Almost exactly a month ago, researchers revealed a notorious malware family was exploiting a never-before-seen vulnerability that let it bypass macOS security defenses and run unimpeded. Now, some of the same researchers say another malware can sneak onto macOS systems, thanks to another vulnerability.

Jamf says it found evidence that the XCSSET malware was exploiting a vulnerability that allowed it access to parts of macOS that require permission - such as accessing the microphone, webcam or recording the screen - without ever getting consent.

XCSSET was first discovered by Trend Micro in 2020 targeting Apple developers, specifically their Xcode projects that they use to code and build apps. By infecting those app development projects, developers unwittingly distribute the malware to their users, in what Trend Micro researchers described as a “supply-chain-like attack.” The malware is under continued development, with more recent variants also targeting Macs running the newer M1 chip.

Once the malware is running on a victim’s computer, it uses two zero-days - one to steal cookies from the Safari browser to get access to a victim’s online accounts, and another to quietly install a development version of Safari, allowing the attackers to modify and snoop on virtually any website. But Jamf says the malware was exploiting a previously undiscovered third zero-day in order to secretly take screenshots of the victim’s screen.

macOS is supposed to ask the user for permission before it allows any app - malicious or otherwise - to record the screen, access the microphone or webcam, or open the user’s storage. But the malware bypassed that permissions prompt by sneaking in under the radar by injecting malicious code into legitimate apps.

Jamf researchers Jaron Bradley, Ferdous Saljooki, and Stuart Ashenbrenner explained in a blog post, shared with TechCrunch, that the malware searches for other apps on the victim’s computer that are frequently granted screen-sharing permissions, like Zoom, WhatsApp and Slack, and injects malicious screen recording code into those apps. This allows the malicious code to “piggyback” the legitimate app and inherit its permissions across macOS. Then, the malware signs the new app bundle with a new certificate to avoid getting flagged by macOS’ built-in security defenses.

The researchers said that the malware used the permissions prompt bypass “specifically for the purpose of taking screenshots of the user’s desktop,” but warned that it was not limited to screen recording. In other words, the bug could have been used to access the victim’s microphone, webcam or capture their keystrokes, such as passwords or credit card numbers.

It’s not clear how many Macs the malware was able to infect using this technique. But Apple confirmed to TechCrunch that it fixed the bug in macOS 11.4, which was made available as an update today.

Usually, when an app wants to access a Mac's microphone, camera, or drive, it must first ask a user for permission. This is how one can block malware posing as an application from accessing sensitive data on their Mac. However, Jamf's zero-day exploit discovery (a zero-day exploit is a vulnerability not yet known of by the developers who can do something to patch it) found that the malware is able to work around those security settings by exploiting a security flaw.

The malware simply has to attach itself to a trusted application. When the malware inserts its code into the application, a user's Mac will no longer ask permission to provide access. For example, the malware would attach itself to apps like Zoom or Slack by inserting code into the program. The malware is basically using a trusted app as cover. This gives the malware the same access to cameras, mics, and screensharing that you already gave those trusted apps.
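A defender-side check for the technique described above, added here as an example (not code from the article, Jamf, or Apple): list the apps TCC currently allows to capture the screen, then compare each bundle's code signature against a recorded baseline, since an injected and re-signed bundle keeps a valid signature but no longer carries the vendor's Team ID. It assumes the macOS 11 TCC schema (`access` table, `auth_value` 2 = allowed), Full Disk Access to read the system TCC.db, and placeholder baseline Team IDs you would replace with values recorded from known-good installs.

```python
import re
import sqlite3
import subprocess
from pathlib import Path

# Screen Recording grants live in the system TCC database on macOS 11 (assumption).
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
SCREEN_CAPTURE = "kTCCServiceScreenCapture"

# Team IDs recorded from trusted installs; the values here are placeholders.
BASELINE_TEAM_IDS = {
    "us.zoom.xos": "PLACEHOLDER_ZOOM_TEAM_ID",
    "com.tinyspeck.slackmacgap": "PLACEHOLDER_SLACK_TEAM_ID",
}

def screen_capture_clients(db_path=SYSTEM_TCC_DB):
    """Return bundle IDs that TCC currently allows to record the screen."""
    con = sqlite3.connect(f"{Path(db_path).as_uri()}?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT client FROM access WHERE service=? AND auth_value=2",
            (SCREEN_CAPTURE,),
        ).fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]

def parse_codesign(text):
    """Parse `codesign -dv --verbose=2` output into key/value pairs (first value wins)."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z ]+)=(.*)", line.strip())
        if m and m.group(1) not in info:
            info[m.group(1)] = m.group(2)
    return info

def assess(bundle_id, info, verify_ok, baseline=BASELINE_TEAM_IDS):
    """Flag a bundle that fails verification or whose signing Team ID drifted."""
    if not verify_ok:
        return "TAMPERED: signature does not verify"
    expected = baseline.get(bundle_id)
    team = info.get("TeamIdentifier")  # ad-hoc re-signing reports "not set"
    if expected and team != expected:
        return f"RESIGNED: TeamIdentifier {team} != baseline {expected}"
    return "ok"

def audit_app(bundle_id, app_path):
    """Verify one bundle on disk with codesign and assess it against the baseline."""
    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", app_path],
                            capture_output=True, text=True)
    detail = subprocess.run(["codesign", "-dv", "--verbose=2", app_path],
                            capture_output=True, text=True)
    return assess(bundle_id, parse_codesign(detail.stderr), verify.returncode == 0)
```

Drive it by mapping each bundle ID from `screen_capture_clients()` to its path in /Applications and calling `audit_app`; codesign prints signature details on stderr, which is why that stream is parsed.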