Mac Malware uses an "innovative" tactic to bypass the security of macOS Catalina

    Intego researchers have discovered new Mac malware that tricks users into bypassing the latest macOS security protections.

    In macOS Catalina, Apple introduced new requirements for app signing. These Gatekeeper-based requirements make it difficult for users to open apps that have not been verified, causing malware writers to be more creative in their tactics to colonize users' computers.

    For example, Intego researchers have discovered a new malware Trojan that spreads among computers via fake Google search results that trick users into disabling these protections themselves.



    The malware appears as a .dmg disk image disguised as an Adobe Flash installer. But once mounted on a user's computer, it prompts the user to perform the malicious software installation themselves.

    Using a tactic Intego describes as "novel", the malware asks users to right-click and open the malware instead of double-clicking it. With the Gatekeeper settings in macOS Catalina, a dialog box appears with an "Open" button. Normally, when users click on an unverified file, Apple doesn't allow them to open it that easily.

    In fact, macOS discourages users from opening files from unverified apps, making the procedure more cumbersome. Specifically, it forces users to open System Preferences to override Gatekeeper. This strategy also prevents attackers from taking over an Apple developer account or hijacking an existing one.

    Once users open the installer app, they run a bash shell script and extract a password-protected .zip file containing a more conventional malicious package. Although it initially installs a legitimate version of Flash, Intego claims it can be used to download "any other malware or adware for Mac".
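
    A static triage sketch for the pattern described above (an added example, not Intego's tooling or code from the article): without running anything, it checks an .app bundle copied from a mounted disk image for a shell-script main executable, a missing code signature and a password-protected .zip. The function names are hypothetical, and that the .zip sits inside the bundle is an assumption.

```python
import plistlib
import zipfile
from pathlib import Path


def triage_app_bundle(app: Path) -> dict:
    """Static heuristics for one .app bundle; reads files, never executes them."""
    contents = app / "Contents"
    findings = {"script_executable": False, "no_code_signature": False,
                "encrypted_zips": []}

    # Info.plist names the file that launches when the user opens the app.
    with open(contents / "Info.plist", "rb") as fh:
        exe_name = plistlib.load(fh).get("CFBundleExecutable", "")
    exe = contents / "MacOS" / exe_name
    if exe.is_file():
        with open(exe, "rb") as fh:
            # A "#!" shebang means a script, not a compiled Mach-O binary.
            findings["script_executable"] = fh.read(2) == b"#!"

    # Signed bundles carry Contents/_CodeSignature/CodeResources.
    # Heuristic only: `codesign --verify` on macOS is the authoritative check.
    findings["no_code_signature"] = not (
        contents / "_CodeSignature" / "CodeResources").is_file()

    # Bit 0 of a ZIP entry's general-purpose flags marks it as encrypted.
    # Assumption: the password-protected archive ships inside the bundle.
    for path in sorted(app.rglob("*")):
        if path.is_file() and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                if any(info.flag_bits & 0x1 for info in zf.infolist()):
                    findings["encrypted_zips"].append(
                        path.relative_to(app).as_posix())
    return findings


def is_suspicious(findings: dict) -> bool:
    """Flag the combination the article describes, not any single trait."""
    return (findings["script_executable"] and findings["no_code_signature"]
            and bool(findings["encrypted_zips"]))
```

    Each trait on its own also occurs in legitimate software, so only the combination is treated as a reason to escalate the bundle for analysis.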



    Fortunately, Adobe Flash is becoming a thing of the past, and this will make it more difficult for malicious actors to find applications that need to be installed so widely.


    In the meantime, this is the golden rule to follow: don't install Flash and refuse to visit or do business with websites that continue to use that technology.
