Hackers abused a macOS security hole to infect users via poisoned search results MacBook

If you haven’t updated to the latest version of macOS yet, now is the time to do so as security researchers have identified a new campaign that uses fake application bundles to install malware on the Macs of unsuspecting users.

In a recent blog post, the mac malware specialists at Objective-See described an exploit that could allow an attacker to create a fake application bundle using a script as the primary executable in order to bypass File Quarantine, Gatekeeper and Notarization on macOS. 

While this exploit only works on versions of macOS before 11.3, the detections team at Jamf Protect has observed this exploit being used in the wild by a variant of the Shlayer malware used to drop adware. This new variant has also been repackaged to use a format necessary for carrying out the Gatekeeper bypass vulnerability.

One of the ways in which this campaign is spread is via poisoned search results. Cybercriminals often create fake webpages and hijack the results of search engines in order to spread malware and other viruses. This is why users must remain vigilant online even when using a legitimate search engine like Google.

Abusing Gatekeeper bypass

In order to abuse this vulnerability, an attacker would need to craft an application bundle using a script as the main executable and not create an Info.plist file. This application would then need to be placed into a dmg file for distribution. When the dmg is mounted and double clicked, the combination of a script-based application with no Info.plist file executes without any quarantine, signature or notarization verification.

Updating your Mac to the latest version of macOS is the easiest way to prevent falling victim to any attacks launched using this method as this vulnerability was patched with the release of macOS version 11.3 earlier today. If a user tries to execute the Shlayer malware on a patched version of macOS, they will see a pop-up which says that the software “cannot be opened because the developer cannot be identified”.

While macOS users running the latest version of Apple’s operating system are protected for now, the detections team at Jamf Protect makes the point in a new blog post that “Shlayer continues to reintroduce itself with innovative ways to infect macOS-based systems”.

As Macs have become more prevalent in the workplace as business laptops, cybercriminals have taken notice and they are now actively developing Mac malware to infect even more users.

social experiment by Livio Acerbo #greengroundit #techradar https://www.techradar.com/news/hackers-abused-a-macos-security-hole-to-infect-users-via-poisoned-search-results/