New Mac Malware Uses ‘novel’ Tactic To Bypass macOS Catalina Security

Intego, an antivirus firm, has discovered new Mac malware that uses what it calls a “novel” tactic to bypass the application security controls of macOS Catalina.

The new Trojan horse is spreading actively via Google search results, and it tricks users into overriding Gatekeeper, the macOS feature that enforces Apple's app notarization requirement.

Beware Of “Flash Player is out of date” Warnings

According to Intego, the malware poses as an Adobe Flash Player installer delivered as a “.dmg” disk image. It spreads through Google search results: clicking a poisoned result redirects the user to a malicious page that displays a “Flash Player is out of date” warning.

Fake “Adobe Flash Player is out of date” warning (Source: Intego)

If the user clicks the “update” button, the malicious “.dmg” file is downloaded. Opening it presents instructions that walk the user through installing the malicious program.

New Mac Malware Uses ‘novel’ Tactic

macOS Catalina requires apps distributed outside the App Store to be notarized by Apple. Gatekeeper enforces this: by default it refuses to open downloaded applications that are not signed by an identified developer and notarized. Malware authors therefore have to get increasingly creative to get their code running.

macOS Catalina alert shown when an unverified app tries to open (Image credit: Intego)

According to Intego, the “novel” tactic is simple: the malware's installer instructs users to right-click (or Control-click) the file and choose Open, instead of double-clicking it.

When a file is double-clicked, Gatekeeper blocks a non-notarized app outright and shows only a “can't be opened” dialog. When the same file is opened from the right-click menu, macOS instead shows a dialog with an “Open” button that lets the user run it anyway.

The malicious app instructs users to right-click the file and choose Open, which lets them run an app from an unverified source with ease. (Image credit: Intego)

This override takes effect immediately; the user never has to visit the Security & Privacy pane in System Preferences to allow the app. It also spares the attackers from having to sign up for an Apple Developer account, or hijack an existing one, to get their code signed and notarized.
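A practical check for a downloaded installer, as an added example that is not code from Intego or from this article: Gatekeeper only evaluates files carrying the com.apple.quarantine extended attribute that browsers stamp on downloads, and `spctl --assess --type execute` returns the same verdict Gatekeeper applies on a plain double-click. The script parses both; the sample attribute value and spctl output used in the comments are constructed, and the quarantine flag bits are reported but deliberately not decoded.

```python
"""Triage a downloaded app bundle the way Gatekeeper sees it.

Added example (not Intego's or the article's code). It reads the
com.apple.quarantine attribute (format: flags;hex-epoch;agent;uuid) and,
on macOS, asks spctl for the policy decision behind the double-click block.
Off macOS only the parsers run; sample inputs are constructed.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Quarantine:
    flags: int               # hex bitfield written by the downloading app (not decoded here)
    downloaded_at: datetime  # second field: hex seconds since the Unix epoch
    agent: str               # application that performed the download, e.g. Safari
    event_uuid: str          # key into the LaunchServices QuarantineEventsV2 database


def parse_quarantine(value: str) -> Quarantine:
    """Parse a raw attribute value such as '0083;5f0e1a2b;Safari;<uuid>' (constructed)."""
    parts = value.strip().split(";")
    if len(parts) != 4:
        raise ValueError(f"unexpected quarantine attribute format: {value!r}")
    flags, epoch_hex, agent, uuid = parts
    return Quarantine(
        flags=int(flags, 16),
        downloaded_at=datetime.fromtimestamp(int(epoch_hex, 16), tz=timezone.utc),
        agent=agent,
        event_uuid=uuid,
    )


@dataclass
class GatekeeperVerdict:
    accepted: bool
    source: Optional[str]  # e.g. "Notarized Developer ID" or "no usable signature"
    origin: Optional[str]  # signing identity, when spctl reports one


def parse_spctl(output: str) -> GatekeeperVerdict:
    """Parse the combined stdout/stderr of `spctl --assess --type execute -vv <app>`.

    Accepted apps print '<path>: accepted' plus source=/origin= lines; rejected
    ones print '<path>: rejected' and a source= line giving the reason.
    """
    if re.search(r":\s*accepted\b", output):
        accepted = True
    elif re.search(r":\s*rejected\b", output):
        accepted = False
    else:
        raise ValueError(f"no spctl verdict found in: {output!r}")
    source = re.search(r"^source=(.*)$", output, re.MULTILINE)
    origin = re.search(r"^origin=(.*)$", output, re.MULTILINE)
    return GatekeeperVerdict(
        accepted=accepted,
        source=source.group(1).strip() if source else None,
        origin=origin.group(1).strip() if origin else None,
    )


def read_quarantine(path: str) -> Optional[Quarantine]:
    """macOS only: `xattr -p com.apple.quarantine <path>`; None if not quarantined."""
    proc = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                          capture_output=True, text=True)
    return parse_quarantine(proc.stdout) if proc.returncode == 0 else None


def assess(path: str) -> GatekeeperVerdict:
    """macOS only: the same policy decision Gatekeeper makes on double-click."""
    proc = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", path],
                          capture_output=True, text=True)
    return parse_spctl(proc.stdout + proc.stderr)


def triage(path: str) -> str:
    """One-line summary for an app bundle, e.g. the one inside a fake Flash '.dmg'."""
    if sys.platform != "darwin":
        return "triage needs macOS (xattr and spctl are not available here)"
    quarantine = read_quarantine(path)
    verdict = assess(path)
    parts = [f"{path}: Gatekeeper {'accepted' if verdict.accepted else 'REJECTED'} ({verdict.source})"]
    if quarantine is None:
        parts.append("no quarantine attribute, so Gatekeeper is never consulted for it")
    else:
        parts.append(f"downloaded by {quarantine.agent} at {quarantine.downloaded_at:%Y-%m-%d %H:%M:%SZ}")
    if not verdict.accepted:
        parts.append("a user can still launch it via right-click > Open")
    return "; ".join(parts)


if __name__ == "__main__":
    print(triage(sys.argv[1] if len(sys.argv) > 1 else "/Applications/Safari.app"))
```

Run it against the .app inside a mounted disk image, e.g. `python3 triage.py "/Volumes/Flash Player/Install.app"`. A verdict of `rejected` with `source=no usable signature` is exactly the case this campaign relies on: Gatekeeper blocks the double-click, but the right-click Open path still offers to run the unsigned bundle.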

Once the user opens the purported installer, it runs a bash shell script that extracts a password-protected “.zip” archive. That archive may contain additional Mac malware bundles.

Intego notes that the malicious app bundle does install a legitimate copy of Flash Player, but it can then download other common Mac malware or adware.

According to Intego, the payload may include new variants of persistent macOS Trojans such as Shlayer or Bundlore, and the malware was evading detection by anti-virus programs at the time of the report.

How Can You Get Infected

The “outdated Flash” lure is one of the most successful Mac malware delivery techniques; the Shlayer Trojan, which relies on it, has reportedly hit roughly 1 in every 10 Mac users.

The campaign seeds Google search results: users who search for YouTube videos by their exact titles are led to the malicious pages.

Adobe will end support for Flash Player on Dec. 31, 2020, but users still need to be wary of such “novel” tactics.

How To Stay Safe

  • Avoid clicking on unsafe links, and immediately close any page that asks you to download an unknown program.
  • Some “outdated Flash” lures push files named flashInstaller.dmg, FlashInstaller.zip or simply “Installer”.
  • Beware of the domains associated with this campaign: youdontcare.com, display.monster, yougotupdated.com and installerapi.com. Intego says any user traffic to these domains “should be considered a possible sign of an infection”.
  • In addition, run a reputable anti-virus tool that can scan for and detect Trojan and adware bundles on macOS.
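Turning the domain indicators above into a detection, as an added example that is not part of the original article: the script scans resolver and proxy log lines for the four domains Intego named, matching the exact domain or any subdomain rather than a raw substring, so look-alikes such as notyoudontcare.com do not raise false alarms. The log lines are constructed for the demo and their layout is an assumption; adapt the host regex to your own resolver or proxy format.

```python
"""Flag DNS/proxy log entries that touch the campaign's domains.

Added example, not from the article. Indicators are the four domains the
page quotes from Intego; SAMPLE_LOG is constructed and its layout
(syslog-style unbound and squid lines) is an assumption.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Indicators quoted on the page: traffic to these is a possible sign of infection.
CAMPAIGN_DOMAINS = frozenset({
    "youdontcare.com",
    "display.monster",
    "yougotupdated.com",
    "installerapi.com",
})

# Any dotted hostname-looking token; a URL's scheme and path are not captured,
# so "http://installerapi.com/get?v=2" yields "installerapi.com".
HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.IGNORECASE)

# Constructed sample: two true hits, one benign lookup, two deliberate near-misses.
SAMPLE_LOG = """\
Aug 18 10:02:11 ns1 unbound[412]: info: 10.0.0.23 www.apple.com. A IN
Aug 18 10:02:15 ns1 unbound[412]: info: 10.0.0.23 cdn.yougotupdated.com. A IN
Aug 18 10:02:16 proxy squid: 10.0.0.23 GET http://installerapi.com/get?v=2 200
Aug 18 10:03:40 ns1 unbound[412]: info: 10.0.0.41 notyoudontcare.com. A IN
Aug 18 10:03:52 ns1 unbound[412]: info: 10.0.0.41 display.monster.evil-cdn.example. A IN
"""


def matches_indicator(hostname: str) -> Optional[str]:
    """Return the indicator domain if hostname is that domain or a subdomain of it."""
    host = hostname.lower().rstrip(".")
    for domain in CAMPAIGN_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, matched host, indicator) for every hit in the log."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for token in HOST_RE.findall(line):
            indicator = matches_indicator(token)
            if indicator is not None:
                hits.append((lineno, token.lower(), indicator))
    return hits


if __name__ == "__main__":
    for lineno, host, indicator in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: {host} -> campaign domain {indicator}")
```

In the constructed sample only lines 2 and 3 are reported: the client at 10.0.0.23 resolved a subdomain of yougotupdated.com and then fetched from installerapi.com through the proxy, which is the sequence a victim of the fake Flash installer would produce. The near-miss lines stay silent because the check is a label-boundary suffix match, not `in`.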


About the author

UnboxHow Team
