New Mac Malware Uses ‘novel’ Tactic To Bypass macOS Catalina Security
Intego, an antivirus firm, has discovered new Mac malware that uses a “novel” tactic to bypass the app security of the modern macOS Catalina.
The new Trojan horse is spreading actively via Google Search results. It tricks users into sidestepping Gatekeeper's app notarization feature.
Beware Of “Flash Player is out of date” Warnings
According to Intego, the malware pretends to be an Adobe Flash installer delivered as a “.dmg” disk image. It spreads via Google search results that, when clicked, redirect to malicious pages showing a “Flash Player is out of date” warning.
If users click the “update” button, the malicious “.dmg” file is downloaded to the system. When opened, it instructs users to install the malicious program.
New Mac Malware Uses ‘novel’ Tactic
Newer versions of macOS Catalina require app notarization. Apple added this feature to Gatekeeper to prevent users from opening applications from unverified sources, which forces malware creators to get increasingly inventive with their strategies.
According to Intego, the malware's “novel” tactic is to ask users to right-click the file and open it, instead of double-clicking it.
When a file is opened this way, macOS Catalina's Gatekeeper displays a dialog box with an “Open” button, whereas when an unverified file is double-clicked, Apple blocks the user from opening the malicious file or app.
Consequently, the malware gets past Gatekeeper security directly, with no need to override it in System Preferences. Unfortunately, this tactic also spares the bad actors the Apple Developer account sign-up process, as well as the need to hijack an existing account.
Once the user opens the alleged app installer, it quickly runs a bash shell script to extract a password-protected “.zip” file, which may contain additional Mac malware bundles.
Intego says the malicious app bundle initially installs a legitimate version of Flash, but it can later also download other traditional Mac malware or adware programs.
According to Intego, the malware may contain new variants of persistent macOS Trojans such as Shlayer or Bundlore. Intego adds that the malware is able to evade detection by anti-virus programs.
How Can You Get Infected
Since the “outdated Flash” strategy for spreading malware is one of the most successful, the infection rate stands at 1 in every 10 Mac users for the Shlayer Trojan.
The campaign uses Google search results to spread the malware when a user searches for YouTube videos by their exact titles.
Although Adobe Flash Player will be completely shut down on Dec. 31, 2020, users still need to be careful of such “novel tactics”.
How To Stay Safe
- Users should avoid clicking on unsafe links and should immediately close pages that ask them to download unknown programs.
- Some of the “outdated Flash” tactics may encourage users to install files such as flashInstaller.dmv, a FlashInstaller.zip file or “Installer.”
- Beware of domains spreading the malware, such as youdontcare.com, display.monster, yougotupdated.com and installerapi.com. According to Intego, these domains may be associated with the malware campaign, and the researchers say any user traffic to such domains “should be considered a possible sign of an infection”.
- Apart from that, use a powerful anti-virus tool to scan for and detect Trojan or adware bundles on macOS.
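As an added example that is not part of the original article, the following Python script applies Intego's advice above to DNS logs: it checks constructed dnsmasq-style query lines (the log format and client addresses are assumptions) against the four listed domains, flagging exact matches and their subdomains while ignoring look-alike names that merely contain a listed domain as a substring.

```python
import re
from typing import List, Optional, Tuple

# Domains Intego named as possibly associated with this campaign (from the article).
CAMPAIGN_DOMAINS = {
    "youdontcare.com",
    "display.monster",
    "yougotupdated.com",
    "installerapi.com",
}

# Constructed sample log in a dnsmasq-style "query[TYPE] host from client" format (assumed).
SAMPLE_LOG = """\
Jun 20 10:01:02 dnsmasq[123]: query[A] www.apple.com from 10.0.0.5
Jun 20 10:01:09 dnsmasq[123]: query[A] cdn.youdontcare.com from 10.0.0.5
Jun 20 10:01:11 dnsmasq[123]: query[A] notyoudontcare.com from 10.0.0.7
Jun 20 10:02:30 dnsmasq[123]: query[AAAA] DISPLAY.MONSTER. from 10.0.0.9
Jun 20 10:03:00 dnsmasq[123]: query[A] installerapi.com.evil.example from 10.0.0.5
"""

QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(?P<host>\S+)\s+from\s+(?P<client>\S+)")


def normalize_host(host: str) -> str:
    """Lower-case and strip a trailing dot so FQDN forms compare equal."""
    return host.lower().rstrip(".")


def matches_campaign(host: str, domains=CAMPAIGN_DOMAINS) -> Optional[str]:
    """Return the matched campaign domain if host equals it or is a subdomain of it."""
    host = normalize_host(host)
    for d in domains:
        # Suffix check with the leading dot rejects look-alikes such as notyoudontcare.com.
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, host, matched_domain) for every query touching a campaign domain."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        matched = matches_campaign(m.group("host"))
        if matched:
            hits.append((m.group("client"), normalize_host(m.group("host")), matched))
    return hits


if __name__ == "__main__":
    for client, host, domain in scan_dns_log(SAMPLE_LOG):
        print(f"possible infection: {client} queried {host} (matches {domain})")
```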