Macos Info Stealers Quickly Evolve To Evade Xprotect Detection

Hand reaching through a computer display

Multiple information stealers for the macOS platform have demonstrated the capability to evade detection even when security companies follow and report about new variants frequently.

A report by SentinelOne highlights the problem through three notable malware examples that can evade macOS’s built-in anti-malware system, XProtect.

XProtect works in the background while scanning downloaded files and apps for known malware signatures.

Despite Apple constantly updating the tool’s malware database, SentinelOne says info-stealers bypass it almost instantly thanks to the quick response of the malware authors.

Evading XProtect

The first example in SentinelOne’s report is KeySteal, a malware first documented in 2021, which has evolved significantly since then.

Currently, it is distributed as an Xcode-built Mach-O binary, named ‘UnixProject’ or ‘ChatGPT,’ and attempts to establish persistence and steal Keychain information.

Keychain is macOS’s native password management system serving as a secure storage for credentials, private keys, certificates, and notes.

KeySteal masqueraded as a ChatGPT app
KeySteal masqueraded as a ChatGPT app (SentinelOne)

Apple last updated its signature for KeySteal in February 2023, but the malware has received enough changes since then to pass undetected by XProtect and most AV engines.

Its only current weakness is using hardcoded command and control (C2) addresses, but SentinelOne believes it’s only a matter of time before KeySteal’s creators implement a rotation mechanism.

The next malware highlighted as an example of evasion is Atomic Stealer, first documented by SentinelOne in May 2023 as a new Go-based stealer and revisited by Malwarebytes in November 2023.

Apple last updated XProtect’s signatures and detection rules this month, but SentinelOne reports already observing C++ variants that can evade detection.

The latest Atomic Stealer version has replaced code obfuscation with cleartext AppleScript that exposes its data-stealing logic, includes anti-VM checks, and prevents executing the Terminal alongside it.

Auto-shutting the tTerminal
Auto-shutting the Terminal (SentinelOne)

The third example in the report is CherryPie, also known as ‘Gary Stealer’ or ‘JaskaGo,’ first seen in the wild on September 9, 2023.

The Go-based cross-platform malware features anti-analysis and virtual machine detection, Wails wrapping, ad hoc signatures, and a system that disables Gatekeeper using admin privileges.

Attempting to disable Gatekeeper
Attempting to disable Gatekeeper (SentinelOne)

The good news is that Apple updated its XProtect signatures for CherryPie in early December 2023, which work really well even for newer iterations. However, malware detections do not fare as well on Virus Total.

It becomes clear from the above that the continual development of malware with the goal of evading detection makes this a risky game of whack-a-mole for users and operating system vendors alike.

Relying solely on static detection for security is inadequate and potentially risky. A more robust approach should incorporate antivirus software equipped with advanced dynamic or heuristic analysis capabilities.

Additionally, vigilant monitoring of network traffic, implementing firewalls, and consistently applying the latest security updates are essential components of a comprehensive cybersecurity strategy.


Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

To keep up to date follow us on the below channels.