The latest XProtect update brings the bundle version to 2143 and expands the detections under the rule MACOS_1db9cfa.
In our analysis, the updated rule adds two hashes that match variants of XCSSet, malware that injects itself into Xcode projects so that it spreads through a developer's builds. Apple shipped the first version of the rule in XProtect 2142 on March 18, 2021. That release matched on file hashes only, rather than the pattern-based YARA signatures Apple typically includes, so it covered only the specific samples known at the time.
Apple's Malware Removal Tool (MRT) remains at version 1.76, even though XProtect and MRT are frequently updated together.
Apple obfuscates the names of its protection rules (hence identifiers such as MACOS_1db9cfa rather than a malware family name) to hinder analysis by threat actors and to minimize disclosures that could weaken the built-in protections.
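To verify an update like this on an endpoint, a practitioner wants to read the installed XProtect and MRT versions and confirm that the rule is present and how many hashes it now checks. The script below is an added example, not code from this post or from Jamf or Apple. It assumes the current bundle paths under /Library/Apple/System/Library/CoreServices (macOS 10.15 and later), an XML-format Info.plist, and that Apple's hash-based rules express each hash as a hash.sha256() comparison in the rule's condition; the sample plist and YARA file it creates are constructed stand-ins, not Apple's content, and the placeholder hashes are not real sample hashes.

```shell
#!/bin/sh
# Added example (not from the Jamf post or Apple): inspect XProtect/MRT state.
# Assumed paths; verify on your macOS build.
XPROTECT_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
XPROTECT_YARA="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara"
MRT_PLIST="/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist"

# CFBundleShortVersionString from an XML plist. awk rather than plutil/PlistBuddy so
# the parsing can be exercised off-box; on macOS `defaults read` does the same job.
plist_version() {
  awk '/<key>CFBundleShortVersionString<\/key>/ {
         getline; sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }' "$1"
}

# Succeeds if a rule whose name contains $2 is defined in YARA file $1.
rule_present() {
  grep -q "^rule [A-Za-z0-9_]*$2" "$1"
}

# Number of hash.sha256() comparisons inside the rule whose name contains $2
# (0 if the rule is pattern-based or absent). Assumes Apple's hash-rule form.
rule_hash_count() {
  awk -v name="$2" '
    /^rule / { inrule = (index($0, name) > 0) }
    inrule   { n += gsub(/hash\.sha256\(/, "&") }
    END      { print n + 0 }' "$1"
}

# Returns 0 only when XProtect is at least version $3 and rule $4 is present.
check_xprotect() {  # $1 plist, $2 yara, $3 minimum version, $4 rule name
  v=$(plist_version "$1")
  if [ "${v:-0}" -lt "$3" ]; then echo "XProtect $v is older than $3"; return 1; fi
  if ! rule_present "$2" "$4"; then echo "rule $4 not found"; return 1; fi
  echo "XProtect $v: $4 present, $(rule_hash_count "$2" "$4") hash(es)"
}

# Constructed sample files standing in for the real bundle (not Apple's content).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.XProtect</string>
  <key>CFBundleShortVersionString</key>
  <string>2143</string>
</dict>
</plist>
EOF
cat > "$SAMPLE_DIR/XProtect.yara" <<'EOF'
import "hash"
rule XProtect_MACOS_1db9cfa
{
    meta:
        description = "MACOS.1db9cfa"
    condition:
        Macho and filesize < 400000 and
        (hash.sha256(0, filesize) == "0000000000000000000000000000000000000000000000000000000000000001" or
         hash.sha256(0, filesize) == "0000000000000000000000000000000000000000000000000000000000000002" or
         hash.sha256(0, filesize) == "0000000000000000000000000000000000000000000000000000000000000003")
}
rule XProtect_Other_Pattern
{
    strings:
        $a = "example"
    condition:
        Macho and $a
}
EOF

# On a Mac, point at the live files instead:
#   check_xprotect "$XPROTECT_PLIST" "$XPROTECT_YARA" 2143 MACOS_1db9cfa
#   plist_version "$MRT_PLIST"    # still 1.76 at the time of this post
check_xprotect "$SAMPLE_DIR/Info.plist" "$SAMPLE_DIR/XProtect.yara" 2143 MACOS_1db9cfa
```

A rule whose condition is a list of hash.sha256() comparisons only matches the exact files Apple has seen, so a trivially recompiled variant slips past it; counting those comparisons as the rule is updated is a quick way to see whether Apple added coverage for new samples or moved to a pattern-based signature.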
Jamf Protect is purpose-built to work alongside Apple's native tools while detecting a wider range of known malware. It also alerts promptly, including on potential new threats before an XProtect or MRT update is available.