Following the release of new betas last week, Apple snuck out one of the most significant updates to XProtect I’ve ever seen. The macOS malware detection tool added 74 new Yara detection rules, all aimed at a single threat, Adload. So what is it exactly, and why does Apple see it as such an issue?
9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
XProtect, Yara rules, huh?
XProtect was introduced in 2009 as part of macOS X 10.6 Snow Leopard. Initially, it was released to detect and alert users if malware was discovered in an installing file. However, XProtect has recently evolved significantly. The retirement of the long-standing Malware Removal Tool (MRT) in April 2022 prompted the emergence of XProtectRemediator (XPR), a more capable native anti-malware component responsible for the detection and remediation of threats on Mac.
As of macOS 14 Sonoma, XProtect consists of three main components:
- The XProtect app itself, which can detect malware using Yara rules whenever an app first launches, changes, or updates its signatures.
- XProtectRemediator is more proactive and can both detect and remove malware with regular Yara scans. These occur in the background during periods of low activity and have minimal impact on the CPU.
- XProtectBehaviorService (XBS) was added with the latest version of macOS and monitors system behavior in relation to critical resources.
The XProtect suite utilizes Yara signature-based detection to identify malware. Yara itself is a widely adopted open-source tool that identifies files (including malware) based on specific characteristics and patterns in the code or metadata. What’s so great about Yara rules is any organization or individual can create and utilize their own, including Apple.
The company mainly uses generic or internal naming schemes in XProtect that obfuscate the real malware names. This makes identifying them a bit tricky. Thanks, Apple (sigh). Some rules are given meaningful names, such as XProtect_MACOS_PIRRIT_GEN, a signature for detecting the Pirrit adware. However, there are also more generic rules like XProtect_MACOS_2fc5997 or internal ones like XProtect_snowdrift.
Phil Stokes with Sentinal One Labs manages a handy repo on GitHub that maps these obfuscated malware family names to common industry names. I highly recommend giving it a look.
Adload Wars: Apple Strikes Back
With XProtect v2192, it appears Apple can now detect all of Adload’s codebase and every existing strain of the once widespread adware and bundleware loader targeting macOS users since 2017. For anyone keeping up with this saga, this was long overdue.
Once Adload infiltrates a Mac (i.e., fooling a user with legitimate software), it hijacks search engine results, injecting its own ads and recommending users visit sites that may pay the threat actors a fee. This is in addition to any private information it may collect.
Moreover, the malware family has recently been able to evade detection by both Gatekeeper and XProtect, found to be “signed” with an Apple developer certificate, as well as “notarized,” and up until last week, many strains didn’t match the malware profiles in XProtect’s database. This has undoubtedly been a real headache for Apple’s security teams, which I can imagine uploaded the 74 new rules with great jubilation.
More than anything, this is a huge win for everyday Mac users who operate without any third-party malware detection and removal software.
By default, XProtect updates itself automatically. Updating to the latest version of macOS Sonoma is not needed, but it is still highly recommended!
More in this series
Follow Arin: Twitter/X, LinkedIn, Threads
FTC: We use income earning auto affiliate links. More.
