With the introduction of macOS Catalina, Apple added a new app notarization requirement. Notarization is the official fraud-deterrent process that reassures the parties to a transaction that a document or object is authentic and can be trusted. The security company Intego found Trojan malware that bypasses the new check by getting past Gatekeeper and tricking the user in an unorthodox way.
The Trojan is an updated version of the Shlayer malware, commonly encountered on Macs. It is delivered as a Trojan horse application on a .dmg disk image, disguised as an Adobe Flash Player installer. After the deceptive Flash Player installer is downloaded and opened on the victim's machine, the disk image mounts and displays directions on how to install it: first ‘right-click’ on ‘flashInstaller’, select Open, then click Open in the resulting dialog box.
This sequence of events leads to an infected machine: following the installation guide allows the ‘installer app’ to execute on the host system, in essence running a script that unpacks a payload embedded in itself and collects data.
According to Intego, once the script runs it extracts a self-embedded, password-protected .zip archive that contains a traditional, although malicious, Mac .app bundle. After installing the Mac app into a hidden temporary folder, the script launches the app and quits the Terminal. All of this takes a split second to execute.
Once the app is on the system and launches, it downloads an Adobe-signed Flash Player installer so that it appears genuine. Unknown to the user, the app is designed to download any other Mac malware or adware package, at the discretion of whoever controls the servers that the hidden Mac app phones home to.
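The dropper described above has a recognisable shape on disk: a shell script that is also a ZIP container, carries an inline `unzip` password, reads its own file to cut the archive out, and unpacks into a dot-prefixed folder under the temp directory. The following triage script is an added example for defenders, not Intego's tooling or anything from the original report; the indicator names, the regular expressions and the sample dropper it builds are assumptions constructed for illustration, and the real sample's exact commands are not on the page.

```python
"""Heuristic triage for a Shlayer-style dropper: a shell script that carries its
own password-protected ZIP payload and unpacks it into a hidden temp folder.
Added example; the sample dropper built below is constructed, not the real one."""
import io
import re
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # magic bytes of a ZIP local file header
SHEBANG_RE = re.compile(rb"\A#!\s*/(bin|usr/bin)/(ba|z)?sh\b")
UNZIP_PW_RE = re.compile(rb"\bunzip\b[^\n]*\s-P\s*\S+")  # unzip with an inline password
SELF_REF_RE = re.compile(rb"\$0\b|\$\{0\}|\$BASH_SOURCE")  # script reading its own file
HIDDEN_TMP_RE = re.compile(rb"(/tmp|\$TMPDIR|/private/tmp)/\.[A-Za-z0-9_]+")  # dot-dir under tmp


def triage_dropper(data: bytes) -> dict:
    """Return the indicators found in `data` plus a verdict.

    Only the text before the first ZIP header is treated as script; the
    archive bytes after it are never searched for shell patterns."""
    text_end = data.find(ZIP_LOCAL_HEADER)
    script = data if text_end == -1 else data[:text_end]
    indicators = {
        "shell_shebang": bool(SHEBANG_RE.match(data)),
        "embedded_zip": text_end != -1,
        "unzip_with_password": bool(UNZIP_PW_RE.search(script)),
        "reads_own_file": bool(SELF_REF_RE.search(script)),
        "hidden_tmp_dir": bool(HIDDEN_TMP_RE.search(script)),
    }
    # A shell script that is also a ZIP container is anomalous on its own; with
    # an inline password and a hidden temp folder it matches the behaviour
    # Intego describes. The threshold of 4 is a constructed tuning choice.
    score = sum(indicators.values())
    suspicious = indicators["shell_shebang"] and indicators["embedded_zip"]
    indicators["verdict"] = "dropper" if suspicious and score >= 4 else "clean"
    return indicators


def build_sample_dropper() -> bytes:
    """Constructed stand-in for a self-extracting installer script: a bash
    header followed by a real (unencrypted) ZIP. The password appears only on
    the unzip command line, which is enough for the heuristic."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as zf:
        zf.writestr("Player.app/Contents/MacOS/Player", "#!/bin/sh\necho stage2\n")
    header = (
        b"#!/bin/bash\n"
        b"DIR=/tmp/.fp_$$\n"  # hidden temp folder, dot-prefixed
        b"mkdir -p \"$DIR\"\n"
        b"tail -c +2048 \"$0\" > \"$DIR/p.zip\"\n"  # carve archive out of itself
        b"unzip -P sample_pw -d \"$DIR\" \"$DIR/p.zip\" >/dev/null\n"
        b"open \"$DIR/Player.app\"\n"
        b"exit 0\n"
    )
    return header + payload.getvalue()


if __name__ == "__main__":
    for name, blob in (("constructed dropper", build_sample_dropper()),
                       ("benign script", b"#!/bin/sh\necho hello\n")):
        print(name, triage_dropper(blob))
```

Run it against any file a user was told to "right-click and Open": the indicators that fire tell an analyst which parts of the described chain are present, and a plain shell script with no embedded archive scores as clean. The heuristic deliberately ignores the ZIP contents, since the password-protected archive cannot be inspected without the key; the container-in-a-script pattern itself is the signal.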
When asked whether the malware is in the wild and how it spreads, Intego said: “While searching Google for the exact titles of YouTube videos, Intego’s research team encountered Google search results that, when clicked, pass through multiple redirection sites and end up on a page that claims the visitor’s Flash Player is out of date, and displays deceptive warnings and fake dialog boxes to entice the victim to download a supposed Flash Player updater—which is, in fact, a Trojan horse.”