January 17, 2024 at 11:26AM
Info-stealers like KeySteal, Atomic Infostealer, and CherryPie are increasingly targeting macOS by evading Apple’s built-in malware protection. These sophisticated stealers have evolved with new variants that can bypass detection engines, such as macOS’s XProtect. Even with recent updates, these malware strains pose a continued threat, necessitating ongoing vigilance from macOS defenders and Apple’s security measures.
The main takeaways are:
1. Increasingly sophisticated infostealers are targeting macOS and are becoming more capable of evading Apple’s built-in malware protection, such as XProtect.
2. KeySteal, Atomic Infostealer, and CherryPie are three active stealers that can get past various detection engines, with variants of the first two currently evading macOS’s XProtect.
3. KeySteal has evolved significantly since its first detection and has changed to the extent that XProtect can no longer detect current versions.
4. Atomic Stealer has evolved into various iterations in the wild, making it difficult for XProtect to pick up. It also includes logic to hinder detection and checks whether it is running inside a virtual machine.
5. CherryPie, a cross-platform Windows/macOS stealer, remains blocked by macOS XProtect but is not faring as well against other static-detection engines.
6. Attackers are introducing new malware built specifically for macOS, highlighting the ongoing challenges facing macOS enterprise users and the need for vigilance from defenders and continuous efforts from Apple to update XProtect to block evolving threats.
These takeaways emphasize the evolving nature of infostealers targeting macOS and the need for continued adaptation and vigilance from both defenders and Apple to protect against these rapidly evolving malware strains.