Bundlore copyless7/1/2023 However, switch views in the Finder and then toggle hidden files with the key chord Command-Shift-Period, and we can see there’s a bunch of other files hidden away on the disk image. The disk image is typically downloaded by users who have been tricked through social engineering to believing they need to update Adobe Flash player. The image above shows how the Shlayer.a variant presents itself to users when they mount the disk image that contains it. While a scary-looking shell script might put some potential victims on alert, a nice icon like this will look harmless enough to many others. Moreover, with clever uses of aliases and filenames, attackers don’t even need to use an application bundle at all. A python or shell script will do just as well. The second problem was never really a problem to begin with, but it took malware authors a while to either catch on to, or bother to implement, the fact that the file format inside an application bundle can be anything you like – it doesn’t have to be a Mach-O. Instructions like this allow even non-admin users to override Gatekeeper with two-clicks and let the malware launch. Attackers have realized that due to increasing security controls on legitimate applications, many macOS users have become familiarized with the process and are undaunted by the prospect of simply overriding their own security preferences. Shlayer and related adware installers like Bundlore have got around both of these problems with surprising ease. First, they still have to lose the Gatekeeper “quarantine bit” (read here if you’re not familiar with how Gatekeeper works) and second, asking victims to download and execute a sketchy-looking script is not a convincing look for malware that’s trying to pass itself off as a legitimate application. ![]() But scripts have a couple of disadvantages, too. They’re easier to iterate on, they’re harder to scan, and although they can technically be codesigned, they don’t have to be, and that codesigning is in any case a brittle and easily removed extended attribute. Using a scripting language offers attackers a number of advantages. And on top of that, building and compiling new binaries to beat hash and Yara rule checks is also more work for attackers than they would like. The life of a binary file downloaded from the internet is one of a series of hurdles to leap over. Legacy-style AV will scan binaries on execution, while macOS itself will check such binaries for Notarization and codesigning on first launch. The problem with such compiled binaries from a threat actor’s point of view is that they have a lot of code surface for detection. The Mach-O is to macOS what PE is to Windows or ELF to Linux: the standard system executable format at the heart of GUI applications. From adware to OSX.Dok and APT Lazarus group targeted attacks, the first stage infection is typically a standard Apple application bundle containing a malicious Mach-O binary file. Until recently, most threat actors approached macOS infection in pretty much the same way. This method has proven to be an effective means of beating built-in macOS security controls and, indeed, a number of end user protection tools, too. In this post, we’ll explore in more detail the infection method adopted by Shlayer and other malware families recently. ![]() The resounding answer to that is “Yes, of course they do!”, and they’re getting infected at increasing rates because malware authors have adapted and evolved their techniques. ![]() ![]() Research suggesting that 10% of all Kaspersky-protected Macs had been hit by Shlayer malware in 2019 certainly caught the attention of last week’s news cycle, and hopefully it’s the sort of stat that can serve as a wake-up call to those who still ask in 2020 “Do Macs get viruses?” (by which, of course, they mean ‘do Macs get infected with malware?’). The Myth of the Safe Mac is something we’ve written about before, but sometimes it takes a startling statistic to get people’s attention.
0 Comments
Leave a Reply. |