Sophisticated macOS Infostealers Get Past Apple's Built-In Detection

Increasingly sophisticated infostealers are targeting macOS with the capability to evade Apple's built-in malware protection, as attackers are becoming more savvy about how to crack static signature-detection engines like the platform's proprietary XProtect.

KeySteal, Atomic Infostealer, and CherryPie are three active stealers that can currently get past various detection engines — with variants of the first two currently evading macOS's XProtect, researchers from SentinelOne revealed in a blog post this week. XProtect is macOS's built-in antivirus (AV) technology that scans downloaded files and apps for known malware signatures, removing any offending files.

Indeed, there has been a rise of info-stealing malware targeting the macOS platform since early last year, and this trend already is off to a flying start in 2024 as attackers are evolving as quickly as defenders to evade new detection methods, according to SentinelOne.

"Recent updates to macOS's XProtect signature database indicate that Apple are aware of the problem, but early 2024 has already seen a number of stealer families evade known signatures," SentinelOne threat researcher Phil Stokes wrote in the post.

Stealers Evade XProtect

All three stealers outlined by SentinelOne have been previously identified but continue to evolve with new variants that show the sophisticated evasion capabilities.

KeySteal, first observed in 2021 by Trend Micro, has evolved significantly since it was first detected, and even since Apple added a signature nearly a year ago to XProtect to pick up the malware. At this point the malware has changed so much that XProtect no longer can detect current versions.

Originally, KeySteal appeared in.pkg format with an embedded macOS utility called "ReSignTool" — a legitimate open source application for signing and bundling apps for distribution on iOS devices.

The latest versions of KeySteal no longer use the ReSign tool and instead appear in multi-architecture Mach-O binaries with names such as "UnixProject" and "ChatGPT," though how the infostealer is being distributed is unclear at this time, Stokes said. Malware authors also now have modified the code to steal macOS keychain information and drop persistence components in various system locations.

One factor that remains consistent between the early and current iterations of KeySteal is the hardcoded command-and-control (C2), which could help give threat hunters and static detections a clue in how to find it, he added.

Atomic Stealer also has evolved since it was identified last year, with SentinelOne currently observing various iterations in the wild. This indicates "completely different development chains rather than one core version that is being updated," Stokes wrote.

While XProtect previously picked up a Go version of Atomic Stealer, SentinelOne has observed new variations written in C++ that the detection engine can't pick up, which also has low detection scores on VirusTotal.

The variant includes logic to prevent victims, analysts, or malware sandboxes from running the terminal at the same time as the stealer, and also checks to see if the malware is being run inside a virtual machine (VM). Moreover, the new samples use hardcoded AppleScript in clear text rather than obfuscate the code, which already is a deviation from versions that appeared earlier this month.

With names such as "CrackInstaller" and "Cozy World Launcher" and its .dmg file format, the researchers believe distribution of active Atomic Stealer variants likely comes through torrents or gaming-focused social media platforms.

CherryPie Denied by XProtect

Despite recent updates, a third stealer called CherryPie (aka Gary Stealer) still finds itself blocked by macOS XProtect, but other static-detection engines aren't faring as well against it, the researchers found. The same malware also was identified as JaskaGo by AT&T Labs in December.

A recent sample of CherryPie — a cross-platform Windows/macOS stealer written in Go — remains undetected on VirusTotal until now, Stokes said.

Though the sample contains extensive logic for anti-analysis and VM detection, its authors appear to be hiding the malware in plain sight, "having left obvious strings embedded in the malware to indicate both its purpose (stealer) and its intent (malicious)," he wrote.

Some versions of CherryPie that the researchers observed also use the legitimate open source Wails project to wrap their malicious code into an application bundle, Stokes added.

Protecting macOS Against Stealers

Though historically macOS has been considered a relatively secure technology platform due to its proprietary nature, attackers' concerted efforts to target it have found more success in recent years. Organized threat groups — some in particular from North Korea — have introduced new malware built specifically for the platform, with stealers being an especially popular way for attackers to hack macOS.

This continued assault on the platform means macOS defenders need to remain vigilante and Apple also needs to stay on top of threats to ensure XProtect can block them, Stokes said.

"The continued prevalence and adaptation of macOS infostealers … underscores the ongoing challenges facing macOS enterprise users," he wrote. "Despite solid efforts by Apple to update its XProtect signature database, these rapidly evolving malware strains continue to evade."