On April 26th, Apple published an update to macOS patching a security vulnerability disclosed to them by Security Researcher Cedric Owens. The vulnerability bypasses Gatekeeper checks by utilizing stolen Apple Developer IDs, which were used to sign the malware. By signing the malware with these legitimate Apple certificates, the attackers can bypass all quarantine and security mechanisms that would normally prevent installation and execution. Attackers have already taken advantage of this vulnerability across multiple samples studied by Jamf and Patrick Wardle, with the final payload being Shlayer, a common loader for macOS.
Analyst Notes
If organizations are utilizing macOS devices internally, it is important to remind users to update their devices as major security patches like this arise. If organizations have security products like Jamf, remote administration of patching might also be available. A simple python script (scan.py) by Patrick Wardle of Objective-See is provided below to assist in hunting for malware on affected devices.
References:
https://objective-see.com/blog/blog_0x64.html
https://objective-see.com/downloads/blog/blog_0x64/scan.py
https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/
https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508
https://therecord.media/apple-patches-gatekeeper-bypass-bug-abused-by-malware-gang/
