Shlayer macOS malware abuses zero-day to bypass Gatekeeper feature

Apple addresses a zero-day in macOS exploited by Shlayer malware to bypass Apple’s security features and deliver second-stage malicious payloads.

Apple has addressed a zero-day flaw in macOS that was exploited by Shlayer malware to bypass Apple’s File Quarantine, Gatekeeper, and Notarization security checks and download second-stage malicious payloads.

Previously, the developers behind Shlayer had even managed to get malicious payloads approved through Apple's automated notarization process, so that they ran on macOS without a Gatekeeper warning.

Developers submit their macOS software to Apple's automated notary service; a successful scan is what gives the application a green light from the Gatekeeper security feature.

In January 2020, security experts from Kaspersky Lab revealed that Shlayer was the most widespread macOS threat of 2019. Over the years the malware was continuously improved; earlier variants escalated privileges and disabled Gatekeeper in order to run unsigned second-stage payloads.

According to the Jamf Protect detection team, early this year the threat actors behind Shlayer created unsigned and unnotarized samples that exploit a zero-day vulnerability, tracked as CVE-2021-30657. The flaw is a logic issue that allows the malicious code to bypass the Gatekeeper checks.

“Shlayer malware detected allows an attacker to bypass Gatekeeper, Notarization and File Quarantine security technologies in macOS. The exploit allows unapproved software to run on Mac and is distributed via compromised websites or poisoned search engine results.” reads the post published by Jamf Protect.

The latest variant is distributed through black SEO and compromised websites, and it runs as soon as the victim double-clicks the malicious file. Experts pointed out that the new variant does not need the right-click, "Open" workaround that users normally apply to unsigned apps, because the malware is packaged in the layout that triggers CVE-2021-30657: an app bundle whose main executable is a script and which carries no Info.plist, so the affected macOS versions did not treat it as an application and skipped the Gatekeeper, notarization and File Quarantine checks.
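The following triage script is an added example, not Jamf's detection rule and not Apple tooling. It assumes the bundle shape described in public analyses of CVE-2021-30657 (a script as the Contents/MacOS executable and no Contents/Info.plist) and builds two constructed demo bundles in a temporary directory, one normal and one in the exploit shape, so it runs offline on any POSIX system. On macOS it additionally shows the quarantine attribute and the verdict of `spctl` for each bundle; elsewhere those two checks are skipped.

```shell
#!/bin/sh
# Added example, not Jamf's detection rule or Apple's tooling.
# Flags .app bundles laid out the way the CVE-2021-30657 samples were:
# no Contents/Info.plist, and a shell script (not a Mach-O binary) as the
# executable under Contents/MacOS. macOS before 11.3 did not classify such a
# directory as an application bundle, so Gatekeeper, File Quarantine and the
# notarization check never ran when it was double-clicked.
# The two demo bundles built below are constructed for this example.

# check_bundle <Foo.app>
#   0 = Info.plist present (normal layout)
#   1 = no Info.plist and a script executable (30657-style, suspicious)
#   2 = not an app bundle at all
check_bundle() {
    app="$1"
    [ -d "$app/Contents" ] || { echo "not a bundle: $app"; return 2; }

    if [ -f "$app/Contents/Info.plist" ]; then
        echo "ok: $app carries Info.plist"
        return 0
    fi

    for exe in "$app"/Contents/MacOS/*; do
        [ -f "$exe" ] || continue
        # A shebang as the first two bytes means a script, not a Mach-O.
        if [ "$(head -c 2 "$exe")" = "#!" ]; then
            echo "SUSPICIOUS: $app has no Info.plist and script executable $(basename "$exe")"
            return 1
        fi
    done
    echo "warn: $app has no Info.plist but no script executable either"
    return 0
}

# On macOS, show whether the download carries a quarantine flag and what
# Gatekeeper would decide; on other systems these tools are absent and skipped.
gatekeeper_status() {
    app="$1"
    if command -v xattr >/dev/null 2>&1; then
        xattr -p com.apple.quarantine "$app" 2>/dev/null || echo "no quarantine xattr on $app"
    fi
    if command -v spctl >/dev/null 2>&1; then
        spctl --assess --type execute -v "$app" 2>&1 || true
    fi
}

# Build one normal-looking bundle and one shaped like the exploit sample.
# Prints the temporary directory that holds them.
make_demo_bundles() {
    d=$(mktemp -d)
    mkdir -p "$d/Good.app/Contents/MacOS" "$d/Bad.app/Contents/MacOS"
    printf '<?xml version="1.0"?><plist><dict></dict></plist>\n' \
        > "$d/Good.app/Contents/Info.plist"
    # Stand-in for a compiled binary: the 64-bit Mach-O magic 0xFEEDFACF as it
    # sits on disk (little-endian), constructed for the demo.
    printf '\317\372\355\376' > "$d/Good.app/Contents/MacOS/Good"
    # The 30657 shape: a script as the main executable, no Info.plist.
    printf '#!/bin/sh\necho stage-two-download-would-happen-here\n' \
        > "$d/Bad.app/Contents/MacOS/Bad"
    chmod +x "$d/Good.app/Contents/MacOS/Good" "$d/Bad.app/Contents/MacOS/Bad"
    echo "$d"
}

demo_dir=$(make_demo_bundles)
for b in "$demo_dir/Good.app" "$demo_dir/Bad.app"; do
    check_bundle "$b"
    gatekeeper_status "$b"
done
```

Run it as `sh check_bundle.sh`, or source it and call `check_bundle /path/to/Downloaded.app` on a real bundle; a return value of 1 is what a pre-11.3 system would have happily launched without any prompt. The layout check is structural, so it is only a triage heuristic: a legitimate bundle is never missing its Info.plist, but a missing Info.plist alone does not prove the sample is Shlayer.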

Apple has released security updates that address the vulnerability in macOS Big Sur 11.3 and stop this variant from running. Once the update is installed, a user who double-clicks the file is shown a message stating that the app cannot be opened because the developer cannot be identified.

“Since the malicious application is not notarized or signed with a valid developer’s certificate, the message will prompt the user to eject the mounted DMG containing the app bundle.” continues the post.

Jamf also published Indicators of Compromise for this threat.


Pierluigi Paganini

(SecurityAffairs – hacking, Mac OS zero-day)
