Security researchers have discovered new macOS malware that’s built to steal your most sensitive data. Dubbed ‘Cthulhu Stealer,’ the malware targets users by impersonating popular apps so it can harvest your system password, iCloud Keychain passwords, cryptocurrency wallets, and more.
Last week, Apple confirmed that users on macOS Sequoia will no longer be able to Control-click to override Gatekeeper to open software that isn’t signed or notarized by the company. This is a slight change that I believe will have a significant impact. It also gives us a glimpse into what might be happening behind the scenes at Apple as Mac malware gets more clever and the amount of it reaches all-time highs.
A new piece of backdoor malware originally discovered on Windows has found a new home in macOS. Disguising itself as a legitimate Adobe Flash Player installer, the malware burrows into pre-existing macOS folders, making it harder to spot. Because it was signed with a valid developer certificate, the malware could run freely on macOS even with Gatekeeper enabled.
These certificates were created to help validate applications with Gatekeeper, but lately have been used to spread malicious software. This is the second reported malware incident in the past week using a valid certificate.
During Apple’s WWDC 2016 session What’s New in Security, the company shared two interesting changes to the way Gatekeeper works in macOS Sierra – one visible, one not.
The security researcher who identified a serious flaw in Apple’s Gatekeeper reports that the vulnerability remains despite two security patches applied by the company. Each, he says, only blocks the specific apps he used to demonstrate the method.
Gatekeeper in theory allows users to ensure that their Mac will only run apps downloaded from the Mac App Store – or alternatively, signed by a known developer if you opt for a lower level of protection. But Patrick Wardle last September found a major vulnerability in this protection which would allow any malicious app to be run no matter what Gatekeeper setting was chosen.
Wardle informed Apple, which issued a security patch in response, but Wardle has now reverse-engineered the patch and found that it provides only extremely limited protection …
A security researcher has found an extremely simple way to bypass Gatekeeper to allow Macs to open any malicious app, even when it is set to open only apps downloaded from the Mac App Store.
Patrick Wardle, director of research at security firm Synack, told Ars Technica that once Gatekeeper okays an approved app, it pays no more attention to what that app does. The approved app can then open malicious apps – which Gatekeeper doesn’t check.
Wardle has found a widely available binary that’s already signed by Apple. Once executed, the file runs a separate app located in the same folder as the first one […] His exploit works by renaming Binary A but otherwise making no other changes to it. [He then] swaps out the legitimate Binary B with a malicious one and bundles it in the same disk image under the same file name. Binary B needs no digital certificate to run, so it can install anything the attacker wants …
Update: Macworld and The Verge report that Apple will actually not begin rejecting apps that utilize hotkeys.
According to a report from TUAW, Apple will soon begin rejecting OS X apps submitted to the Mac App Store that utilize hotkey functionality. The report does not cite a specific source, and app developers we have talked to seem to be unaware of the change. TUAW claimed Apple will only allow existing “hotkey apps”, and those released before June 1, to issue future bug fixes. New apps and existing apps that are releasing updates with new features will apparently not be permitted to use hotkeys:
TUAW has been told that Apple will be rejecting all apps with hotkey functionality starting June 1, regardless of whether the new features are hotkey related or not. Basically, if you’re developing one of those apps, an app that assumes you can still add hotkeys, don’t bother submitting it to the Mac App Store.
The June 1 deadline lines up with the latest deadline Apple set for sandboxing Mac App Store apps, which is a new requirement that limits an app’s access to certain areas of the operating system. Apple is pushing sandboxing as “a great way to protect systems and users by limiting the resources apps can access and making it more difficult for malicious software to compromise users’ systems.” It appears it will also prevent apps from using hotkeys.