fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Malware Authors Trick Apple Into Trusting Malicious Shlayer Apps

Malware Authors Trick Apple Into Trusting Malicious Shlayer Apps

Malware authors trick Apple into trusting malicious Shlayer apps

The authors of the Mac malware known as Shlayer have successfully managed to get their malicious payloads through Apple’s automated notarizing process.

Since February 2020 all Mac software distributed outside of its Mac App Store must be notarized by Apple to be able to run on macOS Catalina and above.

The notarization process requires developers to submit software they built for the macOS platform to be scanned through Apple’s notary service, an automated system designed to scan submitted software for both malicious components and code-signing issues.

If they pass this automated security check, the apps are allowed by the macOS Gatekeeper — a macOS security feature that checks if downloaded apps have been checked for known malicious content — to run on the system.

As Apple describes this process, “[i]f there’s ever a problem with an app, Apple can quickly stop new installations and even block the app from launching again.”

Apple’s notarization process failed

Although the company says that notarizing macOS software is designed to give “users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components,” as discovered by Peter Dantini last week, Apple was tricked into notarizing Shlayer malware samples.

He discovered notarized Shlayer adware installers being distributed through a fake and malicious Homebrew website, installers that could be executed on any Mac running macOS Catalina without being automatically blocked on launch.

This allowed the threat actors behind this adware campaign to deliver their payloads to systems where the installers would have been previously blocked.

Security researcher Patrick Wardle confirmed that these installers were indeed delivering Shlayer adware samples notarized by Apple, which means that they can also infect users running the company’s latest macOS 11.0 Big Sur version.

Even worse, given that the samples had Apple’s seal of approval, users might trust them without thinking twice thus allowing the malware developers to spread their payloads to an even higher number of systems, dropping a persistent Bundlore adware variant on infected Macs.

After Wardle reported the notarized malware samples to Apple, the company reacted immediately and revoked the certificates (which means that they will automatically be prevented by Gatekeeper) the same day, on August 28.

Shlayer malware sample blocked by Gatekeeper
Shlayer malware sample blocked by Gatekeeper (Patrick Wardle)

However, over the weekend, the researcher found that the Shlayer campaign was still going strong, serving new payloads notarized the day Apple revoked the initial sample’s certificates.

“Both the old and ‘new’ payload(s) appears to be nearly identical, containing OSX.Shlayer packaged with the Bundlore adware,” Wardle said.

“However the attackers’ ability to agilely continue their attack (with other notarized payloads) is noteworthy.

“Clearly, in the never-ending cat & mouse game between the attackers and Apple, the attackers are currently (still) winning.”

Also read: NDA Data Protection: The Importance, Its Meaning And Laws

The Shlayer macOS malware

Even though some Mac users think that malware only targets Windows and that Macs are virtually safe, Shlayer has been observed attacking over 10% of all Macs according to a Kaspersky report from January 2020.

Last year, a Shlayer variant was observed in the wild by Carbon Black’s Threat Analysis Unit while escalating privileges using a two-year-old technique and disabling Gatekeeper’s protection mechanism altogether to run unsigned second stage payloads.

Shlayer was first spotted by Intego’s research team while being distributed as part of a malware campaign in February 2018, disguised as a fake Adobe Flash Player installer just as many other malware families targeting the macOS platform.

Just as it did in the past, the newer malware versions are distributed as malicious Adobe Flash software update installers but, unlike the original ones which were pushed through torrent sites, Shlayer is now spreading via fake update pop-ups shown to potential victims on hijacked domains or clones of legitimate sites, or as part of far-reaching malvertising campaigns on legitimate websites.

After it infects a Mac, Shlayer will install the mitmdump proxy software and a trusted certificate so it can analyze and modify HTTPS traffic, allowing it to inject ads web pages, monitor the victims’ browser traffic, as well as to inject malicious scripts into visited sites.

To make things worse, this also allows the malware to analyze and alter all traffic, even encrypted traffic such as online banking and secure email.

Besides deploying the traffic monitoring proxy on compromised machines, Shlayer’s authors are currently only deploying adware as a secondary payload but they can switch payloads at any time to drop more dangerous malware strains like ransomware or wipers.

Also read: Intrusion Into Privacy All About Law And Legal Definition

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us