Today, Apple pushed new updates to both XProtect and the Malware Removal Tool (MRT), bringing the former to version 2145 and the latter to version 1.78. Both updates are dated April 29, 2021.
Notable changes include new signatures for rule MACOS_2b50ea5, aimed at preventing variants of the Adload malware. Apple also updated rules MACOS_1db9cfa and MACOS_6eaea4b to make the preexisting rules more comprehensive. This expands Apple's prevention of the XCSSET malware, which has been growing rapidly since XProtect version 2140. The update to these two rules blocks approximately fifty (50) additional hashes of XCSSET malware.
In the last two updates to XProtect, Apple has placed much of the focus on rules to prevent XCSSET, commonly viewed as one of the most prominent malware families seen in the wild today. In the version 2144 update, Apple added names to further identify previously updated signatures, such as MACOS.2070d41 (DUBROBBER.A), MACOS.9e2bab9 (DUBROBBER.B), MACOS.889c9e6 (DUBROBBER.C) and MACOS.1db9cfa (DUBROBBER.D).
In contrast, Apple has removed the naming of the DUBROBBER samples in this update, once again obfuscating them to the end-user. No additional data about the update to MRT is available at this time.
For security reasons, Apple intentionally obfuscates the names of its protection rules to hinder analysis by threat actors. This is done in an effort to minimize disclosures that could otherwise weaken the protections built into macOS.
Jamf Protect is purpose-built to work with Apple's native security tools, while also adding the capability of detecting and mitigating a wider range of known malware. Additionally, it provides alerting and reporting capabilities, including the identification of potential new threats, before new updates to XProtect or MRT may be available.