New Mac malware attacks users who don't keep Gatekeeper active

Threats to OS X/macOS have proven increasingly dangerous, prompting Apple to rethink and strengthen the protection offered by its native controls so that it can keep protecting its users transparently. Gatekeeper is a recent example, one being refined in Sierra after controversies, and its use should not be discouraged: users who disable it are becoming easier to deceive.

Malware featured in MacUpdate

One of them, registered by Intego and named OSX/Eleanor, was embedded in a fake file-converting app that appeared (but has since been taken down) in well-known software download repositories, including MacUpdate (renowned among Apple users for years). BitDefender Labs has produced a complete analysis (PDF) of this malware, revealing its capabilities.

OSX/Eleanor is able to maintain a permanent entry point on the user's machine for various malicious purposes, including administrative access to the operating system and image and sound capture. However, the application is not signed through Apple's developer program; therefore, if the user keeps Gatekeeper active on his Mac, the OS prevents it from running and alerts him.

Other antivirus utilities, and XProtect itself (the native anti-malware component of macOS), are already able to recognize this threat, but researchers draw attention to the imminent possibility of variants emerging.

In addition, ESET, another maker of antivirus software for various platforms, discovered malware capable of stealing credentials stored on Apple computers, distributed in ZIP files over the internet. OSX/Keydnap sits compressed inside these files disguised as an image or text document, but analysis concludes that it is a Mach-O executable, opened by the Terminal.

Malware disguised as JPG image

Even if the user sees the extensions of the files after extraction, he can still be deceived: they are displayed as .jpg or .txt, and at first glance he does not notice that they end with a blank space. When opened for the first time, the malware requests administrative access and, when granted, installs itself in a privileged location on the computer, then replaces its installer with a harmless file. Evidence was found of Keydnap's commands pointing to the Tor network, where the affected user's credentials, whether from websites or from the machine itself, are sent.
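A defender-side check for the disguise described above, added here as an example and not taken from any of the vendor reports: it flags files whose document-like extension is followed by trailing whitespace, and files whose first four bytes are a Mach-O header regardless of name. The sample files are constructed in a temporary directory.

```python
import tempfile
from pathlib import Path

# First four bytes of Mach-O files: thin 32/64-bit in both byte orders,
# plus the "fat" universal-binary header. (0xCAFEBABE is also the Java
# class-file magic, so a fat-header hit on a .class file is a false positive.)
MACHO_MAGICS = {
    bytes.fromhex("feedface"), bytes.fromhex("cefaedfe"),  # MH_MAGIC / MH_CIGAM
    bytes.fromhex("feedfacf"), bytes.fromhex("cffaedfe"),  # MH_MAGIC_64 / MH_CIGAM_64
    bytes.fromhex("cafebabe"), bytes.fromhex("bebafeca"),  # FAT_MAGIC / FAT_CIGAM
}
# Extensions a user would expect to open as a document, not a program.
BENIGN_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf", ".doc"}

def is_macho(path):
    """True if the file starts with any known Mach-O magic."""
    with open(path, "rb") as fh:
        return fh.read(4) in MACHO_MAGICS

def disguised_name(name):
    """True for names like 'photo.jpg ' where whitespace follows a benign extension."""
    if name == name.rstrip():
        return False
    return Path(name.rstrip()).suffix.lower() in BENIGN_SUFFIXES

def scan(directory):
    """Return [(filename, [reasons])] for every suspicious regular file."""
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        reasons = []
        if disguised_name(entry.name):
            reasons.append("trailing-whitespace extension")
        if is_macho(entry):
            reasons.append("Mach-O header")
        if reasons:
            findings.append((entry.name, reasons))
    return findings

def demo():
    # Constructed samples: a genuine JPEG prefix, and a 64-bit Mach-O magic
    # stored under a ".txt " name (trailing space) the way the article describes.
    d = tempfile.mkdtemp()
    Path(d, "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    Path(d, "notes.txt ").write_bytes(bytes.fromhex("cffaedfe") + b"\x00" * 16)
    return scan(d)

if __name__ == "__main__":
    for name, reasons in demo():
        print(repr(name), "->", ", ".join(reasons))
```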

Although it is a different implementation from OSX/Eleanor, and one little used in macOS development, Gatekeeper is able to identify it and block its execution because it lacks a digital signature issued by Apple. During WWDC and in its documentation, the company has repeatedly reinforced the importance of developers using its signing process for distribution, making it clear that it will become a requirement in the near future, even for those who do not aspire to the Mac App Store.

(via Cult of Mac, AppleInsider)