The majority of Mac infections are "user-assisted", which Apple combats via:
✅Notarization
✅Gatekeeper
✅File Quarantine
...these have proven problematic for attackers
But oops, this bug sidesteps all, allowing unsigned (unnotarized) items to be launched ...with no alerts!😭
In this blog post, we dig deep into the bowels of macOS to uncover the root cause of the bug.
Turns out a subtle (logic) flaw in the policy subsystem is to blame!
In collaboration w/ @JamfSoftware, we uncovered the fact that attackers were *already* exploiting this flaw successfully as an 0day 😱
Shortly, they'll be posting more about their findings & analysis: "Shlayer Malware Abusing Gatekeeper Bypass On Macos": jamf.com/blog/shlayer-m…
Reversing Apple's patch in macOS 11.3, we find in the system policy engine (as expected) an improved bundle detection algorithm.
This appears to (adequately?) address the flaw 🙌
Far before Apple's patch, BlockBlock (objective-see.com/products/block…) with “Notarized Mode” enabled, would generically detect and thwart this 0day attack! 🔥
BlockBlock is 100% free and 100% open-source 🔥🔥
Also releasing a simple (PoC) Python script that queries and parses macOS's undocumented ExecPolicy database to proactively uncover exploitations! 👀
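To illustrate the kind of query such a script runs, here is an added example (not the thread author's PoC, nor Apple's code). It opens a copy of the ExecPolicy SQLite database, dumps the schema so the analyst can confirm the table layout, and then lists scan-cache rows that carry no code-signing identity at all, which is what an unsigned, unnotarized item slipping past Gatekeeper would leave behind. The database path, the table name `policy_scan_cache`, and the column names used are assumptions about an undocumented format; `build_sample_db()` constructs an in-memory database with that assumed layout purely so the example runs offline.

```python
import sqlite3

# Assumed path of the undocumented database (reading the live copy needs root).
DEFAULT_DB = "/var/db/SystemPolicyConfiguration/ExecPolicy"

# Assumed table and column names; confirm against dump_schema() on a real copy.
SCAN_TABLE = "policy_scan_cache"
SCAN_COLUMNS = ("bundle_id", "cdhash", "team_identifier",
                "signing_identifier", "policy_match", "mod_time")


def dump_schema(conn):
    """Return {table: [column, ...]} so assumed names can be verified."""
    schema = {}
    for (name,) in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'"):
        cols = [row[1] for row in conn.execute(f'PRAGMA table_info("{name}")')]
        schema[name] = cols
    return schema


def find_unsigned_entries(conn):
    """Scan-cache rows with no cdhash, team ID or signing ID.

    A legitimately launched third-party bundle is signed and notarized, so it
    leaves a cdhash and a team identifier; an entry with none of these that
    still reached the policy engine is worth a closer look.
    """
    query = f'SELECT rowid, {", ".join(SCAN_COLUMNS)} FROM "{SCAN_TABLE}"'
    suspicious = []
    for rowid, bundle_id, cdhash, team, sid, policy_match, mod_time in conn.execute(query):
        if not (cdhash or team or sid):
            suspicious.append({
                "rowid": rowid,
                "bundle_id": bundle_id,
                "policy_match": policy_match,
                "mod_time": mod_time,
            })
    return suspicious


def build_sample_db():
    """Constructed in-memory database using the assumed schema (test data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f'''CREATE TABLE "{SCAN_TABLE}" (
        bundle_id TEXT, cdhash TEXT, team_identifier TEXT,
        signing_identifier TEXT, policy_match INTEGER, mod_time INTEGER)''')
    conn.executemany(
        f'INSERT INTO "{SCAN_TABLE}" VALUES (?, ?, ?, ?, ?, ?)',
        [
            # signed + notarized app: has cdhash, team ID and signing ID
            ("com.example.goodapp", "0" * 40, "ABCDE12345",
             "com.example.goodapp", 1, 1619000000),
            # unsigned bundle that was still scanned/launched: no identity at all
            ("com.example.unsigned-installer", None, None, None, 1, 1619000100),
        ])
    conn.commit()
    return conn


def open_readonly(path):
    """Open an existing database without risking writes to it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    import sys
    conn = open_readonly(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for table, cols in dump_schema(conn).items():
        print(f"{table}: {', '.join(cols)}")
    for entry in find_unsigned_entries(conn):
        print("UNSIGNED ENTRY:", entry)
```

Run it with a path to an exported copy of the database (or with no argument to use the constructed sample). Because the schema is undocumented and may change between macOS releases, the script prints it first; if the assumed column names do not appear, adjust `SCAN_TABLE` and `SCAN_COLUMNS` before trusting the unsigned-entry list.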
Q: Can our free open-source tools protect you ...with no a priori knowledge of this insidious threat?
When the malicious script in the infected Xcode project is executed and attempts to connect to the attacker's remote C&C server for tasking (via /bin/bash), LuLu will intercept this, and alert you:
If we allow the malicious payload (EggShell) to be downloaded from the server ...when it attempts to persistently install itself as a Launch Agent, BlockBlock will alert you: