Cybersecurity · · 2 min read

Silent Threats in the System: Unmasking KeySteal, Atomic, and CherryPie in the macOS Landscape

Silent Threats in the System: Unmasking KeySteal, Atomic, and CherryPie in the macOS Landscape

Welcome back to The Final Hop, where we delve into the evolving landscape of cybersecurity threats. Today, we're focusing on a critical issue facing macOS users: the persistent and adaptable menace of macOS infostealers, specifically KeySteal, Atomic InfoStealer, and CherryPie. Despite Apple's rigorous updates to its XProtect signature database, these sophisticated malware strains continue to slip through the cracks, posing a serious challenge to enterprise security.

KeySteal: AI Bandwagon Jumper

KeySteal first emerged in 2021 and has undergone significant evolution. Originally distributed in .pkg format with an embedded macOS utility "ReSignTool," it has now shifted to multi-architecture Mach-O binaries with names like “UnixProject” and “ChatGPT”. This malware has adapted beyond Apple's XProtect detection and shows low detection scores on platforms like VirusTotal. It's known for stealing Keychain information and establishing persistence on infected systems. The latest versions have seen a shift in their primary methods, indicating a continuous evolution in their approach to evade detection.

Atomic InfoStealer: The Shapeshifter

First reported by SentinelOne last year, Atomic InfoStealer has shown a remarkable ability to adapt and evade detection. Existing in multiple variants concurrently, this malware indicates different development paths rather than a single evolving version. The most recent version, written in C++, includes mechanisms to prevent detection and analysis. This includes disabling the Terminal during its operation and checks for virtual machine environments. Distribution is suspected through torrents and social media platforms, with the malware often found in .dmg files with deceptive names.

CherryPie: Slippery Despite Detection

CherryPie, also known as Gary Stealer, was added to XProtect under v2176. Written in Go, it's a cross-platform stealer for Windows and macOS, containing extensive anti-analysis and VM detection logic. CherryPie has been seen using the legitimate open-source Wails project to wrap its malicious code. Notably, it attempts to disable Gatekeeper on macOS devices, allowing it to execute unhindered. Despite being caught by Apple, many static detection engines are still struggling to identify and block this malware effectively.

SentinelOne's Role in Detection

SentinelOne has highlighted that their customers are protected against these infostealers. With their platform, these threats are identified and neutralized, showcasing the effectiveness of modern EDR platforms against such sophisticated malware.

Conclusion and Final Thoughts

The continuous adaptation of these infostealers poses a significant challenge to macOS enterprise security. It's clear that relying solely on signature-based detection is becoming increasingly insufficient. A comprehensive, layered approach to security is essential. This includes proactive threat hunting, enhanced detection rules, and an understanding of evolving tactics. The insights provided by SentinelOne underscore the need for constant vigilance and innovation in cybersecurity strategies to protect against these persistent threats​​.

Remember, staying informed and proactive is key to safeguarding your digital environment. Join us again at The Final Hop for more insights into the ever-changing world of cybersecurity. Stay safe and stay ahead of the threats!

Read next