Hackers abused a macOS security hole to infect users via poisoned search results


If you haven't updated to the latest version of macOS yet, now is the time to do so as security researchers have identified a new campaign that uses fake application bundles to install malware on the Macs of unsuspecting users.

In a recent blog post, the Mac malware specialists at Objective-See described a flaw that lets an attacker craft a fake application bundle, with a script rather than a compiled Mach-O binary as its main executable, that bypasses File Quarantine, Gatekeeper and Notarization on macOS.

The technique only works on versions of macOS before 11.3, but the Jamf Protect detections team has already observed it in the wild: a variant of the Shlayer adware dropper has been repackaged into the bundle layout the Gatekeeper bypass requires.

One of the ways the campaign spreads is through poisoned search results. The operators create fake web pages and manipulate search-engine rankings so that those pages surface for popular queries, then push the malicious download from them. Users therefore need to stay vigilant even when they arrive at a site from a legitimate search engine like Google.

Abusing Gatekeeper bypass

To abuse this flaw, an attacker crafts an application bundle whose main executable (the file under Contents/MacOS) is a shell script rather than a compiled Mach-O binary, and omits the bundle's Info.plist. The bundle is then placed in a DMG for distribution. When the victim mounts the DMG and double-clicks the app, macOS launches the script-based, plist-less bundle without applying the quarantine, code-signature or notarization checks that would normally block an unsigned download.
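A triage script for the bundle shape just described, added here as an example and not code from Objective-See, Jamf or the malware author: it classifies each .app under a directory (for instance a mounted DMG volume) by whether its main executable is a "#!" script or a Mach-O binary and whether Contents/Info.plist is present, and on macOS also prints the com.apple.quarantine attribute. The three sample bundles it builds for the demo are constructed test data, not real payloads; the Mach-O sample is only a magic-number header, not a runnable binary.

```shell
#!/usr/bin/env bash
# Added triage helper (not Objective-See's or Jamf's code): flag .app bundles
# that have the shape described above, i.e. a script rather than a Mach-O
# binary as the main executable AND no Contents/Info.plist. The sample
# bundles built by make_samples are constructed for the demo.
set -u

# First N bytes of a file as lowercase hex with no separators.
hexhead() { od -An -tx1 -N"$2" "$1" | tr -d ' \n'; }

# 0 if the file begins with a Mach-O (32/64-bit, either byte order) or
# universal/fat binary magic number, else 1.
is_macho() {
  case "$(hexhead "$1" 4)" in
    cffaedfe|cefaedfe|feedfacf|feedface|cafebabe|bebafeca) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 if the file starts with "#!" (an interpreter script), else 1.
is_script() { [ "$(hexhead "$1" 2)" = "2321" ]; }

# On macOS, print the quarantine attribute (empty if none); "n/a" elsewhere.
quarantine_attr() {
  if command -v xattr >/dev/null 2>&1; then
    xattr -p com.apple.quarantine "$1" 2>/dev/null || true
  else
    echo "n/a"
  fi
}

# Classify an .app bundle. Prints one of
#   BYPASS-SHAPE   script main executable and no Contents/Info.plist
#   SCRIPT-APP     script main executable, Info.plist present
#   MACHO-APP      ordinary Mach-O main executable
#   NOT-A-BUNDLE   no regular file under Contents/MacOS
#   UNKNOWN-EXEC   main executable is neither Mach-O nor a "#!" script
# and returns 0 only for BYPASS-SHAPE.
classify_bundle() {
  local app="$1" macos_dir="$1/Contents/MacOS" plist="$1/Contents/Info.plist" exe
  [ -d "$macos_dir" ] || { echo "NOT-A-BUNDLE"; return 1; }
  # With no Info.plist there is no CFBundleExecutable key to consult, so
  # take the first regular file in Contents/MacOS, which is all such a bundle has.
  exe=$(find "$macos_dir" -maxdepth 1 -type f | sort | head -n 1)
  [ -n "$exe" ] || { echo "NOT-A-BUNDLE"; return 1; }
  if is_macho "$exe"; then echo "MACHO-APP"; return 1; fi
  if is_script "$exe"; then
    if [ -f "$plist" ]; then echo "SCRIPT-APP"; return 1; fi
    echo "BYPASS-SHAPE"; return 0
  fi
  echo "UNKNOWN-EXEC"; return 1
}

# Build three constructed sample bundles under $1 (test data, not real malware).
make_samples() {
  local root="$1" a
  for a in Bad Good Script; do mkdir -p "$root/$a.app/Contents/MacOS"; done
  printf '#!/bin/sh\necho hello\n' > "$root/Bad.app/Contents/MacOS/Bad"
  printf '#!/bin/sh\necho hello\n' > "$root/Script.app/Contents/MacOS/Script"
  printf '<plist/>\n' > "$root/Script.app/Contents/Info.plist"
  # MH_MAGIC_64 (0xfeedfacf) as stored on disk, little-endian: cf fa ed fe
  printf '\317\372\355\376\007\000\000\001' > "$root/Good.app/Contents/MacOS/Good"
  printf '<plist/>\n' > "$root/Good.app/Contents/Info.plist"
}

# Report every .app directly under a directory (e.g. a mounted DMG volume).
scan_dir() {
  local d="$1" app
  for app in "$d"/*.app; do
    [ -d "$app" ] || continue
    printf '%-13s q=%s  %s\n' "$(classify_bundle "$app")" "$(quarantine_attr "$app")" "$app"
  done
}

if [ -n "${1:-}" ]; then
  scan_dir "$1"                 # usage: ./triage.sh /Volumes/SomeInstaller
else
  tmp=$(mktemp -d); make_samples "$tmp"; scan_dir "$tmp"; rm -rf "$tmp"
fi
```

Run it with no arguments to see the three constructed samples classified, or point it at a mounted DMG. A BYPASS-SHAPE hit is only a structural indicator: legitimate script-based apps exist, but they normally carry an Info.plist, so the combination of a "#!" main executable and a missing plist in a downloaded disk image is what deserves a closer look.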

Updating to the latest macOS is the simplest protection against attacks using this method: the flaw was fixed in macOS 11.3, released on 26 April 2021. On a patched system, an attempt to open the Shlayer payload produces the standard Gatekeeper dialog saying the software “cannot be opened because the developer cannot be identified”.

While macOS users running the latest version of Apple's operating system are protected for now, the detections team at Jamf Protect makes the point in a new blog post that “Shlayer continues to reintroduce itself with innovative ways to infect macOS-based systems”.

As Macs have become more prevalent in the workplace as business laptops, cybercriminals have taken notice and they are now actively developing Mac malware to infect even more users.


27 Apr 2021


