Security Bite: Malware your Mac can detect and remove
January 3, 2025


Hello 2025... and see you later, 2024! It's been an exciting first year hosting Security Bite on 9to5Mac. I have had the privilege of speaking with many leaders in the security industry and traveling to places I never thought I would go. In October I traveled to Kyiv to meet world-class security engineers, an experience I still cannot put into words; maybe I will talk about it another time.

I digress. In this final edition of Security Bite for 2024, I'm updating a story I started writing last May. This segment will continue to evolve as Apple updates its XProtect suite to combat the latest malware trends.

Ever wonder what malware macOS can detect and remove without the help of third-party software? Apple keeps adding new malware detection rules to the XProtect suite built into every Mac. While most of the rule names (signatures) are obfuscated, security researchers can, with some reverse engineering, map them to common industry names. Read on to learn what malware your Mac can remove on its own.




About Security Bite: Security Bite is a weekly security-focused column on 9to5Mac. Every week, Arin Waichulis provides insights on data privacy, uncovers vulnerabilities, and reveals emerging threats across Apple's massive ecosystem of more than 2 billion active devices. Stay safe, stay secure.

XProtect, Yara rules, right?

XProtect was launched in 2009 as part of Mac OS X 10.6 Snow Leopard. Initially, it only detected and alerted users when malware was found in installation files. XProtect has evolved significantly in recent years, however. The long-standing Malware Removal Tool (MRT) was retired in April 2022, giving way to XProtectRemediator (XPR), a more capable native anti-malware component responsible for both detecting and remediating threats on the Mac.

The XProtect suite uses Yara signature-based detection to identify malware. Yara itself is a widely adopted open source tool that identifies files, including malware, based on specific byte patterns and textual characteristics in their code or metadata. The beauty of Yara rules is that any organization or individual can create and use their own, and Apple does exactly that.

As of macOS 15 Sequoia, the XProtect suite consists of three main components:

  1. The XProtect app uses Yara rules to detect malware whenever an application is launched for the first time, has been changed, or when XProtect's signatures are updated.
  2. XProtectRemediator (XPR) is more proactive: it detects and removes malware by running regular scans using Yara rules. These scans run in the background during periods of low activity with minimal impact on the CPU.
  3. The latest versions of macOS also include XProtectBehaviorService (XBS), which monitors system behavior related to critical resources.

Unfortunately, Apple mostly uses its own internal naming scheme in XProtect rather than the common malware names. While there are good reasons for this, it makes it difficult for the curious to know exactly which malware XProtect can identify.

For example, some Yara rules are given fairly obvious names, such as XProtect_MACOS_PIRRIT_GEN, which detects the Pirrit adware family. In XProtect, however, you'll mostly find generic rule names, such as XProtect_MACOS_2fc5997, as well as internal code names known only to Apple engineers, such as XProtect_snowdrift. This is where security researchers like Phil Stokes and Alden come in.

Phil Stokes and SentinelOne Labs maintain a convenient repository on GitHub that maps the obscure signature names Apple uses to the more common names used by vendors and found in public malware scanners such as VirusTotal. In addition, Alden recently made significant progress in understanding how XPR works by extracting the Yara rules from each scanning module's binary.
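To make the two ideas above concrete (Yara signature matching, and carving rules out of a module binary the way a researcher would), here is an added example that is not part of the article, not Apple's code, and not the tooling Phil Stokes or Alden used. It carves `rule NAME { ... }` blocks out of a byte blob, parses the subset of Yara syntax that covers most signature-style rules (text strings, fixed hex strings, and `any/all/N of them` or simple `and`/`or` conditions), and scans a few sample buffers. The two rule names are taken from the text above; their strings and conditions, the "module" blob, and the sample files are constructed for the example and are not Apple's real signatures.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a scanning-module binary: two rules embedded between
# junk bytes. Rule names are from the article; the strings and conditions are
# made up for this example and are NOT Apple's real signatures.
SAMPLE_MODULE = (
    b"\x00\x01junk\x00"
    b"rule XProtect_MACOS_PIRRIT_GEN {\n"
    b"    strings:\n"
    b'        $a = "Pirrit" ascii\n'
    b"        $b = { 6c 69 62 70 69 72 72 69 74 }\n"   # 'libpirrit'
    b"    condition:\n"
    b"        any of them\n"
    b"}\n"
    b"\x00more junk\x00"
    b"rule XProtect_MACOS_2fc5997 {\n"
    b"    strings:\n"
    b"        $hdr = { CF FA ED FE }\n"                 # 64-bit Mach-O magic as stored on disk
    b'        $s1 = "/tmp/.dropper" ascii\n'
    b"    condition:\n"
    b"        all of them\n"
    b"}\n"
)

# Constructed sample inputs to scan (a Mach-O header followed by some strings).
PIRRIT_SAMPLE = b"\xcf\xfa\xed\xfe" + b"\x00" * 16 + b"libpirrit.dylib\x00"
DROPPER_SAMPLE = b"\xcf\xfa\xed\xfe" + b"\x00" * 16 + b"/tmp/.dropper\x00"
CLEAN_SAMPLE = b"\xcf\xfa\xed\xfe" + b"\x00" * 16 + b"hello world\x00"

RULE_RE = re.compile(rb"rule\s+(\w+)\s*\{(.*?)\n\}", re.S)
STRING_RE = re.compile(
    r'^\s*(\$\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|\{([0-9A-Fa-f\s]+)\})', re.M
)


@dataclass
class Rule:
    name: str
    strings: dict        # identifier -> byte pattern
    condition: str


def extract_rules(blob: bytes) -> list:
    """Carve 'rule NAME { ... }' blocks out of a byte blob and parse them.
    Supports text strings and fixed hex strings; Yara escapes, wildcards and
    modifiers such as 'wide' or 'nocase' are ignored in this subset."""
    rules = []
    for m in RULE_RE.finditer(blob):
        body = m.group(2).decode("latin-1")
        strings = {}
        for ident, text, hexs in STRING_RE.findall(body):
            strings[ident] = text.encode("latin-1") if text else bytes.fromhex(hexs)
        condition = " ".join(body.split("condition:", 1)[1].split())
        rules.append(Rule(m.group(1).decode(), strings, condition))
    return rules


def evaluate(rule: Rule, data: bytes) -> bool:
    """Evaluate one rule's condition against a file's bytes."""
    hits = {ident: pat in data for ident, pat in rule.strings.items()}
    m = re.fullmatch(r"(any|all|\d+) of them", rule.condition)
    if m:
        q = m.group(1)
        need = 1 if q == "any" else len(hits) if q == "all" else int(q)
        return sum(hits.values()) >= need
    if " and " in rule.condition:
        return all(hits[t] for t in rule.condition.split(" and "))
    if " or " in rule.condition:
        return any(hits[t] for t in rule.condition.split(" or "))
    return hits[rule.condition]


def scan(rules: list, data: bytes) -> list:
    """Names of the rules that fire on this data, in rule order."""
    return [r.name for r in rules if evaluate(r, data)]


if __name__ == "__main__":
    rules = extract_rules(SAMPLE_MODULE)
    print("rules carved from module:", [r.name for r in rules])
    for label, sample in (("pirrit", PIRRIT_SAMPLE),
                          ("dropper", DROPPER_SAMPLE),
                          ("clean", CLEAN_SAMPLE)):
        print(f"{label:8s} -> {scan(rules, sample) or 'no match'}")
```

The point of the `all of them` rule is the caveat a signature author cares about: a Mach-O magic alone is not a detection, so the rule only fires when the distinctive string is present too. Real XProtect rules are far richer than this subset (the `yara` CLI or `yara-python` evaluates them in full); the value here is seeing how a rule carved out of a binary maps onto a match decision.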

Where to find XProtect on your Mac

XProtect is enabled by default in every version of macOS. It runs at the system level, entirely in the background, so no user intervention is required, and its updates are delivered automatically. Here is where it lives:

  1. On Macintosh HD, go to Library > Apple > System > Library > CoreServices
  2. From here, you can find the remediators by right-clicking XProtect
  3. Then click Show Package Contents
  4. Expand Contents
  5. Open MacOS
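As an added example (not from the article and not Apple's tooling), the following script does the same walk from a terminal and adds the check a practitioner usually wants next: an inventory of the scanning modules with the bundle version, and a diff against a previously saved inventory so new modules stand out after an XProtect update. It assumes the module binaries are named `XProtectRemediator<Family>` inside `XProtect.app/Contents/MacOS` and that `Contents/Info.plist` carries `CFBundleShortVersionString`. Because that path only exists on macOS, the block also builds a constructed stand-in directory so it can be run anywhere.

```python
import plistlib
import sys
import tempfile
from pathlib import Path

# Real location on macOS (the path the Finder steps above lead to).
XPROTECT_APP = Path("/Library/Apple/System/Library/CoreServices/XProtect.app")
# Assumed naming convention of the scanning-module binaries.
MODULE_PREFIX = "XProtectRemediator"


def list_remediator_modules(app_path):
    """Family names of the scanning modules in <app>/Contents/MacOS, i.e. the
    part after the XProtectRemediator prefix ('Adload', 'Pirrit', ...)."""
    macos_dir = Path(app_path) / "Contents" / "MacOS"
    return sorted(
        p.name[len(MODULE_PREFIX):]
        for p in macos_dir.iterdir()
        if p.name.startswith(MODULE_PREFIX) and len(p.name) > len(MODULE_PREFIX)
    )


def bundle_version(app_path):
    """CFBundleShortVersionString from the app's Info.plist (e.g. '147')."""
    with open(Path(app_path) / "Contents" / "Info.plist", "rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


def diff_modules(previous, current):
    """Compare a saved inventory with the current one; returns (added, removed)."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


def make_fake_xprotect_app(modules, version):
    """Build a throwaway stand-in for XProtect.app so the code runs off a Mac.
    Everything here is constructed; the 'binaries' are empty placeholder files."""
    app = Path(tempfile.mkdtemp()) / "XProtect.app"
    macos_dir = app / "Contents" / "MacOS"
    macos_dir.mkdir(parents=True)
    (macos_dir / "XProtect").touch()          # main executable, not a scanning module
    for family in modules:
        (macos_dir / f"{MODULE_PREFIX}{family}").touch()
    with open(app / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleShortVersionString": version}, fh)
    return app


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else XPROTECT_APP
    if not target.exists():
        target = make_fake_xprotect_app(["Adload", "Pirrit", "SnowDrift"], "147")
        print(f"(no XProtect.app on this system; using constructed stand-in at {target})")
    print(f"XProtectRemediator v{bundle_version(target)}")
    for family in list_remediator_modules(target):
        print("  ", family)
```

Save the printed family list after each run; feeding the previous list and the current one to `diff_modules` tells you which remediators Apple added or dropped with the latest XProtect update, which is exactly the change this segment tracks over time.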

Note: Users should not rely entirely on Apple's XProtect suite, as it is designed to detect known threats. More advanced or targeted attacks can bypass it. I highly recommend also using third-party malware detection and removal tools.

Image: the 24 scanning modules in XProtectRemediator v147

What malware can it remove?

While the XProtect app itself can only detect and block threats, removal depends on XPR's scanning modules. Currently, 14 of the 24 remediators in the current version of XPR (v147) can be matched to the malware families they keep off your Mac.

  1. Adload: Adware and bundleware loader targeting macOS users since 2017. A major XProtect update added 74 new Yara detection rules, all targeting this malware.
  2. BadGacha: Not yet identified.
  3. BlueTop: "BlueTop appears to be the Trojan-Proxy campaign that was covered by Kaspersky in late 2023," Alden says.
  4. CardboardCutout: Not yet identified.
  5. ColdSnap: "ColdSnap is likely looking for the macOS version of the SimpleTea malware. This was also associated with the 3CX breach and shares traits with both the Linux and Windows variants." SimpleTea (SimplexTea on Linux) is a remote access trojan (RAT) believed to originate from North Korea.
  6. Crapyrator: Crapyrator has been identified as macOS.Bkdr.Activator. Phil Stokes of SentinelOne said this was a malware campaign discovered in February 2024 "that is infecting macOS users on a massive scale, possibly with the aim of creating a macOS botnet or delivering other malware at scale."
  7. DubRobber: A troubling and versatile Trojan dropper also known as XCSSET.
  8. Eicar: A harmless test file that is designed to trigger antivirus scanners without causing damage.
  9. FloppyFlipper: Not yet identified.
  10. Genieo: A very common potentially unwanted program (PUP). So common, in fact, that it has its own Wikipedia page.
  11. GreenAcre: Not yet identified.
  12. KeySteal: A macOS information stealer first discovered in 2021 and added to XProtect in February 2023.
  13. MRTv3: A collection of malware detection and removal components inherited from XPR's predecessor, the Malware Removal Tool (MRT).
  14. Pirrit: macOS adware that first appeared in 2016.
  15. RankStank: "This rule is one of the more obvious ones, since it includes the path to the malicious executable found in the 3CX incident," Alden said. 3CX was a supply chain attack attributed to the Lazarus Group.
  16. RedPine: Alden was less confident here, saying RedPine is likely the response to TriangleDB from Operation Triangulation.
  17. RoachFlight: Not yet identified.
  18. SheepSwap: Not yet identified.
  19. ShowBeagle: Not yet identified.
  20. SnowDrift: Identified as the CloudMensis macOS spyware.
  21. ToyDrop: Not yet identified.
  22. Trovi: Similar to Pirrit, Trovi is another cross-platform browser hijacker. It is known to redirect search results, track browsing history, and inject its own ads into searches.
  23. WaterNet: Not yet identified.

Thank you all for reading! I'm excited to continue reporting on security for 9to5Mac in 2025. Cheers.
