This is exactly what I meant in the other topic, even on the iOS and macOS you might still get hit with zero day malware if you are unlucky enough to be tricked into opening certain files.
And here is another example of how people may get tricked into running malware on macOS, and there is no guarantee that built-in protection would stop it. Apparently, hackers have spread fake versions of the iTerm2 app via malicious sponsored links on Baidu. https://www.cyclonis.com/fake-iterm2-website-spreads-the-osx-zuru-malware/
Apparently that rogue version of iTerm2 was not notarized; wouldn't users get a warning when trying to execute this software?
I'm not an expert on macOS security, but if Apple had to revoke the certificate on 15 September 2021, then I'm guessing that it would have been able to run freely before they decided to take action?
My faith in some of Apple's macOS security precautions continues to erode. Sigh... On average, I use the terminal emulator replacement iTerm2 for macOS Mojave (and above) about a half-dozen times per day. I originally installed it, and keep it automatically updated, with the Homebrew package manager. I feel like I have unknowingly dodged a bullet! BTW, the official iTerm2 for macOS .zip archive file seems to be notarized (H7V7XYVQ7D) okay from George Nachman's https://iterm2.com server, and the present build is 3.4.10. FWIW - iTerm2-3_4_10.zip SHA-256 hash: 40a62193582dd7c54e6f27e509bdb887ec864513b53d4003763d9e167e44a921 HTH
Well, in this particular case they tried to lure you into some fake site, so it wasn't a true supply chain attack. So people who remain cautious wouldn't have fallen for this, but you can always have a bad day, so it's still tricky stuff. But the key is that it's able to bypass built-in macOS protection.
"not detected as malicious on VirusTotal", so (most?) third-party antivirus software would not have helped either...
Thanks for that article. I especially liked learning the handy way to validate the notarization status of an app via the command line...
Hello @Alec, your spctl command line solution is terrific for onesies and twosies. To ease the burden of verifying all executables in a directory (e.g. ~/Application), I have found that the notarized Signet v1.3 utility from The Eclectic Light Company is a good yet thorough time saver and can save its output in a .text file for later perusal. FWIW - Although likely harmless, I have deleted some years-old un-notarized apps I had forgotten about. @Rasheed187 Yes. Somewhere along the line, Mac's Gatekeeper needs an upgrade to catch that fake iTerm2 type of malware, and Mac's Gatekeeper Compatibility Data has not been updated since November 2020. Cheers
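The two checks discussed in the posts above (comparing a download's SHA-256 against the value published for iTerm2-3_4_10.zip, and running a Gatekeeper/notarization assessment with spctl over every app in a directory) can be scripted together. The script below is an added example, not code from anyone in this thread or from the iTerm2 project; the function names are my own, and it assumes a POSIX shell plus either shasum or sha256sum. The spctl part only works on macOS, since that is the only platform that has the tool.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded archive's SHA-256
# against a published value, then run a Gatekeeper assessment on app bundles.

# Print the lowercase hex SHA-256 of a file.
# macOS ships shasum; most Linux distributions ship sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the file's digest equals EXPECTED_HEX (case-insensitive), 1 otherwise.
verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# assess_apps DIR
# Runs spctl's Gatekeeper assessment on every .app bundle directly under DIR
# and prints ACCEPTED/REJECTED per bundle with spctl's own verbose reason.
# Returns 2 when spctl is unavailable (i.e. not running on macOS).
assess_apps() {
    dir="$1"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available: Gatekeeper assessment requires macOS" >&2
        return 2
    fi
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        if spctl --assess --type execute --verbose=4 "$app" 2>&1; then
            echo "ACCEPTED: $app"
        else
            echo "REJECTED: $app"
        fi
    done
}

# Usage (values from the thread: published hash for the official 3.4.10 zip):
#   verify_sha256 ~/Downloads/iTerm2-3_4_10.zip \
#       40a62193582dd7c54e6f27e509bdb887ec864513b53d4003763d9e167e44a921 \
#       && echo "hash OK" || echo "HASH MISMATCH - do not open"
#   assess_apps /Applications
```

A hash match only tells you the file is byte-for-byte what the publisher listed, so it has to be compared against a value obtained from the real vendor site, not from the page that served the download; the spctl assessment is the separate check that the bundle's signature and notarization ticket are still accepted by Gatekeeper on this machine.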
It depends a bit: they would have failed to spot it via signatures, but via behavior blocking they may still have blocked it post-execution. That's why it's a pity that there are so few behavior blocking tools for the Mac. I guess the market simply isn't big enough, because I always wondered why SpyShelter was never launched for macOS. OK, thanks for confirming this.
Another day, another zero day for iOS and macOS. And it's even being actively exploited according to both Google and Apple, so it's not just theory. It's a zero day in the OS kernel combined with a flaw in the WebKit engine from Safari to get malware up and running with full system privileges. https://www.helpnetsecurity.com/2021/09/24/cve-2021-30869/
Unless someone can otherwise decipher the updates, Malwarebytes released DTBS 4.0.561 for Malwarebytes for Mac on 23 September 2021, and Apple has quietly released XProtectPlistConfigData 2151 on 2021-09-24. One might hope these are quite helpful. HTH