Fixing security vulnerabilities in macOS is important, but often overshadows its defences against malware, something we seldom talk about. The last few years have seen system software move from being lightly protected by SIP to locked away in a sealed snapshot. What Apple hadn’t addressed until more recently were its tools for the detection of malware and the remediation of its ill-effects.

I started tracking changes in those tools seven years ago, when the threat landscape was very different. At that time, XProtect was more concerned with blocking older and vulnerable versions of Flash and Java, then the basis for most popular exploits. Although XProtect did use signatures to detect some malware, remediation was the primary function of a separate tool, MRT.

For seven years Apple’s security engineers played cat and mouse with malware, frequently updating the data used by XProtect, and building new versions of MRT. Lately this sustained effort hasn’t been able to keep pace, and detection tools have struggled in the face of rapidly changing malicious code. There’s only so much you can do with a rule-based detection system such as XProtect’s, so it was time to move on to something more capable.

The first step towards that came on 14 March 2022, when Monterey 12.3 added what appeared to be a new app with a familiar name, XProtect.app. This is on the Data volume in the folder /Library/Apple/System/Library/CoreServices, and firmlinked to merge with the matching folder on the System volume at /System/Library/CoreServices. Like MRT.app, it isn’t an app at all, but a structured suite of executable tools kept in an app bundle.
That first silent release didn’t do much, and passed unnoticed. In little more than a fortnight, Apple has just updated it from version 2 to 64, and has increased the number of those executable modules from eight to twelve. Yet the last update to MRT was over two months ago, on 29 April 2022.

Executable tools included in the current version give clues as to what this new security tool, XProtect Remediator, is capable of. In addition to XProtect itself, these are named for:

- Adload, an endemic Trojan known for downloading unwanted adware and PUPs, summarised here.
- DubRobber, a troubling and versatile Trojan dropper also known as XCSSET, added in version 62.
- Eicar, a harmless standard test for anti-malware products.
- Genieo, a browser hijacker acting as adware, summarised here.
- GreenAcre, an Apple internal name, added in version 62.
- MRTv3, referring to Apple’s original malware remediator.
- Pirrit, malicious adware explained in detail here.
- ToyDrop, an Apple internal name, added in version 64.
- Trovi, a cross-platform browser hijacker.
- WaterNet, an Apple internal name, added in version 64.

Looking through the strings in some of these modules strongly suggests they were coded in Swift. With two exceptions, all are between 1.7 and 1.9 MB in size: XProtect is much smaller, and XProtectRemediatorMRTv3 at 4.4 MB is even larger than the current release of MRT, which is 3.3 MB. Given that one module deals with the simplicity of the Eicar test, and another with the complexity of DubRobber/XCSSET, the near-identical sizes suggest that much of their code is common to all of them, and is required for each to be self-contained.

Launching and scanning by XProtect Remediator is controlled by property lists in /Library/Apple/System/Library for LaunchAgents/.ist, LaunchAgents/.plist, LaunchDaemons/.ist and LaunchDaemons/.plist, and fresh copies of those have been installed with the updates to versions 62 and 64.
There’s also an XPC plugin service in the XProtect.app bundle. Although its initial release was confined to macOS 12.3, when version 62 was pushed on 16-17 June it was installed on all three currently supported versions of macOS, but not on Mojave or earlier.
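The bundle location, the module executables and the launchd property lists described above lend themselves to a simple inventory check that a defender can run to confirm which XProtect Remediator version and modules a Mac actually has. The POSIX shell script below is an added example, not code from the original article or from Apple. It assumes, beyond what the page states, that the module executables sit in Contents/MacOS of XProtect.app, that Info.plist is an XML plist carrying CFBundleShortVersionString, and that the relevant launchd property lists have "XProtect" in their file names. A root directory can be passed so the functions can be exercised against a constructed tree; omitting it inspects a live Mac.

```shell
#!/bin/sh
# Added example (not from the original article or from Apple): inventory an
# XProtect Remediator bundle and its launchd property lists.
# Assumptions not stated on the page: modules live in Contents/MacOS, Info.plist
# is XML with CFBundleShortVersionString, and the launchd plists contain
# "XProtect" in their names. ROOT defaults to / for use on a real Mac.

BUNDLE_REL="Library/Apple/System/Library/CoreServices/XProtect.app"
PLIST_DIRS="Library/Apple/System/Library/LaunchAgents Library/Apple/System/Library/LaunchDaemons"

# Print the bundle's short version string ("missing" if there is no Info.plist,
# "unknown" if the key cannot be parsed).
xpr_version() {
  root="${1:-/}"
  info="$root/$BUNDLE_REL/Contents/Info.plist"
  [ -f "$info" ] || { echo "missing"; return 1; }
  # Flatten the XML so key and value match whether or not they share a line.
  v=$(tr -d '\n' < "$info" | sed -n \
    's/.*<key>CFBundleShortVersionString<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p')
  echo "${v:-unknown}"
}

# List executable modules in the bundle, one per line as "name size_bytes",
# so unusually large or small modules stand out.
xpr_modules() {
  root="${1:-/}"
  dir="$root/$BUNDLE_REL/Contents/MacOS"
  [ -d "$dir" ] || return 1
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    # wc -c is portable across macOS and Linux, unlike stat's flags.
    printf '%s %s\n' "$(basename "$f")" "$(wc -c < "$f" | tr -d ' ')"
  done
}

# Count the XProtect launchd property lists present under LaunchAgents and
# LaunchDaemons; a count of zero means scans are not being scheduled.
xpr_plist_count() {
  root="${1:-/}"
  n=0
  for d in $PLIST_DIRS; do
    for p in "$root/$d"/*XProtect*.plist; do
      [ -f "$p" ] && n=$((n + 1))
    done
  done
  echo "$n"
}

# Usage on a Mac (root defaults to /): xpr_version; xpr_modules; xpr_plist_count
```

On a real Mac the bundle's Info.plist may be stored as a binary plist, in which case convert it first with `plutil -convert xml1 -o - Info.plist` and feed that output to the same sed expression; the module and plist checks work unchanged.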