Hackers have been exploiting a previously unknown bug to hack into an unidentified number of Mac computers, according to security researchers who found the flaw and analyzed it.
The bug allowed hackers to create malware that could take control of a victim's computer, bypassing Apple's security protections on MacOS, such as Gatekeeper, File Quarantine, and app notarization requirements. These mechanisms in theory block files downloaded from the internet from accessing user files unless they are signed by known developers and have been checked by Apple for malicious software, as the company explains in official documentation.
"This is likely the worst or potentially the most impactful bug to everyday macOS users [in recent memory]," Patrick Wardle, an independent researcher who specializes in MacOS, told Motherboard.
A potential victim still had to double-click on a malicious file, but MacOS wouldn't show any alert or prompt, nor block the app from running, according to researchers.
The bug was discovered by security researcher Cedric Owens, who said he reported it to Apple on March 25. On Monday, Apple pushed a patch in the latest version (11.3) of MacOS Big Sur that fixed the bug.
An Apple spokesperson said that the company deployed rules to detect malware abusing this bug to its anti-virus app XProtect. These rules are automatically installed in the background, meaning all MacOS devices, including those running older versions of MacOS, will get this protection as well.
Owens agreed with Wardle about how dangerous this bug was.
"This payload is the most dangerous payload I personally have encountered on macOS given that it bypasses Gatekeeper, is not sandboxed, and all the user would need to do is double click," he said in an online chat.
What's worse, at least one group of hackers has been taking advantage of this bug to infect victims for months, according to Jaron Bradley, detections lead at Apple-focused cybersecurity company Jamf Protect.
Bradley said that the malware he discovered in collaboration with Wardle is an updated version of Shlayer, which is designed to install adware on the victims' computers. In 2020, Kaspersky Lab said it found Shlayer in one out of ten Mac computers monitored by the company's antivirus.
"One of our detections alerted us to this new variant, and upon closer inspection we discovered its use of this bypass to allow it to be installed without an end user prompt," Bradley said in an online chat. "Further analysis leads us to believe that the developers of the malware discovered the zero day and adjusted their malware to use it in early 2021."
The first version of Shlayer that was taking advantage of this bug was dated January 9, 2021, according to Bradley.
In its technical analysis of this malware, Jamf researchers said that it was designed to spread via "poisoned search engine results."
"In a real-world example, users could potentially stumble upon malware when searching for any commonly used terms," Bradley and his colleagues wrote.
Owens explained that the bug was in something called syspolicyd, which is tasked with assessing applications before they run. Owens said he found that he could masquerade a shell script as an app, and trick Gatekeeper into not checking it when a user double-clicked on the malicious app.
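For defenders triaging downloads, the bundle shape described above (an app whose executable is a script rather than a compiled binary) can be checked for directly. The following is an added example, not code from Owens, Jamf or Apple; the function names and the sample bundles are constructed for illustration. Legitimate apps sometimes use script launchers too, so a hit is a lead for review, not a verdict.

```python
import os
import tempfile

SCRIPT_MAGIC = b"#!"  # shebang: file is run by an interpreter, not a Mach-O binary

def script_executables(bundle):
    """Return files in <bundle>/Contents/MacOS that start with a shebang."""
    macos_dir = os.path.join(bundle, "Contents", "MacOS")
    hits = []
    if not os.path.isdir(macos_dir):
        return hits
    for name in sorted(os.listdir(macos_dir)):
        path = os.path.join(macos_dir, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as fh:
                if fh.read(2) == SCRIPT_MAGIC:
                    hits.append(path)
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
    return hits

def scan(root):
    """Walk root and map each .app bundle to its script executables, if any."""
    findings = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                bundle = os.path.join(dirpath, d)
                hits = script_executables(bundle)
                if hits:
                    findings[bundle] = hits
                dirnames.remove(d)  # do not descend into the bundle itself
    return findings

def build_sample(root):
    """Constructed sample: one script-based bundle, one with a Mach-O header."""
    for app, body in (("Invoice.app", b"#!/bin/sh\necho constructed sample\n"),
                      ("Editor.app", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)):
        d = os.path.join(root, app, "Contents", "MacOS")
        os.makedirs(d)
        with open(os.path.join(d, app[:-4]), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for bundle, files in scan(tmp).items():
            print(bundle, "->", [os.path.basename(f) for f in files])
```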
This is the latest example of Mac malware in the wild.
Earlier this year, security company Red Canary found a piece of malware called Silver Sparrow, which another security company detected on around 30,000 computers. Around the same time, Wardle found another piece of Mac malware written specifically for Apple's new M1 processors.