
Malware authors use a new trick to circumvent macOS Catalina defenses

Security researchers discovered an unusual malware campaign targeting Mac computers that gets around the security mechanisms built into macOS Catalina.

The devious scheme recently added to Mac malware makers’ arsenal allows harmful code to bypass Apple’s app notarization process. This security routine has been a part of the Gatekeeper feature since the October 2019 release of macOS Catalina 10.15. It raised the entry bar for suspicious software by displaying a popup alert whenever a user tries to execute an unverified program. Ideally, this mechanism should be effective enough to stop sketchy installations in their tracks, with the only options shown to the user being “Move to Trash” and “Cancel”.

A new Trojan distribution wave spotted by analysts at cybersecurity firm Intego pulls a clever trick to get around these rigid software trustworthiness requirements. Essentially, it misleads would-be victims into taking a non-standard route to install the app. Instead of double-clicking on the installer, which is the conventional way, they are instructed to control-click on it first, and then to click Open on the follow-up dialog.

Dialog allowing a malicious app to be opened despite macOS protection

This stratagem commences with the old-school search results poisoning hoax. The operators of two notorious Mac malware lineages, Shlayer and Bundlore, have set up a series of booby-trapped websites hosting application bundles camouflaged as Adobe Flash Player updaters. To make their dodgy web pages show up high in Google SERPs (search engine results pages) for a while, the felons add some black hat SEO to the mix. This way, popular search requests lead unsuspecting users to Trojan-riddled landing pages that tout malicious downloads under the guise of alerts saying, “Adobe Flash Player is out of date”. The corresponding disk image then displays steps to get the tool up and running – as previously stated, it tells the Mac user to right-click on it. This results in an extra popup dialog that actually contains an option to open the application, which would otherwise be missing as per app notarization criteria mentioned above.

At the next stage of the attack, a bash shell script is triggered behind the scenes and extracts a ZIP archive containing the harmful bundle. To smokescreen the infiltration, the app downloads a legitimate copy of Flash Player while pulling the Trojan in alongside it. It’s worth pointing out that the ZIP archive is password-protected. Pair this with the fact that the payload is reliably obfuscated by means of a bash shell script, and it becomes apparent that the cybercrooks are increasingly thinking outside the box to make sure their products fly below the radar of macOS native protection instruments.
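The notarization outcome described above (a bundle either passes Gatekeeper or is “rejected” and draws the alert) can be checked from the command line. The following audit script is an added example, not code from the article or from Intego; it assumes macOS with the stock `spctl` and `xattr` tools, and the quarantine value it parses is the standard `flags;hex_epoch;agent[;uuid]` layout.

```python
"""Audit downloaded .app bundles for their Gatekeeper state (added example)."""
import subprocess
import sys
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"


def parse_quarantine(value: str) -> dict:
    """Parse a com.apple.quarantine value: 'flags;hex_epoch;agent[;uuid]'.

    Gatekeeper only evaluates files carrying this attribute, so a bundle that
    arrives without it (or loses it) is never shown the notarization dialog.
    The flags field is kept raw: its bit meanings are not publicly documented.
    """
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine format: {value!r}")
    return {
        "flags": int(parts[0], 16),
        "downloaded_at": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2],                      # app that saved the file, e.g. Safari
        "uuid": parts[3] if len(parts) > 3 else None,
    }


def classify_spctl(output: str) -> str:
    """Reduce `spctl --assess -vv` output to accepted / rejected / unknown."""
    if "accepted" in output:    # notarized or otherwise trusted: opens normally
        return "accepted"
    if "rejected" in output:    # unnotarized: triggers the Gatekeeper alert
        return "rejected"
    return "unknown"


def assess_app(path: str) -> dict:
    """Combine quarantine metadata and the Gatekeeper verdict for one bundle."""
    xattr = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                           capture_output=True, text=True)
    quarantine = parse_quarantine(xattr.stdout) if xattr.returncode == 0 else None
    spctl = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", path],
                           capture_output=True, text=True)
    return {"path": path, "quarantine": quarantine,
            "verdict": classify_spctl(spctl.stdout + spctl.stderr)}


if __name__ == "__main__":
    for app in sys.argv[1:]:
        print(assess_app(app))
```

A downloaded bundle that still carries the quarantine attribute but comes back “rejected” is exactly the kind of file this campaign coaxes users into opening via control-click.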

To prevent their dodgy sites from being blacklisted or de-indexed, malware authors tend to serve dynamic content. It means that the material rendered when the page is crawled by a search engine can differ from the content shown to a regular user who reaches the page by entering its URL in a web browser. In the case of this particular distribution wave, the site takes on a different look when visited via a link in search results. This mix of techniques makes the ongoing malware campaign a moving target. Under the circumstances, one of the most efficient ways to avoid being hit is to stay away from Flash Player updates promoted on sites unrelated to the official Adobe resources.
