macOS Catalina Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/macos-catalina/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Mon, 26 Oct 2020 23:28:51 +0000 en-US hourly 1 https://wordpress.org/?v=76115 200474804 Attackers again deceived Apple’s notarization process https://gridinsoft.com/blogs/attackers-again-deceived-apples-notarization-process/ https://gridinsoft.com/blogs/attackers-again-deceived-apples-notarization-process/#respond Mon, 26 Oct 2020 23:28:51 +0000 https://blog.gridinsoft.com/?p=4478 In September 2020, I talked about how the Shlayer malware successfully passed the notarization process and was able to run on any Mac running macOS Catalina and newer. Now there is information that the attackers again deceived the notarization process. Apple introduced the “notarization process” security mechanism in February of this year: any Mac software… Continue reading Attackers again deceived Apple’s notarization process

The post Attackers again deceived Apple’s notarization process appeared first on Gridinsoft Blog.

]]>
In September 2020, I talked about how the Shlayer malware successfully passed the notarization process and was able to run on any Mac running macOS Catalina and newer. Now there is information that the attackers again deceived the notarization process.

Apple introduced the “notarization process” security mechanism in February of this year: any Mac software distributed outside the App Store must undergo a notarization procedure so that it can run on macOS Catalina and above.

Basically, any Mac software now has to go through an automated scan at Apple for malware and code signing issues. If the checks are passed, the application is whitelisted and the Gatekeeper allows launching and installing it on the system without any problems.explain Apple developers.

Unfortunately, just like Bouncer (an automated security system that scans Android apps before uploading them to the Google Play Store), Apple’s app notarization process isn’t perfect either. Thus, in total, more than 40 notarized applications infected with the Shlayer Trojan and BundleCore adware have been detected.

Most often, Trojans of the Shlayer family download and install various adware applications on the user’s device. In addition, their functionality theoretically allows downloading programs that not only flood users with advertisements, but also spontaneously open advertising pages in browsers and replace search results in order to download even more advertising messages.told information security experts.

Now, researcher Joshua Long of Intego says that he has identified six more malicious applications that have successfully passed the notarization process.

All six found “products” pretended to be Flash installers, but in fact downloaded OSX/MacOffers adware onto victims’ machines, which, in particular, interferes with the operation of the search engine in the user’s browser.

Attackers deceived the notarization process

The expert writes that Apple revoked the developer’s certificate for these malwares before Intego specialists had time to finish their investigation. It is unclear how Apple discovered these applications: perhaps the company received a warning from another cybersecurity researcher, or someone from their affected Mac users notified the company of what was happening.

As Adobe, along with other companies, plans to permanently phase out Flash support in late 2020, Long has once again urged users to stop downloading Flash installers, which are usually malicious.

The post Attackers again deceived Apple’s notarization process appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/attackers-again-deceived-apples-notarization-process/feed/ 0 4478
Shlayer malware bypassed Apple security checks https://gridinsoft.com/blogs/shlayer-malware-bypassed-apple-security-checks/ https://gridinsoft.com/blogs/shlayer-malware-bypassed-apple-security-checks/#respond Tue, 01 Sep 2020 16:08:38 +0000 https://blog.gridinsoft.com/?p=4244 Security expert Peter Dantini discovered that the Shlayer malware bypassed Apple’s checks: it successfully passed the software notarization process and could run on any Mac running macOS Catalina and newer. In February of this year, Apple introduced a new security mechanism: any Mac software distributed outside the App Store must go through a notarization process… Continue reading Shlayer malware bypassed Apple security checks

The post Shlayer malware bypassed Apple security checks appeared first on Gridinsoft Blog.

]]>
Security expert Peter Dantini discovered that the Shlayer malware bypassed Apple’s checks: it successfully passed the software notarization process and could run on any Mac running macOS Catalina and newer.

In February of this year, Apple introduced a new security mechanism: any Mac software distributed outside the App Store must go through a notarization process in order to run on macOS Catalina and above.

“Basically, any software for the Mac now has to go through an automated scan at Apple for malware and code signing issues. If the checks are passed, the Gatekeeper allows the application to run on the system”, – explained Apple experts.

On Twitter, Peter Dantini writes that Apple’s automated checks do not seem to be very reliable. The researcher discovered that Shlayer malware installers were distributed through the malicious site Homebrew, which had passed the notarization (as usual, under the mask of updates for the Adobe Flash Player). Therefore, they could be run even on the latest macOS 11.0 Big Sur.

Dantini’s find was confirmed by another well-known expert, Patrick Wardle, who writes in a blog that he immediately notified Apple of the notarized malware, and the company revoked Shlayer’s certificates on the same day, August 28, 2020. This means that the Gatekeeper will now automatically block them.

Shlayer bypassed Apple checks

However, over the last August weekend, a researcher found that the Shlayer campaign was still picking up steam, with offering users new notarized payloads the same day Apple revoked the original certificates. World writes that the old and new payloads are almost identical – they contain OSX.Shlayer, also Bundlore adware.

“It is obvious that in the endless game of cat and mouse between malefactors and Apple, malefactors are still winning”, — concludes the expert.

According to Kaspersky Lab, Shlayer has been the most widespread threat for macOS for two years now: in 2019, every tenth user of the company’s security solutions encountered this malware at least once, and its share in relation to all detections on this OS is almost 30%.

The first copies of the Shlayer family fell into the hands of researchers back in February 2018. At the beginning of 2020, almost 32,000 different malicious Trojan samples were collected, and were identified 143 C&C domains.

Most often, Trojans of the Shlayer family download and install various adware applications on the user’s device. In addition, their functionality theoretically allows downloading programs that not only flood users with advertisements, but also spontaneously open advertising pages in browsers and replace search results in order to download even more advertising messages.

Let me also remind you that recently Google experts talked about vulnerabilities in Apple operating systems.

The post Shlayer malware bypassed Apple security checks appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/shlayer-malware-bypassed-apple-security-checks/feed/ 0 4244