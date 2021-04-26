



Apple has spent years hardening macOS with new security features to make it harder for malware to break in. But a newly discovered vulnerability let a malicious app break through most of macOS’s newer security protections with a single double-click, something Apple’s defenses are specifically meant to prevent.

To make matters worse, there is evidence that a notorious family of Mac malware had been exploiting this vulnerability for months before Apple patched it this week.

Over the years, macOS has adapted to catch the most common types of malware by putting technical obstacles in its way. macOS flags potentially malicious apps disguised as documents downloaded from the Internet. Also, if an app has not been notarized (Apple’s term for its security check) or macOS doesn’t recognize the developer, the app won’t run without user intervention.

However, security researcher Cedric Owens said a bug he found in mid-March bypasses those checks and allows malicious apps to run.

Owens told TechCrunch that the bug allowed a potentially malicious app to be disguised as a harmless document, bypassing macOS’s built-in defenses when it is opened.

“Users only need to double-click, and it doesn’t generate any macOS prompts or warnings,” he told TechCrunch. Owens built a proof-of-concept app disguised as a harmless document that exploits the bug to launch the Calculator app, a way of showing that the bug works without dropping malware. He explained, however, that a malicious attacker could exploit the vulnerability to remotely access a user’s sensitive data simply by tricking the victim into opening a spoofed document.

Fearing that an attacker could exploit the vulnerability, Owens reported the bug to Apple.

Apple told TechCrunch that it fixed the bug in macOS 11.3. Apple also patched earlier macOS versions to prevent exploitation and pushed updated rules to XProtect, macOS’s built-in anti-malware engine, to block malware from exploiting the vulnerability.

Owens asked Mac security researcher Patrick Wardle to investigate how and why the bug works. In a technical blog post published today, Wardle explained that the vulnerability is triggered by a logic bug in macOS’s underlying code. The bug meant that macOS would misclassify certain app bundles, skip the security checks, and allow Owens’ proof-of-concept app to run unimpeded.

Simply put, a macOS app is not a single file but a bundle of the various files the app needs to work. It contains a property list file that tells the system where the files the app depends on are located. Owens discovered, however, that if you take this property file and build a bundle with a particular structure, you can trick macOS into opening the bundle and running the code inside it without triggering any warning.

Wardle said the bug rendered macOS’s security features “totally meaningless.” He confirmed that Apple’s security update fixes the bug. “This update will correctly classify applications as bundles, block untrusted and unnotarized applications (again), and protect users,” he told TechCrunch.

Knowing how the bug works, we asked Mac security company Jamf to check whether there was evidence that it had been exploited before Owens discovered it. Jamf’s Jaron Bradley confirmed that its detections had captured a sample of the Shlayer malware family exploiting the bug in early January, months before Owens’ discovery. Jamf has also published a technical blog post about the malware.

“The malware discovered using this technique is an updated version of Shlayer, a malware family first discovered in 2018. Because Shlayer is known to be one of the most abundant malware families on macOS, we developed a variety of detections for its many variants, and we are closely tracking its evolution,” Bradley told TechCrunch. “One of our detections alerted us to this new variant. Upon closer inspection, we found that this bypass was used to allow installation without end-user prompts. Further analysis leads us to believe that the malware developer discovered the zero-day in early 2021 and tuned the malware to use it.”

Shlayer is adware that intercepts encrypted web traffic, including HTTPS-enabled sites, and inserts its own ads to generate fraudulent advertising revenue for operators.

“Often it’s installed by tricking the user into downloading a fake application installer or updater,” Bradley said. “The version of Shlayer that uses this technique bypasses the built-in malware scan and launches without prompting the user with an additional ‘Are you sure?’” he said.

“The most interesting thing about this variant is that the author got an older version and made minor changes to bypass the security features of macOS,” Bradley said.

Wardle has also published Python scripts to help users detect past abuse of the bug.
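As an added illustration of the kind of check a detection script can make, and not Wardle’s script or any code from the original article, the following scans `.app` bundles and flags ones whose property list (`Info.plist`) is missing, unreadable, or does not resolve to a Mach-O main executable. The heuristics are this editor’s assumptions about what a misclassified bundle structure could look like, and the two bundles it builds are constructed placeholders, not real apps.

```python
import os
import plistlib
import tempfile

# Magic numbers of Mach-O executables (thin, both byte orders) and fat binaries.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def classify_bundle(bundle_path):
    """Return (verdict, reason) for one .app directory; an editor's heuristic, not Apple's logic."""
    contents = os.path.join(bundle_path, "Contents")
    plist_path = os.path.join(contents, "Info.plist")
    if not os.path.isfile(plist_path):
        return ("suspicious", "no Contents/Info.plist")
    try:
        with open(plist_path, "rb") as fh:
            info = plistlib.load(fh)
    except Exception as exc:
        return ("suspicious", f"Info.plist unreadable: {exc}")
    exe = info.get("CFBundleExecutable")
    if not exe:
        return ("suspicious", "Info.plist lacks CFBundleExecutable")
    exe_path = os.path.join(contents, "MacOS", exe)
    if not os.path.isfile(exe_path):
        return ("suspicious", f"CFBundleExecutable '{exe}' missing from Contents/MacOS")
    with open(exe_path, "rb") as fh:
        magic = fh.read(4)
    if magic not in MACHO_MAGICS:
        return ("review", f"main executable '{exe}' is not a Mach-O binary")
    return ("ok", "well-formed bundle")

def build_demo(root):
    """Construct one well-formed and one malformed bundle (placeholders, not real apps)."""
    good = os.path.join(root, "Good.app", "Contents")
    os.makedirs(os.path.join(good, "MacOS"))
    with open(os.path.join(good, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Good"}, fh)
    with open(os.path.join(good, "MacOS", "Good"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\0" * 28)  # fake 64-bit Mach-O header
    bad = os.path.join(root, "Invoice.app", "Contents", "MacOS")
    os.makedirs(bad)  # deliberately no Info.plist, so the bundle cannot be resolved
    with open(os.path.join(bad, "Invoice"), "w") as fh:
        fh.write("constructed placeholder, not executable code\n")

def demo():
    """Build the constructed bundles in a temp dir and return {bundle: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        build_demo(root)
        return {name: classify_bundle(os.path.join(root, name))[0]
                for name in sorted(os.listdir(root))}
```

On a real Mac, point `classify_bundle` at bundles under `/Applications` or a user’s Downloads folder; anything other than `ok` deserves a closer look rather than an automatic verdict.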

This isn’t the first time Shlayer has circumvented macOS protections. Last year, Wardle worked with security researcher Peter Dantini to discover a sample of Shlayer that Apple had mistakenly notarized. Notarization is the process by which developers submit their apps to Apple for security checks so they can run unimpeded on millions of Macs.

