![]() First, we want to develop mitigations and blocks that are more effective than the legacy methods used by XProtect and second, we want to be able to analyse malware behavior and track campaigns in order to get ahead of threat actors. That deep dive is necessary for at least two reasons. It’s great to see Apple taking a lead, but Apple rarely shares threat intel, and if the threat is blocked by XProtect on Catalina, it prevents researchers from diving deeper into how the threat works. In recent months, Apple have not only been updating their internal security tools more frequently but also discovering some threats ahead of other researchers. Times have changed, however, and Apple have belatedly come to recognize that Macs are being targeted in the wild by a variety of different threat actors. ![]() On top of that, prior to Catalina, XProtect was always easy to bypass anyway. Not so long ago, researchers probably wouldn’t have cared much about malware known to XProtect, as XProtect was updated only infrequently and didn’t cover a lot of threats known to the macOS research community. ![]() Why You Might Want to Run Known Malware on Catalina In this post, we’ll look at the ways researchers can bypass this hardening and still run known malware on Catalina if they need to. This is great news for users, but potentially a problem for researchers who want to explore the finer details of how a sample known to XProtect actually behaves. For security researchers, this means it’s now no longer possible to run malware known to XProtect just by removing the quarantine bit with the xattr utility, as has always been the case on older versions of macOS. In macOS 10.15 Catalina, Apple have made a number of security improvements, including hardening the system by making all executable files subject to scanning by XProtect, regardless of whether the file is tagged with the bit or not.
0 Comments
Leave a Reply. |