CVE-2021-30657: a malicious application may bypass Gatekeeper checks
Cybersecurity researchers have found that criminals are using fake application bundles to plant malware on Macs. A Mac malware researcher recently reported that attackers can build a fake application bundle whose main executable is a script, and in doing so bypass several macOS security measures (CVE-2021-30657): File Quarantine, Gatekeeper, and Notarization.
Although the vulnerability only affects versions prior to macOS 11.3, a network security research team has observed it being used in the wild to distribute malware alongside a variant of the Shlayer malware.
Specifically, exploitation relies on an application bundle that uses a script as its main executable and omits the Info.plist file. The application is then packaged in a dmg file for distribution. When the dmg file is mounted and the application is double-clicked, the script-based application without an Info.plist is executed with no quarantine, signature, or notarization checks.
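The bundle shape described above (no Contents/Info.plist, main executable that is a script) is easy to look for on disk. The following Python script is an added example for defenders and is not code from the original article; it builds two constructed sample bundles in a temporary directory (a well-formed one and one matching the pattern) and flags any bundle where both conditions hold. The function and fixture names are assumptions of this example.

```python
#!/usr/bin/env python3
"""Flag macOS app bundles matching the CVE-2021-30657 pattern:
missing Contents/Info.plist and a script (shebang) as the main executable."""
import os
import tempfile
from pathlib import Path

MINIMAL_INFO_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleExecutable</key><string>Good</string>
</dict></plist>
"""


def is_script(path: Path) -> bool:
    """True if the file begins with a shebang, i.e. it is a shell/python/etc. script."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def inspect_bundle(bundle: Path) -> dict:
    """Return the indicators for one .app bundle."""
    contents = bundle / "Contents"
    info_plist = contents / "Info.plist"
    macos_dir = contents / "MacOS"
    executables = []
    if macos_dir.is_dir():
        for entry in sorted(macos_dir.iterdir()):
            if entry.is_file() and os.access(entry, os.X_OK):
                executables.append(entry)
    script_execs = [e.name for e in executables if is_script(e)]
    has_plist = info_plist.is_file()
    return {
        "bundle": str(bundle),
        "has_info_plist": has_plist,
        "script_executables": script_execs,
        # Both conditions together are the shape the article describes.
        "suspicious": (not has_plist) and bool(script_execs),
    }


def scan_directory(root: Path) -> list:
    """Walk a directory tree (e.g. a mounted dmg) and inspect every .app bundle."""
    results = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in list(dirnames):
            if name.endswith(".app"):
                results.append(inspect_bundle(Path(dirpath) / name))
                dirnames.remove(name)  # do not descend into the bundle itself
    return results


def build_sample_bundles(root: Path) -> None:
    """Constructed fixtures for the demo: one normal bundle, one matching the pattern."""
    good = root / "Good.app" / "Contents"
    (good / "MacOS").mkdir(parents=True, exist_ok=True)
    (good / "Info.plist").write_text(MINIMAL_INFO_PLIST)
    good_exe = good / "MacOS" / "Good"
    good_exe.write_bytes(b"\xcf\xfa\xed\xfe")  # Mach-O magic only; constructed stub, not runnable
    good_exe.chmod(0o755)

    bad_macos = root / "Installer.app" / "Contents" / "MacOS"
    bad_macos.mkdir(parents=True, exist_ok=True)  # note: no Info.plist is written
    bad_exe = bad_macos / "Installer"
    bad_exe.write_text("#!/bin/sh\necho constructed-sample\n")  # harmless placeholder script
    bad_exe.chmod(0o755)


def demo() -> dict:
    """Build the fixtures in a temp dir, scan them, and key the findings by bundle name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_bundles(root)
        return {Path(r["bundle"]).name: r for r in scan_directory(root)}


if __name__ == "__main__":
    for name, finding in demo().items():
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{name}: {flag} (Info.plist={finding['has_info_plist']}, "
              f"script executables={finding['script_executables']})")
```

To use it on a real machine, call `scan_directory(Path("/Volumes/<mounted dmg>"))` or point it at `/Applications`. On macOS you would additionally check the `com.apple.quarantine` extended attribute with `xattr -l` on the bundle and its executable; that attribute is not modelled here because the example must run on any platform.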
The attackers usually spread this malware through poisoned search results: they create fake web pages and hijack search engine rankings to trick victims into downloading the malware or other malicious software.
For Mac users, updating macOS is the easiest, most direct and most effective defence, because the recently released macOS 11.3 patches this vulnerability. After the upgrade, an attempt to run the Shlayer malware produces a window stating that the application "cannot be opened because the developer cannot be verified."
However, the researchers also note that although this particular vulnerability has been closed, Shlayer is updated constantly and may find other ways to compromise macOS in the future, so users still need to remain cautious.