A brand new macOS exploit has been revealed by researchers. The exploit would allow remote installation of malware on the targeted system with the help of custom URL handlers in Safari. The researchers proved the attack in a demo. It should be noted that this particular attack, though remote, requires some user interaction, and it has proven successful even against tech-savvy users, the researchers warned.
In their report, the security experts discuss “a remote attack that malware has been leveraging as a means to gain initial access to fully patched macOS systems”. When this first-stage attack is combined with flaws in macOS that allow malicious code to carry out various malicious activities, the result could be “an elegant, yet damaging attack against macOS”. Having said that, it shouldn’t be surprising that this attack has been described as “an offensive cyber-espionage campaign infects macs with a novel infection mechanism”.
WINDSHIFT APT macOS Exploit: Novel and Sophisticated
Researchers believe that the threat actors behind this attack are the so-called WINDSHIFT APT.
First of all, this is a somewhat obscure cyber espionage actor, who has been targeting individuals working at an undisclosed government. It appears that this obscure threat actor operates a sophisticated phishing infrastructure and is able to carry out spear phishing attacks via email and SMS messages. This allows the attacker to track targets continuously during the reconnaissance phase, while deceiving them during the credential harvesting phase by impersonating global and local platform providers, the researchers disclosed.
Furthermore, there are several things that distinguish WINDSHIFT APT from other similar threat groups. WINDSHIFT APT’s modus operandi is very hard to attribute. The group rarely engages targets with malware, although researchers were able to uncover the very few targeted attacks and to analyze the particular macOS malware that was used. But what stands out the most is that the threat actor uses unique macOS infection tricks that abuse the system’s native functionality to automatically spread malware to targets.
As mentioned in the beginning, this group remotely installs macOS malware on targeted systems with the help of custom URL handlers in Safari.
Furthermore, the attackers use “Do you want to allow” popups which are familiar to macOS users. As explained by security researcher Patrick Wardle, “these document handlers are frequently seen in use when clicking on an App Store link or PDF, which asks users for permission before opening the link or file in a registered app like the Mac App Store or Preview”.
Researchers highlighted that even though user interaction is required, it is rather minimal and can be manipulated by the attacker. This method has proven successful, as it has already tricked government targets in the Middle East.
How is that possible? The researchers offered an explanation:
On macOS, applications can “advertise” that they can support (or ‘handle’) various document types and/or custom URL schemes. Think of it as an application saying, “hey, if a user tries to open a document of type foo or a url with a scheme of bar, I got it!” You’ve surely encountered this on macOS. For example, when you double click a .pdf document, Preview.app is launched to handle the document. Or in a browser you click a link to an application which lives in the Mac App Store, and the App Store.app is launched to process that request. Unfortunately, the way Apple decided to implement (specifically, “register”) document handlers and custom URL schemes leaves them ripe for abuse!
Custom URL handlers, and similarly document handlers, are basically a way for an application to notify the OS they are able to handle certain document types. For example, VLC advertises the ability to accept many different video formats, while Preview does the same for a wide array of different file types.
The shorter explanation of this macOS exploit would be the following:
The very first step requires the malware to be uploaded to a malicious site. When the target visits this website (most likely through a spear phishing attack), the malicious .zip file is downloaded by macOS and is then automatically unzipped. Here’s the moment to note that Apple allows files it sees as safe to be unzipped, including malware instances, if the user has downloaded them via the Safari browser. After the file is unzipped, the malware can register its custom URL scheme handler with the file system.
Code in the malicious webpage can then load the custom URL, this way triggering macOS to look up the just-installed URL handler and launch the malicious app. The tricky part is that developers are able to alter the application text and make it misleading. What does this mean? Instead of saying “Do you want to allow Safari to open the application”, it could say something like “Do you want to allow Safari to open Preview?”, the researchers explained.
While Safari does prompt the user to Cancel or Allow the operation to run, developers are able to change the application text to something designed to be misleading. Instead of saying “Do you want to allow Safari to open scary malware application?” it could say “Do you want to allow Safari to open Preview?” Finally, the system would try to launch the malware, which will already be in the victim’s Downloads folder.
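The registration step above works because the unzipped .app bundle carries an Info.plist whose CFBundleURLTypes entry advertises the scheme, which macOS indexes once the bundle lands on disk. The following added example (not code from the researchers or from the report) is a defender's inventory check: it walks a folder such as Downloads and lists every app bundle that registers a custom URL scheme. The sample bundles, the scheme name and the app names are constructed for the demonstration.

```python
import plistlib
import tempfile
from pathlib import Path


def build_sample(root: Path) -> None:
    """Constructed sample data: one bundle that advertises a custom URL scheme
    (the behaviour the article describes) and one ordinary bundle that does not."""
    bundles = {
        "Notes Helper.app": {  # constructed name, not a real malware sample
            "CFBundleIdentifier": "example.noteshelper",
            "CFBundleURLTypes": [
                {"CFBundleURLName": "handler", "CFBundleURLSchemes": ["openmydoc"]}
            ],
        },
        "Plain.app": {"CFBundleIdentifier": "example.plain"},
    }
    for name, info in bundles.items():
        contents = root / name / "Contents"
        contents.mkdir(parents=True)
        with open(contents / "Info.plist", "wb") as fh:
            plistlib.dump(info, fh)


def url_scheme_handlers(root: Path) -> dict:
    """Map each .app bundle under root (recursively, so unzipped folders are
    covered) to the URL schemes its Info.plist registers."""
    found = {}
    for plist in root.rglob("Info.plist"):
        bundle = plist.parent.parent
        if plist.parent.name != "Contents" or bundle.suffix != ".app":
            continue
        with open(plist, "rb") as fh:
            info = plistlib.load(fh)
        schemes = [s for t in info.get("CFBundleURLTypes", [])
                   for s in t.get("CFBundleURLSchemes", [])]
        if schemes:
            found[bundle.name] = schemes
    return found


def demo() -> dict:
    """Build the constructed sample in a temp dir and report scheme handlers."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        return url_scheme_handlers(root)
```

On a real Mac, point `url_scheme_handlers` at `Path.home() / "Downloads"`; any bundle it lists has advertised a scheme that a web page could trigger via the Safari prompt described above.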
How to Prevent the WINDSHIFT APT macOS Exploit
There is one quite simple way to prevent this exploit, and it requires turning off automatic unzipping of “safe” files. To do so, follow these steps:
Open Safari’s Preferences, go to the General tab, and simply uncheck Open “safe” files after downloading.
It is safe to assume that Apple may be planning to automatically prevent files from unzipping by default in its forthcoming updates.
In the meantime, if you believe that your macOS system is infected by malware, you can run a check and remove any malware that is discovered.