Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
OS X Desktops (Apple) Operating Systems Security Software Technology

Shlayer Malware Disables macOS Gatekeeper To Run Unsigned Payloads (bleepingcomputer.com) 91

A new variant of the multi-stage Shlayer malware known to target macOS users has been observed in the wild, now being capable to escalate privileges using a two-year-old technique and to disable the Gatekeeper protection mechanism to run unsigned second stage payloads. Bleeping Computer reports: This new Shlayer variant unearthed by Carbon Black's Threat Analysis Unit (TAU) targets all macOS releases up to the latest 10.14.3 Mojave, and will arrive on the targets' machines as a DMG, PKG, ISO, or ZIP files, some of them also signed with a valid Apple developer ID to make them look legitimate. Shlayer samples found by TAU also use malicious shell scripts to download additional payloads just like older installments did, and, in the case of samples distributed as DMG images, will surreptitiously launch a .command script in the background after the user launches the fake Flash installer. The malicious script included in the DMG is encoded using base64 and will decrypt a second AES encrypted script which will be executed automatically after being decrypted.

One it successfully downloads the second stage malware payload, Shlayer will "to escalate privileges with sudo using a technique invoking /usr/libexec/security_authtrampoline," presented by Patrick Wardle in his Death by 1000 Installers talk at DEFCON 2017. The next step is to download extra payloads which all contain adware according to TAU and it makes sure they'll be able to run on the compromised Mac by disabling the Gatekeeper protection mechanism. After this is accomplished, all extra payloads downloaded and launched by Shlayer will be seen as whitelisted software because the OS will no longer check if they are signed with an Apple developer ID. Also, just in case the malware is not able to disable Gatekeeper on the infected Mac, some of the second stage payloads are also signed with valid developer IDs.

This discussion has been archived. No new comments can be posted.

Shlayer Malware Disables macOS Gatekeeper To Run Unsigned Payloads

Comments Filter:
  • Also, just in case the malware is not able to disable Gatekeeper on the infected Mac, some of the second stage payloads are also signed with valid developer IDs.

    So, this would infect people even if Apple fixes the bug right? The fact they can side step checks using signed code is a big deal by itself.

    I'm guessing those devel's got cracked, and have some work ahead of them...

    • by Anonymous Coward

      If it uses sudo to escalate privileges, feels to me the right thing is to uninstall sudo (can you in a mac?) And stick with su if root access is dear ly needed.

    • So, this would infect people even if Apple fixes the bug right?

      I believe the 2017 security_authtrampoline issue was patched quite some time ago. Assuming that’s the case, this would require some additional social engineering to work. However, as we’ve seen many times before, people are almost always the weakest link in the security chain - so...

      • by Anonymous Coward

        It was fixed after Wardle reported it to Apple, more than a year ago. Macs are protected if they are running the current 10.12 (Sierra) 10.13 (High Sierra), or 10.14 (Mojave).

    • by Jeremi ( 14640 )

      Presumably Apple will be blacklisting the compromised developer IDs in the very near future, if they haven't done so already.

      • Won't help most people who were dumb enough to run this program. You have to a) choose to pirate security software via bittorrent, b) not notice the version number is years out-of-date, and c) not realize the executable code in the files you downloaded are actually Windows code. Adding d) click the "run non-signed software" button is not gonna be terribly useful.

  • by Anonymous Coward

    Just download this executable to secure your mac: <a href="badguysite.org/install-malware.dmg">Antivirus</a>

  • I don't know what Apple can do about something like this. A valid dev ID can allow software to run as root with full root privs. The only way I can see Apple fixing this is moving the Gatekeeper options to the same place where one sets the T2 boot security via recovery mode, where it is inaccessible in the normal OS.

    (IIRC) Ages ago, Sprint required signed code on all their smartphones (this was pre-iPhone, and smartphones were a different type of device than PDA-phones, so they had mainly Windows Mobile o

    • by guruevi ( 827432 )

      In many cases these certs are gotten by posing as a legitimate developer to Apple and then signing malware with it. They actually pay the $99, often with a stolen credit card and will even publish "legitimate" apps (often rebranded/recompiled crap) before starting a campaign.

    • by AHuxley ( 892839 )
      The all extra payloads that have to be downloaded is the only tell as the "software" is trusted/approved by the OS.
  • by Anonymous Coward

    People just bypass the sandbox anyway since many freely available packages aren't signed.

Hotels are tired of getting ripped off. I checked into a hotel and they had towels from my house. -- Mark Guido

Working...