Welcome, 2025, as we bid farewell to 2024! It has been an exhilarating inaugural year for me in the Security Bite column on DMN. I’ve been fortunate enough to engage with numerous influential figures in the security realm and visit places I never imagined. In October, I took the column on an adventure—literally—traveling to Kyiv to collaborate with elite security engineers and attend the Objective-See’s Objective for the We v2.0 event. It was a remarkable experience that defies description—perhaps a tale for another time.
But I digress. In this concluding edition of Security Bite for the fiscal year 2024, I’ve revised a piece I began back in May of last year. Given that Apple is consistently refining its XProtect suite to counter evolving malware trends, this article will keep adapting.
Have you ever pondered what types of malware macOS can autonomously detect and eliminate without the assistance of third-party applications? Apple persistently enhances its Mac’s built-in XProtect suite by adding new malware detection rules. While most rule identifiers (signatures) are intentionally obscured, skilled security researchers can map them back to their commonly known industry names. Check out the information below to see what malware your Mac can eliminate!
About Security Bite: Security Bite is a weekly column on DMN focused on security. Each week, Arin Waichulis shares insights into data privacy, uncovers vulnerabilities, and highlights emerging threats within Apple’s expansive ecosystem of over 2 billion active devices. Stay secure, stay safe.
Understanding XProtect and Yara Rules
XProtect debuted in 2009 as part of Mac OS X 10.6 Snow Leopard, initially aimed at detecting and alerting users about malware in installation files. Since then, XProtect has evolved considerably. The discontinuation of the long-standing Malware Removal Tool (MRT) in April 2022 led to the introduction of XProtectRemediator (XPR), a more advanced native anti-malware component that both identifies and removes threats on the Mac.
The XProtect suite employs Yara signature-based detection for identifying malware. Yara is a widely recognized open-source tool that pinpoints files (including malware) based on specific traits and patterns within the code or metadata. One of the most advantageous attributes of Yara rules is that any entity can create and implement their own, and that includes Apple.
As of macOS 15 Sequoia, the XProtect suite comprises three primary components:
- The XProtect app detects malware using Yara rules each time an application is initially launched, altered, or its signatures are updated.
- XProtectRemediator (XPR) functions more proactively, allowing for malware detection and removal through regular scanning with Yara rules among other processes. These run discreetly in the background during low-activity periods, ensuring minimal CPU impact.
- The latest macOS version features XProtectBehaviorService (XBS), which observes system behavior concerning critical resources.
Regrettably, Apple primarily employs generic internal naming conventions for XProtect, obscuring common malware names. Although this is done for valid reasons, it complicates efforts by curious individuals to pinpoint the exact malware XProtect can identify.
For instance, certain Yara rules have more straightforward names, such as XProtect_MACOS_PIRRIT_GEN, which identifies the Pirrit adware. However, in XProtect, most rules are assigned generic names like XProtect_MACOS_2fc5997 and internal signatures only known to Apple engineers, such as XProtect_snowdrift. This is where security researchers like Phil Stokes and Alden come into play.
Phil Stokes from SentinelOne Labs maintains a valuable GitHub repository that matches these obscured signatures utilized by Apple with the more commonly recognized names employed by vendors and used in public malware scanners like VirusTotal. Additionally, Alden has recently made significant headway in understanding how XPR operates by extracting the Yara rules from its scanning module binaries.
Locating XProtect on Your Mac
XProtect is automatically enabled in every macOS version and runs at the system level seamlessly in the background, eliminating the need for user intervention. Furthermore, updates to XProtect occur automatically. Here’s how to locate it:
- Open Macintosh HD, then navigate to Library > Apple > System > Library > CoreServices
- Right-click on XProtect to find its remediators.
- Select Show Package Contents.
- Expand Contents.
- Open MacOS.
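Two things from the sections above lend themselves to a small script: enumerating the XPR remediator binaries found under XProtect.app/Contents/MacOS, and sorting the Yara rule names in XProtect.bundle into the three naming styles described (descriptive, generic hashed, internal codename). The following is an added example and not code from the column or from Apple; the PUBLIC_NAMES table is a hypothetical stand-in for the signature-to-public-name list Phil Stokes maintains and only carries the two pairs this column states, and the SAMPLE_* inputs are constructed so the script runs off a Mac.

```python
import re
from pathlib import Path

# Real locations on current macOS: the app bundle holds the XPR remediator binaries,
# the .bundle holds the Yara rules evaluated by the XProtect app.
XPR_MACOS_DIR = Path("/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS")
XPROTECT_YARA = Path("/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara")

REMEDIATOR_PREFIX = "XProtectRemediator"
RULE_RE = re.compile(r"^\s*(?:private\s+|global\s+)*rule\s+(\w+)", re.MULTILINE)

# Hypothetical lookup of obscured signature -> public name (only the pairs the column states).
PUBLIC_NAMES = {"XProtect_MACOS_PIRRIT_GEN": "Pirrit", "XProtect_snowdrift": "CloudMensis"}

# Constructed sample inputs so the functions can be exercised without a Mac.
SAMPLE_MACOS_LISTING = ["XProtect", "XProtectRemediatorPirrit",
                        "XProtectRemediatorAdload", "XProtectRemediatorMRTv3"]
SAMPLE_YARA = """
rule XProtect_MACOS_PIRRIT_GEN
{
    meta:
        description = "constructed sample"
    strings:
        $a = "example"
    condition:
        $a
}
private rule XProtect_MACOS_2fc5997 { condition: false }
rule XProtect_snowdrift { condition: false }
"""

def remediator_names(filenames):
    """Strip the XProtectRemediator prefix from the XPR scanning-module binaries."""
    return sorted(f[len(REMEDIATOR_PREFIX):] for f in filenames
                  if f.startswith(REMEDIATOR_PREFIX) and len(f) > len(REMEDIATOR_PREFIX))

def rule_style(name):
    """'hashed' for XProtect_MACOS_<7 hex>, 'descriptive' for an upper-case family
    token such as PIRRIT_GEN, 'internal' for lower-case codenames such as snowdrift."""
    body = re.sub(r"^XProtect_(MACOS_)?", "", name)
    if re.fullmatch(r"[0-9a-f]{7}", body):
        return "hashed"
    if re.fullmatch(r"[A-Z][A-Z0-9_]+", body):
        return "descriptive"
    return "internal"

def classify_rules(yara_text):
    """Map every rule name in a Yara file to (style, public name or None)."""
    return {n: (rule_style(n), PUBLIC_NAMES.get(n)) for n in RULE_RE.findall(yara_text)}

if __name__ == "__main__":
    names = [p.name for p in XPR_MACOS_DIR.iterdir()] if XPR_MACOS_DIR.is_dir() else SAMPLE_MACOS_LISTING
    text = XPROTECT_YARA.read_text() if XPROTECT_YARA.is_file() else SAMPLE_YARA
    print("XPR remediators:", ", ".join(remediator_names(names)))
    for rule, (style, public) in classify_rules(text).items():
        print(f"{rule:40} {style:12} {public or '?'}")
```

On a Mac the script reads the real bundle; elsewhere it falls back to the constructed samples, which is enough to see how the three naming styles are told apart.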
Note: Users should not solely rely on Apple’s XProtect suite, as it is designed primarily to detect known threats. More advanced or sophisticated attacks may easily bypass detection. I strongly recommend the deployment of third-party malware detection and removal applications.
Malware Capabilities
While the XProtect app itself is limited to detecting and blocking threats, the removal of malware is primarily conducted by the XPR’s scanning modules. Currently, we can identify 14 of the 24 remediators present in the latest XPR version (v147) that help keep malware at bay on your machine.
- Adload: A loader for adware and bundleware targeting macOS users since 2017. Adload had previously avoided detection until last month when XProtect’s significant update introduced 74 new Yara detection rules specifically aimed at this malware.
- BadGacha: Currently not identified.
- BlueTop: “BlueTop appears to be the Trojan-Proxy campaign highlighted by Kaspersky in late 2023,” notes Alden.
- CardboardCutout: Currently not identified.
- ColdSnap: “ColdSnap likely targets the macOS variant of the SimpleTea malware. This was also linked to the 3CX breach and shares characteristics with both Linux and Windows versions.” SimpleTea (known as SimplexTea on Linux) is a Remote Access Trojan (RAT) believed to have originated from North Korea.
- Crapyrator: Identified as macOS.Bkdr.Activator. This malware campaign, revealed in February 2024, has “infected macOS users on a large scale, potentially intended to create a macOS botnet or deliver other malware broadly,” states Phil Stokes from SentinelOne.
- DubRobber: A versatile and concerning Trojan dropper, also recognized as XCSSET.
- Eicar: A harmless file created specifically to trigger antivirus scanners without causing harm.
- FloppyFlipper: Currently not identified.
- Genieo: A well-documented potentially unwanted program (PUP) with its own Wikipedia page.
- GreenAcre: Currently not identified.
- KeySteal: An infostealer for macOS initially identified in 2021 and added to XProtect in February 2023.
- MRTv3: A compilation of malware detection and removal components carried over into XProtect from its predecessor, the Malware Removal Tool (MRT).
- Pirrit: This adware surfaced in 2016 and is notorious for injecting pop-up advertisements into websites, collecting private user data, and manipulating search results to direct users to malicious sites.
- RankStank: “This signature is one of the more recognizable, as it specifies the paths to malicious executables associated with the 3CX incident,” notes Alden. The 3CX incident was a supply chain attack attributed to the Lazarus Group.
- RedPine: Alden, with lower confidence, suggests that RedPine may be in response to TriangleDB from Operation Triangulation.
- RoachFlight: Currently not identified.
- SheepSwap: Currently not identified.
- ShowBeagle: Currently not identified.
- SnowDrift: Identified as CloudMensis macOS spyware.
- ToyDrop: Currently not identified.
- Trovi: Similar to Pirrit, Trovi is another cross-platform browser hijacker known for redirecting search queries, tracking browsing behavior, and injecting its ads.
- WaterNet: Currently not identified.
Thank you all for your readership! I look forward to continuing my focused coverage on security here at DMN throughout 2025! Cheers.