The Many Faces of Undetected macOS InfoStealers | KeySteal, Atomic & CherryPie Continue to Adapt

macOS infostealers KeySteal, Atomic InfoStealer, and CherryPie continue to evolve, evading static signatures and expanding their distribution methods. The article details how each family persists and hides its activity, and it provides actionable indicators for threat hunters and defenders. Hashtags: #KeySteal #AtomicInfoStealer #CherryPie #GaryStealer #ChatGPT #XProtect #Gatekeeper

Keypoints

  • macOS infostealers continue to adapt and evade detection, with multiple families remaining undetected by static engines.
  • KeySteal uses macOS persistence via Launch Daemons/Launch Agents locations such as /Library/LaunchDaemons/com.apple.googlechrome.plist and ~/Library/LaunchAgents/com.apple.googleserver.plist.
  • KeySteal samples have evolved to multi-architecture Mach-O binaries with names like UnixProject and ChatGPT, with some versions undetected by XProtect or scoring low on VirusTotal.
  • Atomic InfoStealer now has variants written in C++ with checks that hinder analysis in Terminal or a virtual machine, and it embeds its stealing logic as clear-text AppleScript; earlier versions included an obfuscated Go variant.
  • CherryPie (Gary Stealer) is a cross-platform Go stealer with anti-analysis and VM checks, uses hardcoded strings, can be packaged using the Wails project, and can disable Gatekeeper while carrying an ad hoc signature.
  • Distribution methods include DMG-based installers named CrackInstaller and Cozy World Launcher, often via torrents or gaming-focused channels.
  • SentinelOne notes protection for KeySteal, Atomic InfoStealer, and CherryPie, with detection modes like Detect-Only and Protect to block malicious behaviors.
  • MITRE Techniques

    • [T1543] Create or Modify System Process – The malware persists by dropping components in Launch Daemons/Launch Agents: ‘persistence components in the following locations: /Library/LaunchDaemons/com.apple.googlechrome.plist ~/Library/LaunchAgents/com.apple.googleserver.plist’.
    • [T1036] Masquerading – The authors use misleading names such as UnixProject and ChatGPT for binaries.
    • [T1116] Code Signing – Samples are signed with an ad hoc code signature, suggesting the binary was built in Xcode: ‘samples are signed with an ad hoc code signature with artifacts suggesting the binary was built in Xcode, Apple’s development IDE.’
    • [T1027] Obfuscated/Compressed Files – Prior obfuscated Go version of Atomic Stealer noted: ‘an obfuscated Go version of Atomic Stealer which appeared shortly after Apple’s XProtect update v2178 (Jan 2024).’
    • [T1497] Virtualization/Sandbox Evasion – The malware checks to see if it is being run inside a Virtual Machine: ‘it checks to see if the malware is being run inside a Virtual Machine.’
    • [T1059.005] Command and Scripting Interpreter: AppleScript – Current Atomic variants embed clear AppleScript for stealing logic: ‘hard-coded AppleScript in clear text, clearly indicating the malware’s stealing logic.’
    • [T1071] Web Protocols – C2 communication uses a hard-coded domain/address: ‘The hard-coded C2, and threat hunters and static detections will still have some luck pivoting off that.’
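The persistence and masquerading points above (Apple-style labels such as com.apple.googlechrome.plist dropped into launchd directories) are easy to hunt for once you know the pattern. The script below is an added example written for this summary; it is not SentinelOne's code and not taken from the original article. It parses LaunchDaemon/LaunchAgent property lists and flags entries whose Label or file name claims the `com.apple.` namespace but whose program is not under the Apple-owned path prefixes in `APPLE_PROGRAM_PREFIXES` (that prefix list is a heuristic assumption, not an Apple-published rule). The embedded sample plists are constructed for the demonstration so the script runs offline; `scan_dirs()` walks the real launchd directories when run on a Mac.

```python
"""Hunt for launchd persistence items that masquerade as Apple software.

Added example (not SentinelOne's code). Flags LaunchDaemon/LaunchAgent plists
whose Label or file name claims 'com.apple.' but whose program lives outside
Apple-owned paths, the naming trick described for KeySteal.
"""
import os
import plistlib
from typing import Iterable, Optional

# Directories launchd reads; the first two are the locations named in the
# KeySteal write-up. The per-user path is expanded at scan time.
LAUNCH_DIRS = [
    "/Library/LaunchDaemons",
    "~/Library/LaunchAgents",
    "/Library/LaunchAgents",
]

# Heuristic (assumption): where genuine Apple-labelled launch items point
# their programs. Anything else under a com.apple label deserves a look.
APPLE_PROGRAM_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/",
                          "/usr/bin/", "/Library/Apple/")


def program_of(plist: dict) -> Optional[str]:
    """Return the executable a launchd job would start, or None if absent."""
    if isinstance(plist.get("Program"), str):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def assess(path: str, data: bytes) -> Optional[dict]:
    """Parse one plist; return a finding if it looks like masquerading, else None."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed plist in a launchd dir: report, don't crash
        return {"path": path, "reason": f"unparseable plist: {exc}"}
    label = str(plist.get("Label", ""))
    name = os.path.basename(path)
    if not (label.startswith("com.apple.") or name.startswith("com.apple.")):
        return None
    program = program_of(plist)
    if program is None:
        return {"path": path, "label": label,
                "reason": "apple label without a program"}
    if program.startswith(APPLE_PROGRAM_PREFIXES):
        return None
    return {"path": path, "label": label, "program": program,
            "reason": "com.apple label but program outside Apple paths"}


def scan_dirs(dirs: Iterable[str] = LAUNCH_DIRS) -> list:
    """Walk the real launchd directories (macOS only) and collect findings."""
    findings = []
    for d in dirs:
        d = os.path.expanduser(d)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(d, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            finding = assess(full, data)
            if finding:
                findings.append(finding)
    return findings


def _plist(label: str, args: list) -> bytes:
    return plistlib.dumps({"Label": label, "ProgramArguments": args, "RunAtLoad": True})


# Constructed samples for the demo; the paths mimic the report's naming but
# the contents are invented here, not recovered from real malware.
SAMPLES = {
    "/Library/LaunchDaemons/com.apple.googlechrome.plist":
        _plist("com.apple.googlechrome", ["/Users/Shared/UnixProject"]),
    "/Library/LaunchDaemons/com.apple.locationd.plist":
        _plist("com.apple.locationd", ["/usr/libexec/locationd"]),
    "/Users/me/Library/LaunchAgents/com.vendor.updater.plist":
        _plist("com.vendor.updater", ["/Applications/Vendor.app/Contents/MacOS/updater"]),
    "/Users/me/Library/LaunchAgents/com.apple.googleserver.plist":
        plistlib.dumps({"Label": "com.apple.googleserver", "RunAtLoad": True}),
}


def scan_samples() -> list:
    """Run the check over the constructed samples (two of the four should fire)."""
    return [f for f in (assess(p, d) for p, d in SAMPLES.items()) if f]


if __name__ == "__main__":
    for finding in scan_samples() + scan_dirs():
        print(finding)
```

On a live system, pair a hit from this script with a `codesign -dv` look at the referenced program: the report notes the samples carry only an ad hoc signature, so an Apple-labelled job launching an ad hoc-signed binary from a user-writable path is a strong triage signal.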

Indicators of Compromise

KeySteal

95d775b68f841f82521d516b67ccd4541b221d17
f75a06398811bfbcb46bad8ab8600f98df4b38d4
usa[.]4jrb7xn8rxsn8o4lghk7lx6vnvnvazva[.]com

Atomic InfoStealer

1b90ea41611cf41dbfb2b2912958ccca13421364
2387336aab3dd21597ad343f7a1dd5aab237f3ae
8119336341be98fd340644e039de1b8e39211254
973cab796a4ebcfb0f6e884025f6e57c1c98b901
b30b01d5743b1b9d96b84ef322469c487c6011c5
df3dec7cddca02e626ab20228f267ff6caf138ae

CherryPie

04cbfa61f2cb8daffd0b2fa58fd980b868f0f951
09de6c864737a9999c0e39c1391be81420158877
6a5b603119bf0679c7ce1007acf7815ff2267c9e
72dfb718d90e8316135912023ab933faf522e78a
85dd9a80feab6f47ebe08cb3725dea7e3727e58f

Read more: https://www.sentinelone.com/blog/the-many-faces-of-undetected-macos-infostealers-keysteal-atomic-cherrypie-continue-to-adapt/