Rewterz Threat Advisory – Slack Patches Critical Desktop Vulnerability
September 2, 2020
Severity
High
Analysis Summary
Apple accidentally notarized Shlayer malware as part of its security notarization process. The notarized malware payloads were discovered in a recent macOS adware campaign, disguised as Adobe Flash Player updates. The Apple notary service is an automated system on recent macOS versions that scans submitted software (macOS apps, kernel extensions, disk images and installer packages) for malicious content and checks it for code-signing issues. When a macOS user later installs the software, Apple's Gatekeeper security feature tells them whether any malicious code was detected before they open it.
A website (homebrew[.]sh) was actively hosting an adware campaign. The site is likely spoofing the legitimate Homebrew site (hosted at brew.sh), a free and open-source package management system that simplifies the installation of software on macOS. When users visited the site, it redirected several times before telling them that their Adobe Flash Player was out of date and recommending an update (via at least three separate pop-ups in the browser).
While the campaign looks like a fairly run-of-the-mill adware attack, what sets it apart is that the payloads satisfy Apple's notarization requirements, so Gatekeeper does not display the usual warning that the developer cannot be verified and that it is unknown whether the app is free from malware.
The notarized payloads appear to be OSX.Shlayer malware. Shlayer is one of the most common threats to Macs.
Apple quickly revoked the Developer code-signing certificate(s) that were used to sign the malicious payloads. This occurred on Friday, Aug. 28th.
Interestingly, as of Sunday (Aug. 30th) the adware campaign was still live and serving new payloads. Unfortunately, these new payloads are also notarized, so Mac users are still not safe from the Shlayer Trojan.
Impact
- Security Bypass
- Detection Evasion
- Unauthorized Access
Indicators of Compromise
Domain Name
- homebrew[.]sh
MD5
- 04e7bae95f86118fd5e347ee43537b06
SHA-256
- 1afcea3625c2725a95e87df1d660130a374c29e98624cb9b51b415c9f5c9e305
SHA-1
- 7f79800951160875b94df94bb834c30ad11a9021
Remediation
- Block the threat indicators at their respective controls.
- Only download software from verified official sites.
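The following is an added example (not part of the Rewterz advisory) that turns the remediation above into a hunt script: it hashes files under a directory, flags any whose MD5, SHA-1 or SHA-256 matches the advisory's indicators, and, on macOS only, asks Gatekeeper for its verdict on a hit with spctl, which is the check the notarization discussion earlier says users cannot rely on for these payloads. The function and variable names are assumptions made for this example.

```python
import hashlib
import platform
import shutil
import subprocess
from pathlib import Path

# Hash indicators taken verbatim from the advisory's IoC section (MD5, SHA-1, SHA-256).
ADVISORY_IOCS = {
    "04e7bae95f86118fd5e347ee43537b06",
    "7f79800951160875b94df94bb834c30ad11a9021",
    "1afcea3625c2725a95e87df1d660130a374c29e98624cb9b51b415c9f5c9e305",
}

def file_hashes(path):
    """Return md5, sha1 and sha256 hex digests of a file, read in 1 MiB chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}

def ioc_matches(path, iocs=ADVISORY_IOCS):
    """Return the names of the hash algorithms whose digest of `path` is in the IoC set."""
    return [name for name, digest in file_hashes(path).items() if digest.lower() in iocs]

def gatekeeper_assessment(path):
    """On macOS, ask Gatekeeper whether it would allow this file to execute.
    spctl prints 'accepted'/'rejected' plus the source (e.g. a notarized Developer ID)
    on stderr. Returns None when spctl is unavailable (non-macOS hosts)."""
    if platform.system() != "Darwin" or shutil.which("spctl") is None:
        return None
    result = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", str(path)],
                            capture_output=True, text=True)
    return (result.stderr or result.stdout).strip()

def scan(directory, iocs=ADVISORY_IOCS):
    """Walk `directory` recursively; map each matching file path to the algorithms that hit."""
    hits = {}
    for p in Path(directory).rglob("*"):
        if p.is_file():
            matched = ioc_matches(p, iocs)
            if matched:
                hits[str(p)] = matched
    return hits

if __name__ == "__main__":
    import sys
    for path, algos in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"IOC HIT ({', '.join(algos)}): {path}")
        print("  Gatekeeper:", gatekeeper_assessment(path) or "spctl not available on this host")
```

A hit that spctl still reports as accepted from a notarized source is exactly the condition the advisory describes, and should be treated as malicious regardless of the Gatekeeper verdict.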