Apple has released macOS Big Sur 11.3, which fixes a zero-day vulnerability that Shlayer malware operators had already been exploiting. The bug allowed malware to bypass Gatekeeper protection, Apple File Quarantine, and the notarization process.
The vulnerability, CVE-2021-30657, was discovered by information security specialist Cedric Owens. In a blog post, the researcher writes that he found a new way of packaging unsigned applications for macOS that makes Gatekeeper treat the application as if it were notarized and signed. In other words, an attacker's application could run without any of the usual warnings that it is untrusted.
Owens also asked renowned macOS security expert Patrick Wardle to test his findings.
In his own blog, Wardle confirms that Owens is completely correct, and also notes that he found malware samples that were already using this vulnerability to spread.
Jamf Protect researchers have also written about the issue.
According to them, the vulnerability has been exploited by the Shlayer malware developers since January 2021.
“This is the worst vulnerability in macOS in recent history, and Shlayer is a very advanced malware campaign,” says Patrick Wardle.
Let me remind you that, according to Kaspersky Lab, Shlayer has been the most widespread threat for macOS for two years already: in 2019, every tenth user of the company's security solutions encountered this malware at least once, and it accounted for almost 30% of all detections on this OS.
The first samples of the Shlayer family reached researchers back in February 2018; by early 2020, nearly 32,000 distinct malicious samples of the Trojan had been collected and 143 C&C domains had been identified.
Most often, Trojans of the Shlayer family download and install various adware applications on users' devices. In addition, their functionality theoretically allows them to download programs that not only flood users with advertisements, but also spontaneously open advertising pages in the browser and replace search results in order to serve even more advertisements.
It is also worth remembering that the operators can switch to more dangerous payloads, such as ransomware or wipers, at any time.
Let me remind you that I also previously wrote that the new PyMICROPSIA malware for Windows can also be used for attacks on Linux and macOS.