Hackers have been exploiting ‘dangerous’ MacOS bug to run malware campaign

Apple's grappling with another flaw.
Apple Mac (Chesnot/Getty Images)

Apple has been working for years to protect users from bad applications and developers seeking to exploit unsuspecting users and target them with malware. But hackers recently found a workaround that circumvents even the latest MacOS protections and have been exploiting the flaw, according to researchers.

Apple released MacOS Big Sur 11.3 on Monday, an update that includes a fix for the issue, an Apple spokesperson told CyberScoop. Security researcher Cedric Owens originally found the problem, present in MacOS Catalina 10.15 and MacOS Big Sur, in March. Security researcher Patrick Wardle — who also investigated the flaw — said it allowed hackers to get past Apple’s various methods of keeping bad code from users, such as Gatekeeper, File Quarantine and its application notarization review process.

All users had to do was double click when presented with a seemingly benign document, a .dmg file, and the hackers then could have remote access to victims’ machines, Owens wrote to CyberScoop.

This “is the most dangerous macOS phishing payload that I have encountered to date given that the victim has only to: 1. extract the .dmg or .zip file, and 2. double click the payload,” Owens said. “Gatekeeper and other macOS security mechanisms did not alert the user and so there is no indication of malware infection.”
Wardle told CyberScoop that “it has the potential to be the most impactful bug to everyday macOS users.”

The issue stemmed from a logic bug that let hackers target users with malicious applications that bypassed Apple’s efforts to block bad software, according to Wardle. Because of the bug, malicious applications were mischaracterized and reached users without any alert that a bad app had infiltrated their machines, Wardle said in a blog about the research Monday.

Despite all of Apple’s work to protect users from malware, the workaround put macOS users back to security levels present in approximately 2007, Wardle said.

“Basically macOS security (in the context of evaluating user launched applications, which recall, accounts for the vast majority of macOS infections) was made wholly moot,” Wardle wrote in the blog.

Hackers had already taken note of the issue in recent months and have been running a campaign targeting MacOS users with a version of the Shlayer malware, security researchers at Jamf revealed in a blog published Monday. The hackers have been using the vulnerability — packaging their malware as an application that is unnotarized and unsigned to bypass the protections — since at least January, according to Jamf.
The update, however, should now make it so that untrusted and uncategorized applications will be blocked.
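For a Mac administrator, the two practical questions after reading this are whether a given machine has the Big Sur 11.3 update the article names, and whether a downloaded app actually carries a quarantine flag and passes Gatekeeper before anyone double-clicks it. The script below is an added example written for this page, not code from CyberScoop, Apple, Jamf or the researchers quoted. It assumes the macOS tools `sw_vers`, `spctl` and `xattr` are present; the 11.3 threshold comes from the article, while Catalina 10.15 is only flagged for a separate check because the article does not state which Catalina update carries the fix. The Gatekeeper assessment is skipped on non-macOS systems.

```shell
#!/bin/sh
# Return codes of macos_gatekeeper_fix_status for a macOS product version:
#   0 - Big Sur 11.3 or later (contains the fix named in the article)
#   1 - Big Sur earlier than 11.3 (affected, update pending)
#   2 - Catalina 10.15 (affected per the article; check Apple's Catalina
#       security updates separately, the fix version is not given here)
#   3 - a release family the article does not mention
macos_gatekeeper_fix_status() {
    ver="$1"
    major=${ver%%.*}          # text before the first dot
    rest=${ver#*.}            # text after the first dot, or the whole string
    [ "$rest" = "$ver" ] && rest=0
    minor=${rest%%.*}
    case "$major" in
        11) if [ "$minor" -ge 3 ]; then return 0; else return 1; fi ;;
        10) if [ "$minor" -eq 15 ]; then return 2; else return 3; fi ;;
        *)  return 3 ;;
    esac
}

# Describe a status code in words, so the caller can log it.
describe_fix_status() {
    case "$1" in
        0) echo "patched: Big Sur 11.3 or later" ;;
        1) echo "UNPATCHED: Big Sur earlier than 11.3" ;;
        2) echo "Catalina 10.15: verify the Catalina security update separately" ;;
        *) echo "not in the release families the report covers" ;;
    esac
}

# Inspect one downloaded app bundle the way Gatekeeper would at launch:
# first the quarantine attribute (set by the browser or Mail on download;
# without it Gatekeeper does not evaluate the app at all), then the
# assessment verdict. Returns 0 when accepted, 1 when rejected, 2 when the
# tools are unavailable (not macOS).
assess_app() {
    app="$1"
    if ! command -v spctl >/dev/null 2>&1 || ! command -v xattr >/dev/null 2>&1; then
        echo "spctl/xattr not available (not macOS); skipping assessment of $app"
        return 2
    fi
    if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
        echo "quarantine attribute: set"
    else
        echo "quarantine attribute: NOT set (Gatekeeper will not evaluate this app)"
    fi
    # -vv prints the verdict and the 'source=' line; for a legitimately
    # distributed app expect 'accepted' with source=Notarized Developer ID.
    if spctl --assess --type execute -vv "$app" 2>&1; then
        echo "gatekeeper verdict: accepted"
        return 0
    fi
    echo "gatekeeper verdict: rejected"
    return 1
}

# Stand-alone use: report this machine's status, then assess any paths given.
if command -v sw_vers >/dev/null 2>&1; then
    current=$(sw_vers -productVersion)
    rc=0
    macos_gatekeeper_fix_status "$current" || rc=$?
    echo "macOS $current: $(describe_fix_status "$rc")"
fi
for app in "$@"; do
    assess_app "$app" || true
done
```

Run it as `sh check_gatekeeper.sh ~/Downloads/SomeApp.app` (a constructed path). The version check is deliberately pure string handling so it can be unit-tested anywhere; only `assess_app` needs a Mac, and on a machine that has 11.3 its output for an unsigned, unnotarized app should be a rejection, which is exactly the behaviour the article says the update restores.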

“Though this bug is now patched, it clearly (yet again) illustrates that macOS is not impervious to incredibl[y] shallow, yet hugely impactful flaws,” Wardle said.

It’s just the latest issue that Apple has had to grapple with in the last several weeks. Earlier this month researchers revealed they found a flaw that was leaking email addresses from Apple’s AirDrop.

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.