Security researchers from Jamf have uncovered a new strain of Mac-based malware dubbed Shlayer that bypasses some of macOS's built-in protections, including Gatekeeper, Notarization and File Quarantine.
These security technologies are designed to prevent unauthorized software from running on macOS systems.
“The exploit allows unapproved software to run on Mac and is distributed via compromised websites or poisoned search engine results,” Jaron Bradley of Jamf warned in a recent blog post.
Moreover, the Jamf security team found that attackers have been using this exploit in the wild since January 9th, 2021 via a variant of the Shlayer adware dropper. This variant was very similar to a previous sample discovered by Intego security. However, the new Shlayer malware has been re-packaged to abuse the Gatekeeper bypass vulnerability CVE-2021-30657.
Shlayer attack steps
Jamf described the steps used in Shlayer malware attacks:
- An attacker manually crafts an application bundle by using a script as the main executable (and does not create an Info.plist file).
- An attacker places the malicious application in a dmg for distribution.
- Once the dmg is mounted and the app is double-clicked, the script is executed without the quarantine, signature or notarization verification protections.
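The bundle layout in these steps can be hunted for on mounted volumes or download folders. The following is an added example, not code from Jamf or from the original article: it flags any .app bundle that has no Contents/Info.plist and contains a script in Contents/MacOS. Treating a leading "#!" as the marker of a script, and the default scan root /Volumes, are assumptions of this example.

```python
#!/usr/bin/env python3
"""Flag .app bundles with no Info.plist whose Contents/MacOS holds a script."""
import os
import sys


def is_script(path):
    """True if the file starts with a shebang (assumed heuristic for 'script')."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def scripts_in_bundle(bundle):
    """Return the script files found directly under <bundle>/Contents/MacOS."""
    macos_dir = os.path.join(bundle, "Contents", "MacOS")
    if not os.path.isdir(macos_dir):
        return []
    paths = (os.path.join(macos_dir, name) for name in sorted(os.listdir(macos_dir)))
    return [p for p in paths if os.path.isfile(p) and is_script(p)]


def suspicious_bundles(root):
    """Walk root; return (bundle, scripts) pairs matching the described pattern."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if not d.endswith(".app"):
                continue
            dirnames.remove(d)  # do not descend into the bundle itself
            bundle = os.path.join(dirpath, d)
            has_plist = os.path.isfile(os.path.join(bundle, "Contents", "Info.plist"))
            scripts = scripts_in_bundle(bundle)
            # A bundle with an Info.plist, or with only compiled binaries,
            # does not match the pattern and is skipped.
            if not has_plist and scripts:
                hits.append((bundle, scripts))
    return sorted(hits)


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/Volumes"
    for bundle, scripts in suspicious_bundles(scan_root):
        print("SUSPICIOUS:", bundle, "->", ", ".join(scripts))
```

A hit is a triage lead rather than a verdict; on a patched system, the bundle should still be inspected before it is opened.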
The vulnerability and malware threat affect any system running macOS versions 10.15 to 11.2.
Apple patched the Gatekeeper vulnerability CVE-2021-30657 as part of the macOS security updates on April 26 for Big Sur, Catalina, and Mojave.
The flaw was previously discovered by security researcher Cedric Owens, who also wrote about it in a blog post on Medium.