Apple-notarized malware foils macOS defenses (Security News, September 2020)
Shlayer adware creators have found a way to get their malicious payload notarized by Apple, allowing it to bypass anti-malware checks performed by macOS before installing any software.
The first known instance of notarized macOS malware was discovered last week by a college student who noticed that people who wanted to download Homebrew but mistyped the URL were being served a warning saying their Adobe Flash Player was out of date, along with an "update" for download. Security researcher Patrick Wardle analyzed the served package and confirmed that it is not an update but a notarized version of the macOS Shlayer adware, which Gatekeeper therefore does not flag as malicious.
"We're still not exactly sure what the Shlayer folks did to get their malware notarized, but increasingly, it's looking like they did nothing at all," said Apple security expert Thomas Reed, who compared the code of the notarized sample with that of an older Shlayer sample and spotted only minor changes.
"It's entirely possible that something in this code, somewhere, was modified to break any detection that Apple might have had for this adware. Without knowing how Apple was detecting the older sample, it would be quite difficult to identify whether any changes were made to the notarized sample that would break that detection," he pointed out.
Two days later the adware delivery campaign was still going strong: it was serving another Shlayer sample that had been notarized under a different Apple Developer ID. "The attackers' ability to agilely continue their attack is noteworthy. Clearly in the never-ending cat & mouse game between the attackers and Apple, the attackers are currently winning," Wardle commented.
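The practical lesson for defenders is that "notarized" only means Apple's automated scan passed; it says nothing about whether the signer is the vendor you expected. The script below is an added example, not part of the article or of any Apple tooling: it parses the text that `spctl --assess --verbose=2 --type install <file.pkg>` prints on macOS (assessment verdict, `source=` line, and the Team ID in parentheses on the `origin=` line) and compares the Team ID against the one you expect. The sample outputs and the Team IDs `ABCDE12345` and `ZZ9ZZ9ZZ9Z` are constructed placeholders, not values from the campaign.

```shell
#!/bin/sh
# Added example (not from the article): classify spctl assessment output
# against an expected Developer ID Team ID. Notarization alone is not a
# trust decision; the Team ID identifies who signed the package.

# classify_spctl EXPECTED_TEAM_ID SPCTL_OUTPUT
# Prints exactly one of:
#   trusted                   accepted, notarized, signed by the expected team
#   notarized-unexpected-team accepted and notarized, but by another Team ID
#   signed-not-notarized      accepted by Gatekeeper but not notarized
#   rejected                  Gatekeeper rejected it (or output unparseable)
classify_spctl() {
    expected="$1"
    out="$2"
    # First line looks like "<path>: accepted" or "<path>: rejected".
    verdict=$(printf '%s\n' "$out" | sed -n '1s/^.*: //p')
    # e.g. "source=Notarized Developer ID" or "source=no usable signature"
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p')
    # e.g. "origin=Developer ID Installer: Vendor (TEAMID)" -> TEAMID
    team=$(printf '%s\n' "$out" | sed -n 's/^origin=.*(\([A-Z0-9]*\))$/\1/p')

    if [ "$verdict" != "accepted" ]; then
        echo rejected
        return 0
    fi
    case "$src" in
        *Notarized*) ;;                      # notarized, keep checking
        *) echo signed-not-notarized; return 0 ;;
    esac
    if [ "$team" != "$expected" ]; then
        echo notarized-unexpected-team
        return 0
    fi
    echo trusted
}

# check_pkg EXPECTED_TEAM_ID PATH  -- live use on macOS only (spctl is an
# Apple tool); the verbose assessment is written to stderr, hence 2>&1.
check_pkg() {
    classify_spctl "$1" "$(spctl --assess --verbose=2 --type install "$2" 2>&1)"
}

# Constructed sample outputs (placeholder vendor names and Team IDs).
SAMPLE_OK='Installer.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: Example Vendor Inc. (ABCDE12345)'

SAMPLE_OTHER_TEAM='FlashPlayerUpdate.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: Some Individual (ZZ9ZZ9ZZ9Z)'

SAMPLE_NOT_NOTARIZED='Tool.app: accepted
source=Developer ID
origin=Developer ID Application: Example Vendor Inc. (ABCDE12345)'

SAMPLE_REJECTED='unknown.pkg: rejected
source=no usable signature'

# Walk through the samples when run directly.
for s in "$SAMPLE_OK" "$SAMPLE_OTHER_TEAM" "$SAMPLE_NOT_NOTARIZED" "$SAMPLE_REJECTED"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | sed -n '1s/:.*//p')" \
        "$(classify_spctl ABCDE12345 "$s")"
done
```

The second sample is the shape of the case in the article: Gatekeeper says "accepted" and the source is notarized, yet the Team ID belongs to someone other than the vendor whose software the user thought they were installing. Pinning the expected Team ID (Homebrew, for instance, is installed from a script on GitHub, not from a Flash Player package) is the check that notarization does not perform for you.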
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/L55a_KYcb7c/