Shlayer macOS malware abuses zero-day to bypass Gatekeeper feature

Pierluigi Paganini April 27, 2021

Apple addresses a zero-day in macOS exploited by Shlayer malware to bypass Apple’s security features and deliver second-stage malicious payloads.

Apple has addressed a zero-day flaw in macOS that was exploited by Shlayer malware to bypass Apple’s File Quarantine, Gatekeeper, and Notarization security checks and download second-stage malicious payloads.

The developers behind the Shlayer malware have successfully managed to get their malicious payloads approved by Apple through its automated notarizing process in order to run on macOS.

Developers have to scan their software for macOS through the automated Apple’s notary service in order to have a green light from the Gatekeeper security feature.

In January 2020, security experts from Kaspersky Lab revealed that the Shlayer malware was the most widespread macOS threat in 2019. Over the years, the malware was continuously improved, it was able to escalate privileges and disable the Gatekeeper feature to run unsigned second-stage malware.

According to the Jamf Protect detection team, early this year threat actors behind the Shlayer malware created unsigned and unnotarized Shlayer samples that exploit a zero-day vulnerability (tracked as CVE-2021-30657). The flaw is a logic issue that could allow the malicious code to bypass Gatekeeper checks.

“Shlayer malware detected allows an attacker to bypass Gatekeeper, Notarization and File Quarantine security technologies in macOS. The exploit allows unapproved software to run on Mac and is distributed via compromised websites or poisoned search engine results.” reads the post published by Jamf Protect.

The latest variant of the malware is being distributed using black SEO and compromised websites, it can be easily executed by simply double-clicking on the malicious file. Experts pointed out that the new variant doesn’t require the right-click method for its execution because the malware comes packaged in the format required to abuse CVE-2021-1810.

Apple has released security to address the vulnerability in macOS Big Sur 11.3 and to prevent the malware from spreading. Once installed the updates, macOS users that will double click on the file will display a message informing them that the app cannot be opened because the developer cannot be identified.

“Since the malicious application is not notarized or signed with a valid developer’s certificate, the message will prompt the user to eject the mounted DMG containing the app bundle.” continues the post.

Jamf also published Indicators of Compromise for this threat.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Mac OS zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment