Security Bite: Did Apple Just Declare War on Adload Malware?

After releasing new beta versions last week, Apple has shipped one of the most significant updates to XProtect I've ever seen. The macOS malware detection tool gained 74 new Yara detection rules, all targeting a single threat: Adload. So what is it, and why does Apple consider it such a problem?

9to5Mac Security Bite is provided exclusively by Mosyle, Apple's only unified platform. Everything we do is to ensure Apple devices are ready and secure in the enterprise. Our unique, integrated approach to management and security combines Apple's most advanced security solutions to fully automate the security and safety of your data. Compliance, next-gen EDR, AI-powered zero trust, and exclusive privilege management with the most powerful and advanced Apple MDM on the market. The result is Apple's fully automated, unified platform, now trusted by more than 45,000 organizations, to provision millions of Apple devices effortlessly and affordably. Request an EXTENDED TRIAL today and see why Mosyle is all you need for your Apple experience.

XProtect, Yara rules, right?

XProtect was introduced in 2009 as part of Mac OS X 10.6 Snow Leopard. It was originally released to detect malware in an installation file and alert the user. XProtect has changed significantly in recent years, however. When the long-standing Malware Removal Tool (MRT) was retired in April 2022, it was replaced by XProtectRemediator (XPR), a more powerful built-in protection component responsible for both detecting and eliminating threats on the Mac.

Starting with macOS 14 Sonoma, XProtect consists of three main components:

  1. The XProtect app itself, which can detect malware using Yara rules whenever an application first launches, changes, or updates its signatures.
  2. XProtectRemediator, which is more proactive and can detect and remove malware using regular Yara scans. These scans run in the background during periods of low activity and have minimal impact on the processor.
  3. XProtectBehaviorService (XBS), which was added in the latest version of macOS and monitors system behavior around critical resources.

XProtect uses Yara signature-based malware detection. Yara itself is a widely used open source tool that identifies files (including malware) based on certain characteristics and patterns in code or metadata. What's so great about Yara rules is that any organization or individual, Apple included, can write and use their own.

The company primarily uses generic or internal naming schemes in XProtect, which hide the real names of the malware. This makes identifying them a little difficult. Thanks, Apple (sigh). Some rules are given meaningful names, such as XProtect_MACOS_PIRRIT_GEN, a signature for Pirrit adware detection. However, there are also more general rules, such as XProtect_MACOS_2fc5997, or internal rules, such as XProtect_snowdrift.

Phil Stokes of SentinelOne Labs runs a handy GitHub repository that maps these confusing internal family names to the common names used in the industry. I highly recommend you take a look.

Adload Wars: Apple Strikes Back

It appears that with XProtect v2192, Apple can now detect the entire Adload codebase and all existing variations of the once widespread adware and bundle downloader targeting macOS users since 2017. For anyone following this saga, this is long overdue.

Once Adload infiltrates a Mac (typically by posing as legitimate software to trick the user into installing it), it hijacks search engine results, injecting its own advertisements and steering users toward sites that may pay the attackers a commission. This is in addition to any personal information it may collect.

What's more, the malware family recently managed to evade detection by both Gatekeeper and XProtect: its samples were "signed" with an Apple developer certificate and even "notarized", and up until last week many strains did not match any malware profile in the XProtect database. This has undoubtedly been a real headache for Apple's security teams, who I can imagine uploaded the 74 new rules with great glee.

Most of all, this is a huge win for regular Mac users who run without any third-party software to detect and remove malware.

By default, XProtect updates automatically. Upgrading to the latest version of macOS Sonoma is not required, but is highly recommended!
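As an added example (not code from 9to5Mac, Apple, or the SentinelOne repository mentioned above), the following Python script reads the local XProtect bundle's Info.plist to check whether its version is at or past v2192, the update that shipped the Adload rules, and then classifies the rule names in XProtect.yara using the three naming schemes described earlier (family name, generic hex id, internal codename). The bundle path follows the standard macOS 14 layout, and the name-pattern heuristic is an assumption, not a documented Apple interface.

```python
"""Check the local XProtect version against the Adload update (v2192) and
summarise how its Yara rules are named. Bundle path and name patterns are
assumptions based on the public macOS 14 layout and the rule names above."""
import plistlib
import re
import sys
from pathlib import Path

BUNDLE = Path("/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents")
INFO_PLIST = BUNDLE / "Info.plist"
YARA_FILE = BUNDLE / "Resources" / "XProtect.yara"
ADLOAD_UPDATE_VERSION = 2192  # XProtect version that added the 74 Adload rules

# Matches 'rule NAME' (or 'private rule NAME') at the start of a line in a .yara file.
RULE_RE = re.compile(r"^\s*(?:private\s+)?rule\s+([A-Za-z0-9_]+)", re.MULTILINE)


def xprotect_version(plist_bytes: bytes) -> int:
    """Return the numeric XProtect version from the bundle's Info.plist."""
    info = plistlib.loads(plist_bytes)
    return int(re.match(r"\d+", info["CFBundleShortVersionString"]).group())


def has_adload_rules(version: int) -> bool:
    """True when the installed version is at or past the Adload update."""
    return version >= ADLOAD_UPDATE_VERSION


def classify_rule(name: str) -> str:
    """Bucket a rule name: 'named' family, 'generic' hex id, or 'internal' codename."""
    tail = name.split("_", 1)[1] if "_" in name else name
    if re.fullmatch(r"MACOS_[0-9a-f]{6,8}", tail):
        return "generic"   # e.g. XProtect_MACOS_2fc5997
    if re.fullmatch(r"MACOS_[A-Z0-9_]+", tail):
        return "named"     # e.g. XProtect_MACOS_PIRRIT_GEN
    return "internal"      # e.g. XProtect_snowdrift


def rule_summary(yara_text: str) -> dict:
    """Count rules per naming category across the whole rule file."""
    counts = {"named": 0, "generic": 0, "internal": 0}
    names = RULE_RE.findall(yara_text)
    for name in names:
        counts[classify_rule(name)] += 1
    return {"total": len(names), **counts}


if __name__ == "__main__":
    if not INFO_PLIST.exists():
        sys.exit("XProtect bundle not found; this check only applies on macOS")
    version = xprotect_version(INFO_PLIST.read_bytes())
    state = "present" if has_adload_rules(version) else "MISSING"
    print(f"XProtect {version}: Adload rules {state}")
    print(rule_summary(YARA_FILE.read_text(errors="replace")))
```

Run it on a Mac to confirm the update has actually arrived; the counts show how few rules carry a recognisable family name.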
