Shlayer malware bypasses Gatekeeper on macOS

Shlayer malware bypasses Gatekeeper on macOS

Security researchers from Jamf have uncovered a new strain of mac-based malware dubbed Shlayer that bypasses some of macOS built-in protections to include Gatekeeper, Notarization and File Quarantine.

These security technologies are designed to prevent unauthorized software from running on macOS systems.

“The exploit allows unapproved software to run on Mac and is distributed via compromised websites or poisoned search engine results,” Jaron Bradley of Jamf warned in a recent blog post.

Moreover, the Jamf security team found that attackers were using this exploit in the wild since January 9th, 2021 via a variant of the Shlayer adware dropper. This variant was very similar to previous sample discovered by Intego security. However, the new Shlayer malware has been re-packaged to abuse the Gatekeeper bypass vulnerability CVE-2021-30657. 

Shlayer attack steps

Jamf described the steps used in Shlayer malware attacks:

  1. An attacker manually crafts an application bundle by using a script as the main executable (and does not create an Info.plist file).
  2. An attacker places the malicious application in a dmg for distribution.
  3. Once the dmg is mounted and app is double-clicked, the script is executed without the quarantine, signature or notarization verification protections.

The vulnerability and malware threat affects any systems running macOS versions 10.15 to 11.2.

Mitigations

Apple patched the Gatekeeper vulnerability CVE-2021-30657 as part of the macOS security updates on April 26 for Big Sur, Catalina, and Mojave.

The flaw was previously discovered by security researcher Cedric Owens, who also wrote about it in a blog post on Medium.

Related Articles