Jamf Blog
April 26, 2021 by Jaron Bradley

Shlayer malware abusing Gatekeeper bypass on macOS

Shlayer malware detected allows an attacker to bypass Gatekeeper, Notarization and File Quarantine security technologies in macOS. The exploit allows unapproved software to run on Mac and is distributed via compromised websites or poisoned search engine results.

In a recent blog post, Objective-See covered that prior to macOS 11.3, an attacker could craft a fake application bundle using a script as the primary executable allowing them to bypass File Quarantine, Gatekeeper and Notarization on the macOS platform. All of which are technologies in place to prevent unapproved software from running on macOS.

To make the situation more urgent, the Jamf Protect detections team observed this exploit being used in the wild by a variant of the Shlayer adware dropper. The variant observed has strong ties to a sample previously written about by Intego Security. In fact, both malware samples are nearly identical. The major difference, in this case, is that the variant has been repackaged to use a format necessary for carrying out the Gatekeeper bypass vulnerability. The Jamf Protect detection team identified samples found to be abusing this vulnerability as early as January 9th, 2021.

The details behind how the vulnerability can be abused by attackers are:

  1. An attacker manually crafts an application bundle by using a script as the main executable. (example:myapplication.app/Contents/MacOS/myapplication where “myapplication” is a bash script). For this to work, the script name must match the application name and they must not create an Info.plist file.
  2. The application can then be placed in a dmg for distribution.
  3. When the dmg is mounted and the application is double-clicked, the combination of a script-based application with no Info.plist file executes without any quarantine, signature or notarization verification. This will work on any system running macOS versions 10.15 to 11.2.

Previous variants of this malware are known to spread via poisoned search engine results - this variant is no exception. This is an approach where the malicious actors spreading the malware create web pages with content tailored to appear in search results for common queries or hijack legitimate websites without the knowledge of the owner. Since most search engines automate the indexing and ranking, this leads to them inadvertently publishing links to the malicious or hijacked sites hosting malware. In a real-world example, users could potentially stumble upon malware when searching for any commonly used terms. This is an example of a user searching for “Alexa and Disney” on Google Search in April 2021.

Screenshot of Google results when searching “alexa and disney” taken by Jamf on April 12, 2021.

Screenshot of Google results when searching “alexa and disney” taken by Jamf on April 12, 2021.

By clicking on a compromised result, in this case, the highlighted link above, the user is redirected to a new webpage asking them to download an unsolicited software application that looks similar to a real alert to update out-of-date software. This of course is not something specific to Amazon, Disney, or Google, but rather malicious actors abusing search engine indexing and/or compromising web pages.

Screenshot of fake installer taken by Jamf on April 12, 2021. Adobe Flash Player reached End of Life on 12/31/2020

Screenshot of fake installer taken by Jamf on April 12, 2021. Adobe Flash Player reached End of Life on 12/31/2020

An older variant of the Shlayer malware would deliver a dmg file that held a system link to a shell script. This shell script would have an installer logo attached to it, providing to the user the appearance of legitimacy. The mounted dmg also provided instructions to right-click the file and select “Open”, in an attempt to convince the user to install the malicious application. And while executing the file in this manner is allowed by Apple’s design, a consequence of this method allows applications - both trusted and malicious - to be opened while bypassing Gatekeeper’s checks altogether, leading in this instance to infecting the Mac.

The old variant of Shlayer attempting to convince a user to right click and open the malware

The old variant of Shlayer attempting to convince a user to right-click and open the malware.

This new variant found no longer requires the right-click method since the malware comes packaged in the format required to abuse CVE-2021-30657.

The new Gatekeeper bypass step-by-step

After mounting the dmg and opening the installer, the user is displayed the following application:

Shlayer malware installation prompt.

In further investigating of the application’s layout, more detail is revealed.

File structure of the DMG installer for the malicious application.

The image displayed to the user after mounting the DMG appears to be the “Install” file. In actuality, it is just a system link that points to the 1302.app application bundle, or the malicious application itself. By double-clicking the “Install” image in Figure C, the system actually executes the 1302.app, where 1302.app/Contents/MacOS/1302 is just a bash script.

File path displayed in Terminal displaying the script to be executed.

Due to the file path layout in which this script is set up, double-clicking the install icon executes the script held within 1302.app and bypasses the checks performed by Gatekeeper, described in further detail in CVE-2021-30657.

Interested in seeing how Jamf protects your devices from this and other malware?

Additional malware behaviors

As mentioned previously, the contents of the bash script itself have been seen in variants of this malware before. The script begins by invoking the “mktemp -t Installer” command to create a unique filename. In this case,“Installer.XXXXXXXX” is created in a temporary directory. The trailing “X’s” in the filename are automatically generated using the current process number and/or a letter combination unique to this file instance.

Truncated Output of Bash Script Contained Within 1302.app

Truncated Output of Bash Script Contained Within 1302.app

In a clever attempt to mask its presence from detection, the malware hides a zipped executable at the bottom of the script itself, as seen above in Figure E.

A secondary command, “tail -c 58853 $0 | funzip -1uD9jgw > ${TEMP_NAME}” performs the following actions:

Tail - Take the last 58853 bytes of the running script.

Funzip - Treat those bytes as a zip file and unzip it using the supplied password.

>${TEMP_NAME} - Write the newly unzipped file to the disk at the aforementioned temp file location.

The unzipped executable file is invoked with the command “nohup,” which instructs the process to ignore any HUP, or hangup signals. This is often used by attackers to run programs in the background. The final unzipped payload is a sample of the Bundlore adware, but this final payload may vary across different Shlayer samples.

Patched by Apple

Apple has patched this vulnerability in the 11.3 version of macOS. When this same malware is executed on a patched version of macOS, the user will see a pop-up message stating that the software “cannot be opened because the developer cannot be identified.” Since the malicious application is not notarized or signed with a valid developer’s certificate, the message will prompt the user to eject the mounted DMG containing the app bundle.

Installation prompt attempt blocked by updated macOS version 11.3 and later.

Conclusion

Shlayer continues to reintroduce itself with innovative ways to infect macOS-based systems. Jamf Protect provides behavioral analytics to detect built-in scripting languages being executed as though they are app bundles. This should help users discover malware abusing this technique on Mac computers running macOS versions prior to 11.3, as well as other suspicious applications. Jamf Protect defends against known malware samples of Shlayer, including the adware variants that it drops. Jamf recommends users “patch fast and patch often” to keep their Mac up-to-date by upgrading macOS to versions 11.3, which is available now through the Mac App Store and provides the latest protection against the vulnerabilities discussed in this article.

Indicators of Compromise

Files Hashes:

  • AdobeFlashPlayer.dmg → 55869270ed20956e5c3e5533fb4472e4eb533dc2
  • 1302.app/Contents/MacOS/1302 → 085a136c03f8b024a173068768c67b1a5ad928c1
  • Bundlore Dropped Executable → 20ac95c44549710a434902267394525333e96c0b

Domains Serving Malware:

  • hxxps://supportversion[.]yourlinkforplaceforupgrading[.]info

Protect your environment today

Additional coverage of this and Apple's bug bounty program may be found at The Washington Post.

Jaron Bradley
Other authors:
Stuart Ashenbrenner Ferdous Saljooki
Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.