New Mac malware uses 'novel' tactic to bypass macOS Catalina security

Posted:
in General Discussion
Security researchers at antivirus firm Intego have discovered a new Mac malware in the wild that tricks users into bypassing modern macOS app security protections.

A new piece of Mac malware can bypass macOS Catalina security restrictions.
A new piece of Mac malware can bypass macOS Catalina security restrictions.


In macOS Catalina, Apple introduced new app notarization requirements. The features, baked in Gatekeeper, discourage users from opening unverified apps -- requiring malware authors to get more creative with their tactics.

As an example, Intego researchers have discovered a new Trojan horse malware actively spreading in the wild via poisoned Google search results that tricks users into bypassing those protections themselves.

The malware is delivered as a .dmg disk image masquerading as an Adobe Flash installer. But once it's mounted on a user's machine, it displays instructions guiding users through the malicious installation process.

The normal prompt that appears when an unverified button is clicked. Credit: Intego
The normal prompt that appears when an unverified button is clicked. Credit: Intego


In a tactic described by Intego as "novel," the malware asks users to right-click and open the malware instead of double-clicking it. Per macOS Catalina Gatekeeper settings, this displays a dialogue box that has an "Open" button. Normally, when clicking an unverified file, Apple doesn't allow users to open them so conveniently.

Right-clicking and opening a file allows users to run unverified software more easily. Credit: Intego
Right-clicking and opening a file allows users to run unverified software more easily. Credit: Intego


Normally, macOS discourages users from opening unverified apps by making the process more difficult. Specifically, forcing users to head into System Preferences to override Gatekeeper. The strategy also saves bad actors from signing up for an Apple Developer account or hijacking an existing one.

Once users actually open the installer app, it runs a bash shell script and extracts a password-protected .zip file that contains a more traditional malicious app bundle. Although it initially installs a legitimate version of Flash, Intego notes that it can also be used to download "any other Mac malware or adware package."

Interestingly, the malware has been spread via Google search results that redirect users to malicious webpages claiming that a browser's Flash Player is out of date. Intego added that the malware has, thus far, been able to avoid detection by most antivirus software.

The actual malicious portions of the malware are re-engineered variants of past macOS Trojans, such as Shlayer or Bundlore. Intego also spotted similar security-evading malware in 2019.

Who's at risk and how to avoid it

Even though Adobe Flash player will officially reach its end of life on Dec. 31, 2020, Intego notes that "outdated Flash" malware tends to be pretty successful. The aforementioned Shlayer Trojan, for example, infects about one in 10 Mac users.

Since the malware is actively spreading via Google search results, the risk for compromise is a bit higher. Intego notes that it appears when users search for the exact titles of YouTube videos.

Users can avoid this malware by only clicking on links that they absolutely trust. If any website asks you to download something unsolicited, get out of there.

Indicators of compromise can include the following apps: flashInstaller.dmv in Downloads; a FlashInstaller.zip file or a file named "Installer" in a subfolder in private/var/folders.

Intego notes that several domains -- including youdontcare.com, display.monster, yougotupdated.com and installerapi.com -- have been associated with this campaign. Any traffic to or from these domains "should be considered a possible sign of an infection," the researchers said.

Comments

  • Reply 1 of 15
    rob53rob53 Posts: 2,559member
    I should be fine. Don't use Google search and will never install Flash ever again. Apple should treat anything related to Flash as malware, especially since it has always been the easiest way to infect Macs (outside Word malware). I know there are people who still use and develop in Flash but let's move on. 
    razorpitviclauyycrotateleftbyteGG1lkruppjony0cat52watto_cobraols
  • Reply 2 of 15
    neilmneilm Posts: 893member
    Which is worse, a real Flash installer or a fake one? It's a toss-up.

    Just say no to Flash has been the watchword for years. Fortunately, Flash will be saying no to us all at the end of the year, as Adobe closes it down.

    Meanwhile, if you use some kind of legacy service that requires Flash, stop!
    edited June 2020 viclauyycGG1DAalsethlkruppjony0watto_cobraols
  • Reply 3 of 15
    rob53 said:
    I should be fine. Don't use Google search and will never install Flash ever again.
    Well Said. This is exactly the advice that I've been giving out for around six years. I removed Flash from my old MBP in 2014 and have never needed to install it again. Any website that demands it gets ignored withing a few seconds. Thankfully, they are reducing in number.
    watto_cobraols
  • Reply 4 of 15
    anantksundaramanantksundaram Posts: 20,185member
    I am old enough to remember — can’t believe it was over 13 years ago! — SJ saying Flash was crap, and taking so much heat for it. 
    lkruppcat52watto_cobraols
  • Reply 5 of 15
    dysamoriadysamoria Posts: 3,393member
    Wait. Who’s still using Flash on websites? I haven’t been to Fat-Pie or Home Star Runner in years and I think they just publish videos now anyway. I’m sure it’s still great to have as an animation tool, but not as a browser plugin or web feature.
  • Reply 6 of 15
    shaminoshamino Posts: 473member
    Fortunately, the need for Flash is pretty low these days.  And Adobe themselves will be dropping it on December 31st.  So there's probably little reason to keep it around.

    That having been said, trojans like this are nothing new.  Corrupted/hacked web pages have been linking to fake software installers for a very very long time.  The way to guard against them today is the same as it has always been:  Only download installers/updaters directly from the manufacturer's official download site.  Don't trust anything from any other source.

    In the case of Flash Player, once it is (legitimately) installed, the easiest approach is to configure it for automatic updates.  It does a very good job of keeping the installation current.  If you should ever worry that your version is out of date, go to its preference panel (in System Settings) and click the "Check Now" button on the Updates tab.  Let it check itself.

    And if you're worried about zero-day exploits in Flash, use the protection features that most web browsers include.  Use Firefox's "Ask To Activate" feature (or equivalent features in Chrome and Safari) so the plugin will only load on web pages where you have explicitly authorized it.  You can authorize it for the (probably very small) number of web sites that legitimately need it and leave it disabled everywhere else.
    watto_cobra
  • Reply 7 of 15
    lkrupplkrupp Posts: 9,287member

    The malware is delivered as a .dmg disk image masquerading as an Adobe Flash installer.



    Nuff said. Stupid is as stupid does. I haven't run into a website that requires Flash in over two years now but I do sometimes get Flash update popups even though I don't have Flash installed. Some users will click on anything to get to something they want
    watto_cobra
  • Reply 8 of 15
    sflocalsflocal Posts: 5,653member
    I am old enough to remember — can’t believe it was over 13 years ago! — SJ saying Flash was crap, and taking so much heat for it. 
    Yep.  I distinctly remember all the back-and-forth chest-thumping of the Flash-Fanboys giving Apple crap for not allowing Flash on the iPhone, and how Adobe was trying to spread its propaganda nonsense about how unfair Apple was being for not supporting Flash on the iPhone.

    Where are those whiners now?  As usual, they are suspiciously silent.
    jony0watto_cobraols
  • Reply 9 of 15
    sflocalsflocal Posts: 5,653member

    lkrupp said:

    The malware is delivered as a .dmg disk image masquerading as an Adobe Flash installer.



    Nuff said. Stupid is as stupid does. I haven't run into a website that requires Flash in over two years now but I do sometimes get Flash update popups even though I don't have Flash installed. Some users will click on anything to get to something they want
    Every so often I still get sites that have been hijacked informing me that "My flash player is out of date and needs to be updated".  That right there gets and immediate window shut-down.

    That being said, I do have clients that still fall for that Flash window and do click on it.  Sad.
    watto_cobraols
  • Reply 10 of 15
    digitoldigitol Posts: 237member
    Mac os x security is a misnomer and a joke. All my macs have it all disabled, as it gets in the way more than it protects. Freeware. :D 
  • Reply 11 of 15
    MplsPMplsP Posts: 3,142member
    This doesn’t just affect google search results - I have had ads on reputable websites that hijack the page and tell me my flash player is out of date. It’s especially amusing when it happens on my iPad or iPhone. Thankfully, Steve Jobs made sure Flash was out of date on these the day they were made!

    I agree with SJ - Flash is trash and one of the biggest security holes on any platform. The problem is I have a site I need for work that uses it so I’m forced to install it. :/
    watto_cobraols
  • Reply 12 of 15
    auxioauxio Posts: 2,296member
    sflocal said:
    I am old enough to remember — can’t believe it was over 13 years ago! — SJ saying Flash was crap, and taking so much heat for it. 
    Yep.  I distinctly remember all the back-and-forth chest-thumping of the Flash-Fanboys giving Apple crap for not allowing Flash on the iPhone, and how Adobe was trying to spread its propaganda nonsense about how unfair Apple was being for not supporting Flash on the iPhone.

    Where are those whiners now?  As usual, they are suspiciously silent.
    Not to mention that competitors like Android were using Flash support as a "feature" which made them better than iPhone.  Until people actually used it on a phone and realized how crap the experience was since many Flash sites relied on features like mouse hover effects which were useless on a touch-based device.
    watto_cobra
  • Reply 13 of 15
    I cannot believe anyone is still falling for this.  Adobe Flash? Delete.
    watto_cobraols
  • Reply 14 of 15
    mattinozmattinoz Posts: 1,597member
    Any malware using Flash install as vector is not novel.
    The real question is how many years it's still going to keep working with Flash EOL'ed?

    edited June 2020 watto_cobra
  • Reply 15 of 15
    tyzingtyzing Posts: 1member
    I have a folder called "INSTALL" in my VAR folder, can't gain access...any reasons to be worried?
    watto_cobra
Sign In or Register to comment.