea7e3727e58f

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Be vigilant when downloading software and double-check the URL to see if it is legitimate.
• Never download software from untrusted sources.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.