MacOS devices are being hit by new malware strains - and they're able to quickly evolve to avoid detection

News
By published

The tug-of-war between hackers and Apple continues at pace

Data Breach
Image Credit: Shutterstock (Image credit: Shutterstock)

Hackers are developing infostealing malware for macOS at such pace that Apple can’t keep up. As a result, multiple variants frequently move past macOS’ anti-malware system, XProtect, and steal sensitive data from compromised endpoints. 

This is according to a new report from cybersecurity researchers SentinelOne, which gave three examples: KeySteal, Atomic Stealer, and CherryPie. KeySteal is an infostealing malware first spotted in 2021, which has evolved significantly since then. It is designed to steal information from Keychain, macOS’ native password manager where users can store credentials, private keys, notes, and more.

Last time Apple updated its signature for KeySteal was roughly a year ago, in February 2023, but the malware has undergone such a dramatic change since then that XProtect no longer detects it. Its only weakness, at the moment, is the hardcoded command & control (C2) server address, but the researchers believe the developers will address this soon, as well. 

Reader Offer: Save up to 68% on Aura identity theft protection

Reader Offer: Save up to 68% on Aura identity theft protection
TechRadar editors praise Aura's upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal. Save up to 50% today. 

 Preferred partner (What does this mean?) 

View Deal

Inadequate static detection

Atomic Stealer, on the other hand, was first spotted in May 2023, and even though Apple updated XProtect’s signature in early January this year, some variants are still moving past it. Also known as AMOS, this infostealer is capable of more than just grabbing Keychain data, it steals information from the majority of popular browsers (passwords, credit card data, etc.), as well as cryptocurrency wallets. It can also steal website cookies to bypass passwords and multi-factor authentication.

Finally, CherryPie (sometimes referred to as Gary Stealer, or JaskaGo) was first seen in early September last year. The majority of its variants get picked up by XProtect, but the researchers still say it’s far from ideal. 

The moral of the story, according to SentinelOne, is that organizations and consumers alike should not rely solely on static detection for security. A more robust approach is needed, one which includes antivirus software featuring advanced dynamic or heuristic analysis abilities. 

Via BleepingComputer

More from TechRadar Pro

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A person in a wheelchair working at a computer.
Why betting on Mac security could put your organization at risk
Ransomware
Microsoft spies a new and worrying macOS malware strain
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Illustration of a laptop with a magnifying glass exposing a beetle on-screen
This devious macOS malware is evading capture by using Apple's own encryption
Image of laptop infected with malware threat
This devious new macOS malware disguises itself as Chrome, Zoom installers
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
These fake macOS updates are actually just looking to spread malware
Latest in Security
Lock on Laptop Screen
Data breach at Pennsylvania education union potentially exposes 500,000 victims
An American flag flying outside the US Capitol building against a blue sky
Five Eyes "cannot replace US intel in Ukraine", claims former US Cyber Command Chief
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Criminals are using a virtual hard disk image file to host and distribute dangerous malware
WordPress on a laptop
Over 20,000 WordPress sites hit by damaging malware campaign
Trojan
WhatsApp patches security flaw which let hackers install spyware
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
A worrying Apple Password App vulnerability reportedly left users exposed for months
Latest in News
Quordle on a smartphone held in a hand
Quordle hints and answers for Friday, March 21 (game #1152)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Friday, March 21 (game #383)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Friday, March 21 (game #649)
The ASSC Assassin's Creed collection.
The Assassin's Creed x Anti Social Social Club drop includes gaming merch that I wouldn't be embarrassed to wear
Lock on Laptop Screen
Data breach at Pennsylvania education union potentially exposes 500,000 victims
Boston Dynamics all electric Altas
This robot can do a cartwheel better than me and now I'm freaking out – but in a good way
More about security
Lock on Laptop Screen

Data breach at Pennsylvania education union potentially exposes 500,000 victims
Trojan

WhatsApp patches security flaw which let hackers install spyware
Amazon cheap tech gadgets under $50

Amazon's latest sale is filled with cheap tech gadgets: here are 16 deals I'd buy under $50
See more latest
Most Popular
The ASSC Assassin's Creed collection.
The Assassin's Creed x Anti Social Social Club drop includes gaming merch that I wouldn't be embarrassed to wear
Quordle on a smartphone held in a hand
Quordle hints and answers for Friday, March 21 (game #1152)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Friday, March 21 (game #383)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Friday, March 21 (game #649)
Living room with Microsoft Xbox Series X (L) and Sony PlayStation 5 home video game consoles alongside a television and soundbar, taken on November 3, 2020.
The PS5 is currently selling faster than the PS4 did in the US, but I'm surprised to discover that the Xbox Series X and S are trailing behind Xbox One
Lock on Laptop Screen
Data breach at Pennsylvania education union potentially exposes 500,000 victims
Samsung Galaxy Tab S9 FE Plus on a desk showing the rear of the device from above
The Samsung Galaxy Tab S10 FE could be a powerful iPad Air rival, based on the latest specs rumors
Trojan
WhatsApp patches security flaw which let hackers install spyware
God of War 20th anniversary vinyl box set.
The God of War 20th anniversary vinyl box set features 13 discs and 150 remastered songs
Boston Dynamics all electric Altas
This robot can do a cartwheel better than me and now I'm freaking out – but in a good way