Malware looks like normal Apple files due to code-signing bypass flaw
Hiding in plain sight as what appears to be an official Apple system file, malware can worm its way onto Macs. A recently disclosed code-signing bypass lets unsigned code pass as Apple-signed. The flaw is not in Apple's signatures themselves but in how some developers have used Apple's code-signing APIs. Apple provides these APIs to developers who want to build a security function that verifies a file is legitimate by checking that its code is signed. Many developers have not called the API with the right options, so an unsigned, malicious binary can be reported as signed by Apple. The result is that malware can fool vulnerable security products and services into treating it as just another legitimate Apple file, slipping past their checks and onto the machine. Several security products, some open-source projects, and security tooling used by Google, Facebook and Yelp are among those affected.
Code signing uses public key infrastructure to digitally sign files and pieces of code in order to mark them as trusted and vendor-approved. Verifying those signatures is a central step in application whitelisting, antivirus, incident response and threat hunting. Researchers note that on macOS, code signing applies to Mach-O files, each of which targets one native CPU architecture. Several Mach-O files built for different architectures can be bundled into a single Fat/Universal file, and the bypass comes from the lack of per-architecture signature verification of the Mach-O files inside such a bundle. The vulnerability lies in the gap between which slice the Mach-O loader actually executes and which slice an improperly used code-signing API actually checks.
For this to work, the first Mach-O binary in the Fat/Universal file must be legitimately signed by Apple. A malicious binary compiled for i386 is then appended, targeting an x86_64 macOS host. The legitimate slice's CPU type in the Fat header also has to be set to a value that is invalid or not native to the platform. Because the loader selects a slice by the CPU type recorded in the Fat header, it skips the validly signed Apple binary and executes the malicious i386 code instead.
The code-signing API checks the first binary, the legitimate Apple file, and its certificate chain up to Apple's root of trust, but it does not perform that check on the appended malicious slice; it reports the whole file as approved and verified. The bypass requires no admin access, no JIT'd code and no memory corruption: a correctly formatted Fat/Universal file is enough for the code-signing checks to return valid. The code-signing APIs do have flags intended to ensure that every slice in the file is cryptographically signed, but they are not applied by default, so third-party developers need to separate and verify each architecture in the Fat/Universal file and confirm that the signing identities match and that each signature is cryptographically sound. Fixes are the developer's responsibility.
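The per-slice checks described above can be illustrated with a small structural triage of a Fat/Universal file. The following is an added example, not code from the article or from any of the affected vendors: it parses the big-endian Fat header, reads each slice's own Mach-O header, looks for an LC_CODE_SIGNATURE load command, and reports where the slice the loader would execute differs from the slice a naive first-slice check validates. It does not verify any signature cryptographically (that needs the real Security.framework on macOS); it only shows the gap the text describes. The sample Fat files are constructed inline with stub slices, and the value `INVALID_CPUTYPE` is an arbitrary placeholder for "a CPU type no loader recognises". The i386 fallback on an x86_64 host is a simplification of the loader's real selection logic (32-bit slices ran on x86_64 macOS through 10.14).

```python
"""Structural triage of a Fat/Universal Mach-O: which slice runs vs. which slice is signed."""
import struct

FAT_MAGIC = 0xCAFEBABE            # fat header and fat_arch entries are big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # Mach-O headers, little-endian on x86
MH_EXECUTE = 2
LC_UUID, LC_CODE_SIGNATURE = 0x1B, 0x1D

CPU_TYPE_X86, CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 7, 0x01000007, 0x0100000C
KNOWN_CPUTYPES = {CPU_TYPE_X86: "i386", CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
INVALID_CPUTYPE = 0x0BADC0DE      # hypothetical: any value the loader does not recognise


def build_slice(cputype, signed, bits64):
    """Constructed minimal MH_EXECUTE slice: header, load commands, 16 bytes of stand-in code."""
    cmds = struct.pack("<II", LC_UUID, 24) + b"\x11" * 16          # LC_UUID, cmdsize 24
    if signed:                                                      # linkedit_data_command (stub)
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)
    magic = MH_MAGIC_64 if bits64 else MH_MAGIC
    hdr = struct.pack("<IiiIIII", magic, cputype, 3, MH_EXECUTE, 2 if signed else 1, len(cmds), 0)
    if bits64:
        hdr += b"\0" * 4                                            # mach_header_64.reserved
    return hdr + cmds + b"\x90" * 16


def build_fat(entries, align=0x1000):
    """entries: (cputype written into the fat header, slice bytes). The fat-header cputype is
    deliberately independent of the slice's own header, which is what the bypass abuses."""
    n, header_len = len(entries), 8 + 20 * len(entries)
    offsets, pos = [], header_len
    for _, data in entries:
        pos = -(-pos // align) * align                              # round up to alignment
        offsets.append(pos)
        pos += len(data)
    blob = bytearray(pos)
    struct.pack_into(">II", blob, 0, FAT_MAGIC, n)
    for i, ((cputype, data), off) in enumerate(zip(entries, offsets)):
        struct.pack_into(">iiIII", blob, 8 + 20 * i, cputype, 3, off, len(data), align.bit_length() - 1)
        blob[off:off + len(data)] = data
    return bytes(blob)


def parse_fat(blob):
    magic, n = struct.unpack_from(">II", blob, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a Fat/Universal file")
    return [dict(zip(("fat_cputype", "cpusubtype", "offset", "size", "align"),
                     struct.unpack_from(">iiIII", blob, 8 + 20 * i)), index=i) for i in range(n)]


def inspect_slice(blob, off, size):
    """Return (cputype from the slice's own Mach-O header, has LC_CODE_SIGNATURE)."""
    magic = struct.unpack_from("<I", blob, off)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        return None, False
    hdr_len = 32 if magic == MH_MAGIC_64 else 28
    _, cputype, _, _, ncmds, sizeofcmds, _ = struct.unpack_from("<IiiIIII", blob, off)
    pos, end, signed = off + hdr_len, min(off + hdr_len + sizeofcmds, off + size), False
    for _ in range(ncmds):
        if pos + 8 > end:
            break
        cmd, cmdsize = struct.unpack_from("<II", blob, pos)
        signed = signed or cmd == LC_CODE_SIGNATURE
        if cmdsize < 8:
            break
        pos += cmdsize
    return cputype, signed


def loader_choice(slices, host=CPU_TYPE_X86_64):
    """Simplified slice selection: exact host match, else i386 fallback on an x86_64 host."""
    for s in slices:
        if s["fat_cputype"] == host:
            return s["index"]
    if host == CPU_TYPE_X86_64:
        for s in slices:
            if s["fat_cputype"] == CPU_TYPE_X86:
                return s["index"]
    return None


def analyze(blob, host=CPU_TYPE_X86_64):
    slices, findings = parse_fat(blob), []
    for s in slices:
        s["mh_cputype"], s["signed"] = inspect_slice(blob, s["offset"], s["size"])
        i = s["index"]
        if s["fat_cputype"] not in KNOWN_CPUTYPES:
            findings.append(f"slice {i}: fat header cputype {s['fat_cputype']:#x} is not a known architecture")
        if s["mh_cputype"] is not None and s["fat_cputype"] != s["mh_cputype"]:
            findings.append(f"slice {i}: fat header cputype differs from the Mach-O header cputype")
        if not s["signed"]:
            findings.append(f"slice {i}: no LC_CODE_SIGNATURE load command")
    chosen = loader_choice(slices, host)
    if chosen not in (None, 0):
        findings.append(f"loader would execute slice {chosen}, not slice 0 that a first-slice check validates")
    return {"slices": slices, "loader_slice": chosen, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


def sample_bypass():
    """Constructed: 'Apple-signed' x86_64 slice with an invalid fat cputype, unsigned i386 appended."""
    apple = build_slice(CPU_TYPE_X86_64, signed=True, bits64=True)
    evil = build_slice(CPU_TYPE_X86, signed=False, bits64=False)
    return build_fat([(INVALID_CPUTYPE, apple), (CPU_TYPE_X86, evil)])


def sample_clean():
    """Constructed: both slices signed and fat/Mach-O cputypes consistent."""
    return build_fat([(CPU_TYPE_X86_64, build_slice(CPU_TYPE_X86_64, True, True)),
                      (CPU_TYPE_X86, build_slice(CPU_TYPE_X86, True, False))])


if __name__ == "__main__":
    for name, blob in (("bypass", sample_bypass()), ("clean", sample_clean())):
        r = analyze(blob)
        print(f"{name}: {r['verdict']}, loader picks slice {r['loader_slice']}")
        for f in r["findings"]:
            print("  -", f)
```

The point of the example is the last finding: a check that validates only slice 0 and a loader that executes slice 1 disagree about which code is being trusted. On macOS the real remedy, which this script only mimics structurally, is to ask the Security framework to validate every architecture (the `kSecCSCheckAllArchitectures` and `kSecCSStrictValidate` flags of `SecStaticCodeCheckValidity`) and to confirm that each slice's signing identity matches, rather than relying on the default single-slice behaviour.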
Known affected vendors and open-source projects have been notified, and patches are available. They include Carbon Black, Facebook, F-Secure, Google, Objective Development, Objective-See, VirusTotal and Yelp. Other third-party security, forensics and incident-response tools that use the official code-signing APIs may also be affected.