I have now had a chance to study the security update to Apple’s Malware Removal Tool, bringing it to version 1.35, which was pushed earlier this week.
Looking at the strings therein, this appears to add the ability to remove two new types of malware:
- MACOS.e3278ad, which follows Apple’s recent bad habit of using internal coded designations for malware. I cannot find any suggested matches for the real-world name that this might represent, and it isn’t yet detected by XProtect.
- MACOS.bdd69ef, which appears to be a bitcoin miner, judging by the fact that removal involves a component referred to as launchMiner.
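The "looking at the strings" step above can be made repeatable. The following Python is an added example (not code from the post or from Apple): it pulls printable strings out of two builds of a binary, keeps the ones matching Apple's `MACOS.xxxxxxx` designation pattern, reports which designations are new in the later build, and lists the strings that sit next to each one, which is how a removal component such as launchMiner shows up beside its family. The two byte blobs are constructed stand-ins for the MRT executables, and `MACOS.0a1b2c3` is a made-up older designation; against real builds you would read the files with `open(path, "rb")`.

```python
"""Diff the embedded strings of two builds to spot newly added malware designations."""
import re

# Printable-ASCII runs, the same heuristic strings(1) uses; min length 6 drops most noise.
MIN_LEN = 6
# Apple's coded family names as they appear in MRT, e.g. MACOS.e3278ad (7 hex chars).
DESIGNATION_RE = re.compile(r"\bMACOS\.[0-9a-f]{7}\b")


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes, in file order."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in run.finditer(blob)]


def find_designations(blob: bytes) -> set[str]:
    """All MACOS.xxxxxxx designations embedded in the binary."""
    return {d for s in extract_strings(blob) for d in DESIGNATION_RE.findall(s)}


def new_designations(old_blob: bytes, new_blob: bytes) -> set[str]:
    """Designations present in the new build but absent from the old one."""
    return find_designations(new_blob) - find_designations(old_blob)


def neighbours(blob: bytes, designation: str, window: int = 2) -> list[str]:
    """Strings adjacent (in file order) to a designation. Removal components such as
    launch items are usually emitted next to the family they belong to."""
    strs = extract_strings(blob)
    out: list[str] = []
    for i, s in enumerate(strs):
        if designation in s:
            lo, hi = max(0, i - window), min(len(strs), i + window + 1)
            out.extend(strs[lo:i] + strs[i + 1:hi])
    return out


# Constructed stand-ins for an older and a newer MRT executable (not real file contents).
OLD_BLOB = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 8            # Mach-O-like header bytes, non-printable
    + b"HackingTeamRCS\x00" + b"\x01\x02\x03"
    + b"MACOS.0a1b2c3\x00"                         # constructed older designation
    + b"ATG 15A\x00ATG 15D\x00"
)
NEW_BLOB = (
    OLD_BLOB
    + b"\xde\xad\xbe\xef" * 3                      # more non-printable filler
    + b"MACOS.e3278ad\x00"
    + b"MACOS.bdd69ef\x00launchMiner\x00"          # designation followed by its component
    + b"ab\x00"                                    # too short to count as a string
)

if __name__ == "__main__":
    for d in sorted(new_designations(OLD_BLOB, NEW_BLOB)):
        print(d, "->", neighbours(NEW_BLOB, d))
```

The neighbour window is deliberately small; widening it on a real binary mostly adds unrelated format strings, so start at two and grow only when a designation has no obvious component next to it.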
I previously reported that 1.35 added support for two new types of malware, which were in fact already supported in previous versions. These are:
- HackingTeamRCS A, which is a remote control spyware system produced by the Italian Hacking Team. Confusingly, this may be detected by XProtect under a different name.
- Two of Apple’s existing in-house family of malware, designated ATG 15A and 15D. Again, no one knows what these may correspond with.
The previous version of MRT, 1.32, was pushed as a silent update on 23 April. Versions 1.33 and 1.34 don’t appear to have been generally released, making this the first public update in nearly two months.
The last update to XProtect’s configuration data, version 2099, was pushed on 13 March, making it likely that it will be updated in the coming few days.
I have updated my complete listing of the malware which MRT and XProtect protect your Mac from.
Corrected and updated 1600 UTC 22 June following helpful information from Al Varnell.