Welcome to 2025 and farewell to 2024! Hosting the Security Bite column on DMN has been an exhilarating journey. I’ve had the chance to engage with several leaders in the security field and even visited places I never imagined I’d go. In October, I took this column on the road—through the air and on the rails—to Kyiv, where I met with top-tier security engineers and attended the Objective-See’s Objective for the We v2.0 event. It was an experience that’s still hard to describe—perhaps a tale for another time.
Now, let’s get back to business. In this concluding issue of Security Bite for fiscal 2024, I’ve refreshed an article I began in May of last year. With Apple consistently enhancing its XProtect suite to tackle emerging malware trends, this piece will remain dynamic and progressively updated.
Curious about what macOS can identify and eliminate without third-party help? Apple is continuously introducing new detection rules to the built-in XProtect suite. Although most rule names (or signatures) are obscured, security researchers can reverse-engineer them to connect them with their more recognized industry titles. Below, discover the malware your Mac can expel!
About Security Bite: Security Bite is a weekly column focused on security within DMN. Each week, Arin Waichulis provides insights into data privacy, uncovers vulnerabilities, and highlights emerging threats in Apple’s expansive ecosystem of over 2 billion active devices. Stay secure, stay safe.
Understanding XProtect and Yara Rules
XProtect made its debut in 2009 with Mac OS X 10.6 Snow Leopard, initially functioning only to alert users about malware present in installation files. However, its capabilities have significantly evolved. The discontinuation of the longstanding Malware Removal Tool (MRT) in April 2022 led to the introduction of XProtectRemediator (XPR), an advanced native anti-malware component designed to detect and eliminate threats on Macs.
The XProtect suite employs Yara signature-based detection to recognize malware. Yara is a versatile open-source tool used to identify files, including malware, through specific characteristics and patterns in the code or metadata. The advantage of Yara rules is that they can be developed and employed by any organization or individual, including Apple.
As of macOS 15 Sequoia, the XProtect suite encompasses three primary components:
- The XProtect app detects malware using Yara rules whenever an app is launched, altered, or updated.
- XProtectRemediator (XPR) takes a more proactive stance, identifying and removing malware through regular Yara rule scans while the system is less active, thus minimizing CPU impact.
- The current macOS version includes XProtectBehaviorService (XBS), which monitors system actions concerning critical resources.
Regrettably, Apple predominantly utilizes generic internal naming conventions in XProtect that obscure the common malware designations. While this is for valid reasons, it complicates the effort for those curious about precisely what malware XProtect can detect.
For instance, some Yara rules have more distinct names, such as XProtect_MACOS_PIRRIT_GEN, a signature for identifying Pirrit adware. However, most rules in XProtect are generically labeled (e.g., XProtect_MACOS_2fc5997) or have internal signatures only known to Apple engineers (e.g., XProtect_snowdrift). This is where security researchers like Phil Stokes and Alden play a crucial role.
Phil Stokes from SentinelOne Labs maintains a valuable repository on GitHub that decodes these obfuscated signatures into the conventional names commonly used by vendors, which can also be found in public malware scanners like VirusTotal. Additionally, Alden has recently made significant strides in decoding how XPR operates by extracting Yara rules from its scanning module binaries.
Locating XProtect on Your Mac
XProtect is automatically enabled in every version of macOS and runs at the system level entirely in the background, requiring no user intervention. Updates are applied automatically. Here’s how to locate it:
- In Macintosh HD, navigate to Library > Apple > System > Library > CoreServices
- Right-click on XProtect to see its remediators
- Select Show Package Contents
- Open Contents
- Go into MacOS
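As an added example (not code from the column, from Apple, or from the researchers named above), here is a small POSIX shell script that performs the walk above from the command line and, for the naming discussion, counts how many rules in the Yara bundle carry hash-style generic names. It assumes the standard macOS locations for XProtect.app and for the XProtect.bundle rule file (XProtect.yara); each function also accepts an explicit path so it can be run against a copy.

```shell
#!/bin/sh
# Added example, not code from the column or from Apple: inspect the XProtect
# suite at the macOS locations described above. The two paths are assumed to be
# the standard ones; each function also accepts an explicit path for a copy.
XPR_MACOS_DIR="/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS"
XPROTECT_YARA="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara"

# list_remediators [DIR]: one XPR scanning module per line, "XProtectRemediator" prefix stripped
list_remediators() {
    dir="${1:-$XPR_MACOS_DIR}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    for f in "$dir"/XProtectRemediator*; do
        [ -f "$f" ] || continue
        basename "$f" | sed 's/^XProtectRemediator//'
    done | sed '/^$/d' | sort
}

# count_remediators [DIR]: number of modules found (the column counts 24 in XPR v147)
count_remediators() {
    list_remediators "$1" | grep -c .
}

# list_rule_names [FILE]: names of the Yara rules in XProtect.yara ("rule X" / "private rule X")
list_rule_names() {
    file="${1:-$XPROTECT_YARA}"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    sed -nE 's/^[[:space:]]*(private[[:space:]]+)?rule[[:space:]]+([A-Za-z0-9_]+).*/\2/p' "$file"
}

# count_generic_rules [FILE]: rules with hash-style names (XProtect_MACOS_<hex>),
# the ones whose vendor name only a researcher's mapping can supply
count_generic_rules() {
    list_rule_names "$1" | grep -cE '^XProtect_MACOS_[0-9a-f]{5,}$'
}

# xprotect_summary [DIR] [FILE]: one-screen overview of the installed suite
xprotect_summary() {
    echo "remediator modules: $(count_remediators "$1")"
    echo "yara rules: $(list_rule_names "$2" | grep -c .)" \
         "(generic-named: $(count_generic_rules "$2"))"
}

# Only query the live system when XProtect is actually installed here
if [ -d "$XPR_MACOS_DIR" ]; then
    xprotect_summary
fi
```

Run it as-is on a Mac for the live counts, or pass a directory and a rule file to inspect an exported copy of the suite.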
Note: Users should not rely solely on Apple’s XProtect suite, as it is designed to identify known threats. More complex or sophisticated attacks might bypass detection. It is highly advisable to employ third-party malware detection and removal tools.
What Malware Can It Eliminate?
While the XProtect app is primarily designed to detect and mitigate threats, the responsibility for actual removal lies with XPR’s scanning modules. Currently, we recognize 14 out of 24 remediators in the latest XPR version (v147) that help keep malware at bay on your device.
- Adload: An adware loader targeting macOS users since 2017, Adload successfully evaded detection until the recent update to XProtect that introduced 74 new Yara detection rules specifically for this malware.
- BadGacha: Not yet identified.
- BlueTop: “BlueTop appears to be the Trojan-Proxy campaign reported by Kaspersky in late 2023,” according to Alden.
- CardboardCutout: Not yet identified.
- ColdSnap: “ColdSnap is likely identifying the macOS variant of SimpleTea malware. This has also been linked to the 3CX breach and shares characteristics with both Linux and Windows versions.” SimpleTea (SimplexTea on Linux) is a Remote Access Trojan (RAT) originating from the DPRK.
- Crapyrator: “Identified as macOS.Bkdr.Activator, this malware campaign was revealed in February 2024 and is thought to massively infect macOS users, possibly to create a botnet or spread other malware,” states Phil Stokes from SentinelOne.
- DubRobber: A versatile Trojan dropper known as XCSSET.
- Eicar: A benign file intentionally designed to activate antivirus scanners without causing harm.
- FloppyFlipper: Not yet identified.
- Genieo: A commonly documented potentially unwanted program (PUP), Genieo is well-known enough to have its own Wikipedia page.
- GreenAcre: Not yet identified.
- KeySteal: An infostealer for macOS first identified in 2021, added to XProtect in February 2023.
- MRTv3: A collection of malware detection and removal components carried over into XProtect from the previous Malware Removal Tool (MRT).
- Pirrit: A macOS adware that emerged in 2016, Pirrit is notorious for injecting pop-up advertisements into websites, spying on user browser data, and manipulating search results to direct users to harmful pages.
- RankStank: “This rule is quite informative, as it includes the paths to malicious executables discovered in the 3CX incident,” notes Alden. The 3CX incident was a supply chain attack attributed to the Lazarus Group.
- RedPine: Alden suggests with lower confidence that RedPine is likely a response to TriangleDB from Operation Triangulation.
- RoachFlight: Not yet identified.
- SheepSwap: Not yet identified.
- ShowBeagle: Not yet identified.
- SnowDrift: Identified as CloudMensis macOS spyware.
- ToyDrop: Not yet identified.
- Trovi: Similar to Pirrit, Trovi is another cross-platform browser hijacker known for redirecting search results, monitoring browsing history, and injecting its own advertisements into searches.
- WaterNet: Not yet identified.
Thank you for joining me on this journey! I’m eager to continue my specialized security coverage here on DMN throughout 2025! Cheers!