
Security Bite: Here's what malware your Mac can detect and remove

Have you ever wondered what malware macOS can detect and remove without the help of third-party software? Apple is constantly adding new malware detection rules to the built-in XProtect for Mac. Although most rule names (signatures) are confusing, security researchers can match them to industry-standard names with a little reverse engineering. See what malware your Mac can remove below!

9to5Mac Security Bite is provided exclusively by Mosyle, Apple's only unified platform. Everything we do is to ensure Apple devices are ready and secure in the enterprise. Our unique integrated approach to management and security combines Apple's most advanced security solutions for fully automated hardening and strengthening of security. Compliance, next-gen EDR, AI-powered zero trust, and exclusive privilege management with the most powerful and advanced Apple MDM on the market. The result is Apple's fully automated, unified platform, now trusted by more than 45,000 organizations, to provision millions of Apple devices effortlessly and affordably. Request an EXTENDED TRIAL today and see why Mosyle is all you need for your Apple experience.

XProtect, Yara rules, right?

XProtect was introduced in 2009 as part of Mac OS X 10.6 Snow Leopard. It was originally released to detect malware in an installation file and alert the user. However, XProtect has changed significantly in recent years. The retirement of the long-standing Malware Removal Tool (MRT) in April 2022 brought in XProtectRemediator (XPR), a more capable built-in malware protection component responsible for detecting and remediating threats on the Mac.

XProtect detects malware using Yara signatures. Yara itself is a widely used open source tool that identifies files (including malware) based on specific characteristics and patterns in their code or metadata. What makes Yara rules so useful is that any organization or individual can write and use their own, Apple included.

Starting with macOS 14 Sonoma, XProtect consists of three main components:

  1. The XProtect app itself, which can detect malware using Yara rules whenever an app is first launched, changes, or updates its signatures.
  2. XProtectRemediator (XPR), which is more proactive and can detect and remove malware, among other things, by scanning regularly with Yara rules. These scans run in the background during periods of low activity and have minimal impact on the processor.
  3. XProtectBehaviorService (XBS), which was added in the latest version of macOS and monitors system behavior relating to critical resources.

Unfortunately, Apple mostly uses generic internal naming schemes in XProtect, which obscure the common malware names. While this is done for good reason, it creates a challenge for anyone interested in knowing exactly which malware XProtect can identify.

For example, some Yara rules are given more obvious names, such as the XProtect_MACOS_PIRRIT_GEN signature for detecting Pirrit adware. Mostly, however, XProtect contains more generic rules, such as XProtect_MACOS_2fc5997, as well as internal signature names that only Apple engineers understand, such as XProtect_snowdrift. This is where security researchers like Phil Stokes and Alden come in.

Phil Stokes of SentinelOne Labs maintains a handy GitHub repository that matches these confusing signature names used by Apple to the more common names used by vendors and found in public malware scanners such as VirusTotal. Alden, meanwhile, has recently made significant progress in understanding how XPR works by extracting the Yara rules from its scanning engine binaries.
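As an added example (not code from the article or from the researchers it mentions), here is a small Python parser that pulls the rule names out of a Yara file written in XProtect's style, buckets them by the three naming conventions described above, and joins them to a vendor-name lookup so the still-unmapped rules stand out. The sample rules and the lookup table are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in the style of Apple's XProtect.yara (not Apple's real rules).
SAMPLE_RULES = r'''
rule XProtect_MACOS_PIRRIT_GEN { meta: description = "MACOS.PIRRIT.GEN" condition: false }
rule XProtect_MACOS_2fc5997 { meta: description = "MACOS.2fc5997" condition: false }
rule XProtect_snowdrift { condition: false }
'''

# Constructed lookup from Apple's internal signature names to vendor names, in the
# spirit of the community-maintained mapping the article describes.
KNOWN_NAMES: Dict[str, str] = {
    "XProtect_MACOS_PIRRIT_GEN": "Pirrit",
    "XProtect_snowdrift": "CloudMensis",
}

RULE_RE = re.compile(r"^\s*(?:private\s+|global\s+)*rule\s+(\w+)", re.M)
DESC_RE = re.compile(r'description\s*=\s*"([^"]*)"')

class Signature(NamedTuple):
    name: str
    description: Optional[str]   # meta.description, if the rule carries one
    style: str                   # "family", "hash" or "codename"
    common_name: Optional[str]   # vendor name, or None if nobody has mapped it yet

def naming_style(name: str) -> str:
    """Bucket a rule name by the three conventions Apple uses."""
    if re.fullmatch(r"XProtect_MACOS_[0-9a-f]{6,}", name):
        return "hash"        # generic hash-like suffix (XProtect_MACOS_2fc5997)
    if name.startswith("XProtect_MACOS_"):
        return "family"      # readable family name (XProtect_MACOS_PIRRIT_GEN)
    return "codename"        # Apple-internal codename (XProtect_snowdrift)

def parse_rules(yara_text: str, mapping: Dict[str, str] = KNOWN_NAMES) -> List[Signature]:
    """Extract every rule, its description and its mapped vendor name, in file order."""
    hits = list(RULE_RE.finditer(yara_text))
    out = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(yara_text)
        desc = DESC_RE.search(yara_text[m.end():end])   # only this rule's body
        out.append(Signature(m.group(1), desc.group(1) if desc else None,
                             naming_style(m.group(1)), mapping.get(m.group(1))))
    return out

def unmapped(sigs: List[Signature]) -> List[str]:
    """Rule names that have not been matched to a public malware name."""
    return [s.name for s in sigs if s.common_name is None]
```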

Which malware can be removed on macOS?

While the XProtect app itself can only detect and block threats, removal comes down to the XPR scanning engines. There are 23 remediators in the current version of XPR (v133) protecting your computer from malware, and we can currently identify 14 of them.

23 scanning modules in XProtectRemediator v133

  1. Adload: An adware and bundleware downloader that has targeted macOS users since 2017. Adload may have evaded detection until a major update to XProtect last month, which added 74 new Yara detection rules, all of them targeting this malware.
  2. BadGacha: Not yet identified.
  3. BlueTop: “BlueTop appears to be a Trojan proxy campaign, which was reviewed by Kaspersky at the end of 2023,” says Alden.
  4. CardboardCutout: Not yet identified.
  5. ColdSnap: “ColdSnap is most likely looking for the macOS version of the SimpleTea malware. This has also been linked to the 3CX hack and shares similarities with both Linux and Windows variants.” SimpleTea (SimplexTea on Linux) is a remote access trojan (RAT) believed to have originated in North Korea.
  6. Crapyrator: Crapyrator has been identified as macOS.Bkdr.Activator. This is a malware campaign, discovered in February 2024, that “infects macOS users on a massive scale, potentially with the goal of creating a macOS botnet or delivering other malware on a large scale,” according to SentinelOne's Phil Stokes.
  7. DubRobber: An alarming and versatile Trojan dropper, also known as XCSSET.
  8. Eicar: A harmless test file created specifically to exercise virus scanners without causing any harm.
  9. FloppyFlipper: Not yet identified.
  10. Genieo: A very commonly documented potentially unwanted program (PUP), so much so that it even has its own Wikipedia page.
  11. GreenAcre: Not yet identified.
  12. KeySteal: KeySteal is an information stealer for macOS, first discovered in 2021 and added to XProtect in February 2023.
  13. MRTv3: A set of malware detection and removal components that XProtect inherited from its predecessor, the Malware Removal Tool (MRT).
  14. Pirrit: Pirrit is adware for macOS that first appeared in 2016. It is known to inject pop-up advertisements into web pages, collect users' personal browser data, and even manipulate search rankings to redirect users to malicious pages.
  15. RankStank: “This rule is one of the most obvious because it includes paths to malicious executable files found in the 3CX incident,” says Alden. 3CX was a supply chain attack attributed to the Lazarus Group.
  16. RedPine: With less certainty, Alden argues that RedPine is most likely a response to TriangleDB from Operation Triangulation.
  17. RoachFlight: Not yet identified.
  18. SheepSwap: Not yet identified.
  19. ShowBeagle: Not yet identified.
  20. SnowDrift: Identified as the CloudMensis spyware for macOS.
  21. ToyDrop: Not yet identified.
  22. Trovi: Similar to Pirrit, Trovi is another cross-platform browser hijacker. It is known to redirect search results, track browsing history, and insert its own advertisements into searches.
  23. WaterNet: Not yet identified.

How to find XProtect?

XProtect is enabled by default on all versions of macOS. It works at the system level, entirely in the background, so no user intervention is required, and XProtect updates are automatic as well. Here's where it lives:

  1. In Macintosh HD, go to Library > Apple > System > Library > CoreServices
  2. Here you can find the remediators: right-click XProtect
  3. Then click Show Package Contents
  4. Expand Contents
  5. Open MacOS
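As an added example (not from the article), here is the same look performed programmatically: read the XPR version from the bundle's Info.plist and list the remediator executables under Contents/MacOS. The CFBundleShortVersionString key and the XProtectRemediator&lt;Module&gt; file names are my assumptions, and the fixture builder constructs a stand-in bundle so the check can be exercised on a machine that is not a Mac.

```python
import os
import plistlib
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple, Union

# The bundle that the Finder steps above end up inside.
XPROTECT_APP = "/Library/Apple/System/Library/CoreServices/XProtect.app"

def bundle_version(bundle: Union[str, Path]) -> Optional[str]:
    """Version string from Contents/Info.plist, or None if the plist is missing.
    Assumption: XPR carries its version in CFBundleShortVersionString like any bundle."""
    info = Path(bundle) / "Contents" / "Info.plist"
    if not info.is_file():
        return None
    with info.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")

def remediators(bundle: Union[str, Path]) -> List[str]:
    """Executable files in Contents/MacOS, i.e. the XPR scanning modules listed above."""
    macos = Path(bundle) / "Contents" / "MacOS"
    if not macos.is_dir():
        return []
    return sorted(p.name for p in macos.iterdir()
                  if p.is_file() and os.access(p, os.X_OK))

def inspect_bundle(bundle: Union[str, Path] = XPROTECT_APP) -> Tuple[Optional[str], List[str]]:
    """(version, sorted module names); (None, []) when the bundle is absent."""
    return bundle_version(bundle), remediators(bundle)

def make_fixture(version: str, modules: List[str]) -> str:
    """Constructed stand-in bundle in a temp dir, for running the check off a Mac.
    Executable names are assumed to follow the XProtectRemediator<Module> pattern."""
    root = Path(tempfile.mkdtemp()) / "XProtect.app"
    (root / "Contents" / "MacOS").mkdir(parents=True)
    with (root / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleShortVersionString": version}, fh)
    for name in modules:
        exe = root / "Contents" / "MacOS" / name
        exe.write_bytes(b"#!/bin/sh\n")
        exe.chmod(0o755)
    (root / "Contents" / "MacOS" / "not-a-module.txt").write_text("data")  # non-executable, ignored
    return str(root)

if __name__ == "__main__":
    version, modules = inspect_bundle()
    print(f"XProtectRemediator version: {version or 'not found'}")
    print(f"{len(modules)} remediator executable(s): {', '.join(modules)}")
```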

Note: Users shouldn't rely entirely on Apple's XProtect suite, as it is designed to detect known threats. More sophisticated attacks can easily bypass detection. I highly recommend using third-party malware detection and removal tools.

About Security Bite: Security Bite is a weekly security column at 9to5Mac. Every week, Arin Waichulis provides data privacy intelligence, exposes vulnerabilities, and sheds light on emerging threats across Apple's vast ecosystem of more than 2 billion active devices. Stay secure, stay safe.
