Overnight, Apple has pushed new updates to both XProtect and Malware Removal Tool, bringing the former to version number 2144; and the latter to version 1.77. Both updates are dated April 15, 2021.
Notable changes include new signatures for rules MACOS_ef3df25, MACOS_11eaac1 and MACOS_0e32a32 focused on preventing variants of Shlayer malware, and rule MACOS_6eaea4b - which prevents variants of XCSSET malware - has been named DUBROBBER.E by Apple. Additional coverage for XCSSET malware includes an update to rule MACOS_1db9cfa. Also included are expanded detections for rules MACOS_2afe6bd (Adload variant called Macnist) and MACOS_4d60c89 (Shlayer variant called WizardUpdate). These updates further Apple’s commitment to the security of its ecosystem by providing additional, out-of-the-box protection against Shlayer and XCSSET - two of the most prominent malware families seen in the wild today.
Apple took the opportunity to clean up the formatting of their XProtect rules file, allowing for better readability, while providing additional naming to further identify previously updated signatures, such as MACOS.2070d41(DUBROBBER.A), MACOS.9e2bab9 (DUBROBBER.B), MACOS.889c9e6 (DUBROBBER.C) and MACOS.1db9cfa(DUBROBBER.D).
No additional data about the update to MRT is available at this time.
For security reasons, Apple intentionally obfuscates the names of their protection rules to hinder analysis by threat actors. This is done in an effort to minimize disclosures that could otherwise weaken the built-in protections.
Jamf Protect is purpose-built to work with Apple’s native security tools, while also adding the capability of detecting and mitigating a wider range of known malware. Additionally, it provides alerting and reporting capabilities – including the identification of potential new threats — before new updates to XProtect and/or MRT may be available.