hoakley March 9, 2024 Macs, Technology

What malware can macOS remove?

Until two years ago, Apple’s Malware Removal Tool, MRT, was all that macOS had to deal with any malicious software that got onto your Mac. While Gatekeeper and its XProtect signatures can detect known malware when it tries to run, it was left to MRT to seek it out and remove it when possible. This changed in the summer of 2022, when Apple brought its new XProtect Remediator (XPR) up to full speed as the successor to MRT. This article updates information about which malware it scans for, and tries to remediate.

Alden has recently brought substantial advances in the understanding of how XPR’s scanning modules work, by uncovering some of their internal Yara-based detection signatures. These confirm the suspicion that XPR uses Yara definitions for at least some of its detection, although in these cases it embeds them in its scanning modules, rather than using those supplied in XProtect’s data. Combining Alden’s results with existing knowledge, we can now account for 14 of the 23 scanning modules in the current version of XPR.

Adload is an old adware and bundleware loader dating back to 2016 that has a track record of rapid change, enabling it to evade static detection. It normally achieves persistence through a bogus service installed in ~/Library/LaunchAgents/, and Phil Stokes gives fuller details here.

BadGacha remains unidentified, but frequently reports false positives for helper apps in non-malicious apps.

BlueTop is a bogus WindowServer app that was part of a Trojan-Proxy campaign investigated by Kaspersky in late 2023.

CardboardCutout remains unidentified.

ColdSnap is known better as SimpleTea, a cross-platform component that was part of the 3CX supply-chain attack.

Crapyrator has been identified as BkDr.Activator, found in many torrents of cracked apps such as MarsEdit, DaisyDisk, and SpamSieve. It uses sophisticated methods, characteristically installing Activator.app in the main Applications folder, prompts for a password and uses that to disable Gatekeeper checks, then kills Notification Centre to cover its tracks. Further details are given here.

DubRobber is known more generally as XCSSET, a versatile and troubling Trojan dropper that changes frequently to escape detection.

Eicar isn’t malware at all, but a standard non-malicious test of detection methods.

FloppyFlipper remains unidentified.

Genieo, also known as MaxOfferDeal, is another old hand that changes frequently to escape detection. This is so well-known that it qualifies for its own page in Wikipedia.

GreenAcre remains unidentified.

KeySteal, as its name suggests, exfiltrates the contents of keychains. Although it first appeared at least three years ago, it seems to have reappeared in autumn/fall 2022, and has been described in full detail by Luis Magisa and Qi Sun of Trend Micro. It has been found as a malicious version of the ResignTool app, used to change code signatures. It can come correctly signed, and has been delivered in a signed Installer package.

MRTv3 is a collection of malware detection and remediation items inherited from Apple’s old Malware Removal Tool, MRT.

Pirrit has also been known in many different variants and forms since it first appeared in 2016. For a long time it posed as a Flash Player installer, although it has moved on since then. It has been overviewed recently by Paloalto Networks.

RankStank is another malicious app at the centre of the 3CX supply chain attack, where it’s found in the 3CX Desktop App, and has been attributed to the Lazarus Group.

RedPine is believed to cover TriangleDB malware, sophisticated spyware that has been targeted primarily at iOS devices using malicious Messages.

RoachFlight remains unidentified.

SheepSwap remains unidentified.

SnowBeagle remains unidentified.

SnowDrift is CloudMensis spyware, another sophisticated malicious app that may masquerade as WindowServer.

ToyDrop remains unidentified.

Trovi is a cross-platform browser hijacker that can affect Safari and others.

WaterNet remains unidentified.

I hope this makes more sense from what you see in XProtect Remediator, and thank Alden, Phil Stokes and others who been decoding Apple’s bizarre names.

9Comments

Add yours

1

Enzo Vincenzo on March 9, 2024 at 9:02 am
Reply

Thank you Howard!!!

A very clear exposition that will now allow me to personally and carefully examine my Macs, based on what you have listed, based on what I have read on the other sites you have put links to and other sites I have come to from these.

You are always very helpful.

Have a good weekend and a good Sunday! 🙂

LikeLiked by 2 people
- 2
  
  hoakley on March 9, 2024 at 10:36 am
  Reply
  
  Thank you, Enzo. Have a great weekend too!
  Howard.
  
  LikeLiked by 1 person
3

JASON on March 9, 2024 at 3:40 pm
Reply

Terrific article and great link (The Secrets of XProtectRemediator). Thank you. As usual, you’ve done a a wonderful job of providing insight into macOS Security as well as cutting through the jargon & obfuscation.

Also, after reading this post I downloaded and ran XProCheck – a very interesting, lightweight, and cool tool that truly provides a neat peek under the hood of macOS. Really great stuff! 🙂

I checked back 5 days and before March 7th, I see this message for 2 modules: “BadPluginServiceSignature status_code 31 (normal if XPR has recently been updated)” and NoThreatDetected for those 2 modules after & including March 7th. If possible could you please explain the initial “BadPluginServiceSignature” message?

XPR was in fact recently updated. I triggered the update manually from the command line after I received your always appreciated “Apple has just released updates to XProtect and XProtect Remediator” email => Install Date: 3/5/24, 2:34 PM (EST) XProtectPayloads (128) & XProtectPlistConfigData (2188). Basically, I’m wondering where the “normal if XPR has recently been updated” message comes from & also how the “BadPluginServiceSignature” is resolved so that in subsequent runs the error doesn’t occur? Thanks again for this article, your awesome apps, and for everything that you do for the Mac community.

LikeLiked by 2 people
- 4
  
  hoakley on March 9, 2024 at 4:34 pm
  Reply
  
  Thank you.
  The story behind those bad signature messages is quite interesting.
  XPR runs in the background, as a service, that macOS wakes up every 24 hours or so, to run its routine scans. As it runs those twice, once as the user and once as root, there are two of the services running at any time. When they’re woken up to run scans, they communicate with them using secure XPC connections, which rely on signature checks to validate those connections.
  When XPR is updated, the existing two services are still running, although their code is replaced by the update. So when they next awake to run scans, the scanning modules are now new, and their new signatures don’t match the old services. So each of the two services is crashed because of that error, following which the new services are loaded and run. Because they have the new signatures, when they go to run the scanning modules, the signatures match, and the two sets of scans complete fine.
  So you see the two log entries reporting the bad signatures the next time scans are due to be run after an update. That’s why XPR reassures you that is normal, and the next sets of scans report normally again.
  I hope that explains it.
  Howard.
  
  LikeLiked by 2 people
5

Doug on March 9, 2024 at 4:06 pm
Reply

Thank you for an informative article.

Is there now any need to have other anti-virus software installed on a current Mac?

LikeLiked by 2 people
- 6
  
  hoakley on March 9, 2024 at 4:39 pm
  Reply
  
  That’s a very good question, and it all depends on your assessment of risk.
  I don’t run any other anti-malware software, although I do use security tools from Objective-See, which I strongly recommend (they’re also free). But that’s because I don’t do high-risk activities like download ‘warez’ cracked software, or trade in crypto, or visit other suspect websites. I also hope my awareness and suspicion are high, and my detection of phishing emails pretty good. So I consider myself to be at low risk, maybe wrongly!
  I also have the (fairly easy) option of running anything suspicious in a virtual machine, so I can check it out before installing it on any of my Macs.
  If you do run significant risks, then I think there are some excellent third-party products available. But they all carry their own disadvantages that you must also weigh up before using them.
  Howard.
  
  LikeLiked by 2 people
  - 7
    
    Enzo Vincenzo on March 10, 2024 at 7:38 am
    Reply
    
    Thanks, Howard, for the information about “Objective-See” which I did not know! 🙂 They seem like very serious people, like you. I saw on their site that they propose to become friends by sharing their respective links and it seems to me that perhaps it would be nice if you sponsored them and they, vice versa, did the same for you and your wonderful utilities. Together you represent a sort of Help Community 🙂 . But I guess you have already visited the page where the “Objective-See” team proposes this, “putting their face on it” even with a photograph of their own.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on March 10, 2024 at 5:46 pm
      
      Thank you. I did offer to donate the entire income of this blog to Objective-See, but Patrick thought that was a bit over-generous 🙂
      If you look back, you’ll see that I have been actively encouraging the use of their tools here since Patrick first started to develop them.
      Howard.
      
      LikeLiked by 1 person
9

Enzo Vincenzo on March 10, 2024 at 5:52 pm
Reply

You are great, Howard! You made my day. 🙂

LikeLiked by 1 person

Share this:

Related