Slashdot Mirror


Shlayer Malware Disables macOS Gatekeeper To Run Unsigned Payloads (bleepingcomputer.com)

A new variant of the multi-stage Shlayer malware known to target macOS users has been observed in the wild, now capable of escalating privileges using a two-year-old technique and of disabling the Gatekeeper protection mechanism to run unsigned second-stage payloads. Bleeping Computer reports: This new Shlayer variant unearthed by Carbon Black's Threat Analysis Unit (TAU) targets all macOS releases up to the latest 10.14.3 Mojave, and will arrive on the targets' machines as DMG, PKG, ISO, or ZIP files, some of them also signed with a valid Apple developer ID to make them look legitimate. Shlayer samples found by TAU also use malicious shell scripts to download additional payloads just like older installments did, and, in the case of samples distributed as DMG images, will surreptitiously launch a .command script in the background after the user launches the fake Flash installer. The malicious script included in the DMG is encoded using base64 and will decrypt a second AES-encrypted script which will be executed automatically after being decrypted.

Once it successfully downloads the second-stage malware payload, Shlayer will attempt "to escalate privileges with sudo using a technique invoking /usr/libexec/security_authtrampoline," presented by Patrick Wardle in his Death by 1000 Installers talk at DEFCON 2017. The next step is to download extra payloads, which according to TAU all contain adware, and it makes sure they'll be able to run on the compromised Mac by disabling the Gatekeeper protection mechanism. After this is accomplished, all extra payloads downloaded and launched by Shlayer will be seen as whitelisted software because the OS will no longer check if they are signed with an Apple developer ID. Also, just in case the malware is not able to disable Gatekeeper on the infected Mac, some of the second-stage payloads are also signed with valid developer IDs.
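The staging pattern described above (a base64-wrapped .command script that unwraps a further decryption step before reaching for sudo) is what a triage scanner should peel apart before matching indicators. The following is an added defensive example, not code from the article or from TAU; the indicator list and the sample .command text are constructed for illustration and are not the report's IoCs.

```python
import base64
import re

# Behavioural indicators taken from the article's description of the Shlayer
# stages (base64-wrapped script, AES-encrypted second stage decrypted with
# openssl, sudo/security_authtrampoline, Gatekeeper policy change). The list
# is constructed for this example; it is not the TAU report's IoCs.
INDICATORS = {
    "base64_decode": re.compile(r"base64\s+(?:-D|-d|--decode)\b"),
    "openssl_decrypt": re.compile(r"openssl\s+enc\b.*-aes[\w-]*"),
    "remote_fetch": re.compile(r"\b(?:curl|wget)\b"),
    "sudo_trampoline": re.compile(r"security_authtrampoline|\bsudo\b"),
    "gatekeeper_policy": re.compile(r"\bspctl\b"),
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_layers(text, max_depth=3):
    """Return the script text plus every base64 blob inside it that decodes
    to text, recursively, so indicators hidden one or more encodings deep
    are visible to the scanner."""
    layers, frontier = [text], [text]
    for _ in range(max_depth):
        nxt = []
        for layer in frontier:
            for m in B64_BLOB.finditer(layer):
                try:
                    dec = base64.b64decode(m.group(0), validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue  # binary or not base64 at all: skip it
                if all(c.isprintable() or c in "\r\n\t" for c in dec):
                    nxt.append(dec)
        if not nxt:
            break
        layers.extend(nxt)
        frontier = nxt
    return layers


def scan(text):
    """Names of indicators found in any decoded layer, sorted, for triage."""
    hits = set()
    for layer in decode_layers(text):
        for name, rx in INDICATORS.items():
            if rx.search(layer):
                hits.add(name)
    return sorted(hits)


# Constructed sample of a .command file (not a real Shlayer artifact): the
# visible script only pipes a blob through base64; the wrapped script
# references a local AES-encrypted stage and sudo, which is what we flag.
_INNER = "openssl enc -d -aes-256-cbc -in ./stage2.enc -k PLACEHOLDER | sudo sh"
SAMPLE_COMMAND = 'eval "$(echo ' + base64.b64encode(_INNER.encode()).decode() + ' | base64 -D)"'
BENIGN_COMMAND = "#!/bin/sh\nopen /Applications/Installer.app\n"

if __name__ == "__main__":
    print("sample:", scan(SAMPLE_COMMAND))  # base64_decode, openssl_decrypt, sudo_trampoline
    print("benign:", scan(BENIGN_COMMAND))  # []
```

Matching only the outer script would see nothing but a base64 pipe; the hits come from the decoded layer, which is the point of unwrapping before matching.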

23 of 91 comments

  1. 2 issues it seems by G00F · · Score: 1

    Also, just in case the malware is not able to disable Gatekeeper on the infected Mac, some of the second stage payloads are also signed with valid developer IDs.

    So, this would infect people even if Apple fixes the bug right? The fact they can side step checks using signed code is a big deal by itself.

    I'm guessing those devs got cracked, and have some work ahead of them...

    --
    The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
    1. Re: 2 issues it seems by Anonymous Coward · · Score: 1

      If it uses sudo to escalate privileges, feels to me the right thing is to uninstall sudo (can you on a Mac?) and stick with su if root access is dearly needed.

    2. Re:2 issues it seems by 93+Escort+Wagon · · Score: 2

      So, this would infect people even if Apple fixes the bug right?

      I believe the 2017 security_authtrampoline issue was patched quite some time ago. Assuming that’s the case, this would require some additional social engineering to work. However, as we’ve seen many times before, people are almost always the weakest link in the security chain - so...

      --
      #DeleteChrome
    3. Re:2 issues it seems by Jeremi · · Score: 1

      Presumably Apple will be blacklisting the compromised developer IDs in the very near future, if they haven't done so already.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    4. Re:2 issues it seems by Anonymous Coward · · Score: 1

      It was fixed after Wardle reported it to Apple, more than a year ago. Macs are protected if they are running the current 10.12 (Sierra), 10.13 (High Sierra), or 10.14 (Mojave).

    5. Re:2 issues it seems by NicBenjamin · · Score: 1

      Won't help most people who were dumb enough to run this program. You have to a) choose to pirate security software via bittorrent, b) not notice the version number is years out-of-date, and c) not realize the executable code in the files you downloaded is actually Windows code. Adding d) click the "run non-signed software" button is not gonna be terribly useful.

  2. Re: but but but by Anonymous Coward · · Score: 1

    This still requires a user to actively run a process. Hardly the stuff of the Windows drive-by malware.

  3. The Fix is here... by Anonymous Coward · · Score: 1

    Just download this executable to secure your mac: <a href="badguysite.org/install-malware.dmg">Antivirus</a>

  4. Re: but but but by Anonymous Coward · · Score: 1

    Not a virus. Requires you to download and open it. No machine or OS is protected against stupid users.

  5. Classic Trojan horse? by ctilsie242 · · Score: 1

    I don't know what Apple can do about something like this. A valid dev ID can allow software to run as root with full root privs. The only way I can see Apple fixing this is moving the Gatekeeper options to the same place where one sets the T2 boot security via recovery mode, where it is inaccessible in the normal OS.

    (IIRC) Ages ago, Sprint required signed code on all their smartphones (this was pre-iPhone, and smartphones were a different type of device than PDA-phones, so they had mainly Windows Mobile offerings.) As a requirement, all code signing keys came on physical smart cards (Aladdin eTokens to be specific.) It was Draconian, but at the time, it did a decent job at ensuring nobody could snatch a developer's key and make off with it. Maybe Apple should have, as an option, an Apple HSM (perhaps a rebranded YubiKey HSM) so developers have a physical device that the key never leaves, and a physical button which must be pressed for a signing to actually happen (i.e. a remote attacker will be stuck waiting for the physical YubiKey button press.)

    By having the key in an HSM, even without YubiKey's physical authentication, it will ensure that at worst, an attacker has to log on and use the HSM for nefarious reasons, but couldn't grab the key from it.

    1. Re:Classic Trojan horse? by guruevi · · Score: 1

      In many cases these certs are gotten by posing as a legitimate developer to Apple and then signing malware with it. They actually pay the $99, often with a stolen credit card and will even publish "legitimate" apps (often rebranded/recompiled crap) before starting a campaign.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Classic Trojan horse? by AHuxley · · Score: 1

      All the extra payloads that have to be downloaded are the only tell, as the "software" is trusted/approved by the OS.

      --
      Domestic spying is now "Benign Information Gathering"
  6. Re: but but but by Anonymous Coward · · Score: 1

    Except this is an actual software installer. You've got to type your password. It isn't like a .doc vulnerability.

  7. I thought the whole idea of Apple-vetted by presidenteloco · · Score: 1

    Developer ids and signed software was to provide a level of assurance to the downloader user.

    Clearly these developer ids should be invalidated (revoked) in a MacOS update, no?

    --
    Where are we going and why are we in a handbasket?
    1. Re:I thought the whole idea of Apple-vetted by scdeimos · · Score: 2

      Developer ids and signed software was to provide a level of assurance to the downloader user.

      No they weren't. It's to confirm that the software came from the identified party; it doesn't provide any guarantee that the enclosed software is all nice and pretty and not going to completely fuck over your computer. This is the same problem as SSL/TLS certificates on HTTPS sites - people mistakenly assume trust where it's only conveying identity.

      Clearly these developer ids should be invalidated (revoked) in a MacOS update, no?

      Yes.

    2. Re:I thought the whole idea of Apple-vetted by jpaine619 · · Score: 3, Informative

      Wrong. I can give my SSL key to anyone. That person can use it to spy on the traffic.

      Generally, outside of a few aberrations, SSL certs are given to the owner of a domain. i.e. You know you've landed at moron.com because the SSL cert was given to moron.com. Attaching the SSL cert to any domain other than moron.com is going to result in an error. Thus the primary reason to use a signed cert is to prove IDENTITY.

  8. What about a public registry by presidenteloco · · Score: 1

    of developer real-world identity (corporate and/or personal) for each developer id.

    And a requirement that developers buy into an insurance plan so that if their developer id is used for malware, end-users can file a class-action lawsuit against the developer and recover damages via the insurance pool.

    Or better yet, rather than a cumbersome class-action, have a pre-setup mediation service administered by Apple.

    --
    Where are we going and why are we in a handbasket?
    1. Re:What about a public registry by presidenteloco · · Score: 1

      No. Not everyone needs a unique verifiable id. Only if you want to publish software to users of an attempting-to-be-secure platform.

      --
      Where are we going and why are we in a handbasket?
  9. Re: Slashvertisement for Intego Virus software by jpaine619 · · Score: 1

    Gates or Borg" in his parent's basement in Wisconsin.

    It's Gates of Borg.. i.e. they are one and the same.

  10. Re:Once again: So much for 'code signing' bs... ap by Anonymous Coward · · Score: 1

    Right as rain as usual APK. So much that the troll morons that stalk you as unidentifiable anonymous and impersonate you are out in force.

  11. In other news... by Anonymous Coward · · Score: 1

    People just bypass the sandbox anyway since many freely available packages aren't signed.

  12. Re:Once again: So much for 'code signing' bs... ap by Anonymous Coward · · Score: 1

    APK you really shouldn't talk to yourself, especially in the 3rd person. It doesn't make you look mentally stable, but then even your regular posts don't make you look mentally stable.

  13. Re: but but but by mvreijn · · Score: 1

    Yeeeees, well, have you read the article in the link? I wonder how many people you deem 'stupid' will follow a Flash player update installer prompt after visiting a website. Probably most. Even you.