![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/10\/notarized-malware-again-600x300-1.png\")
<\/p>\n<\/p>\n
For the second time in six weeks, Apple has been caught notarizing Mac malware.<\/p>\n
Intego previously reported<\/a> that Apple inadvertently notarized more than 40 malware samples in August.<\/p>\n This time, rather than the notarized malware belonging to the OSX\/Shlayer and OSX\/Bundlore families, the latest malware is from the\u00a0OSX\/MacOffers<\/strong> (aka MaxOfferDeal) family.<\/p>\n All of the half-dozen samples of Trojan disk image (.dmg) files, as well as the malware’s first-stage Trojan application, had a 0% detection rate on VirusTotal<\/strong> when they were first uploaded between October 6 and 13. Meanwhile, a sample of the second-stage malicious payload was only detected by 4 out of 60 antivirus engines<\/strong> on VirusTotal as of October 12.<\/p>\n The new malware uses a technique called steganography to hide its malicious payload within a separate JPEG image file, which is likely why the malware was able to slip past Apple’s notarization process.<\/p>\n Mac software developers submit apps to the Apple notary service, and Apple runs automated scans to check for malicious content. If the software appears to be malware-free, then Apple automatically notarizes it.<\/p>\n When Apple notarizes an app, it’s much easier for users to run the app on macOS Mojave, macOS Catalina, and the upcoming macOS Big Sur. (One can double-click on a notarized app to open it. However, one must control-click or right-click to open non-notarized apps.)<\/p>\n Therefore, there’s a significantly higher chance that victims will install Trojan horse malware that has sneaked through Apple’s notarization process undetected.<\/p>\n The discovery of this malware marks the second time that Apple is known to have notarized Mac malware samples; the first known incident<\/a> was discovered several weeks earlier, in late August.<\/p>\n Steganography is the ancient technique of stealthily hiding secret information inside something in plain sight. In this case, the application bundle found on the disk image contains a JPEG graphic file that seems innocuous to the naked eye. However, the JPEG contains a Base64-encoded .zip archive file that contains another malicious app.<\/p>\n A JPEG image file within the app bundle steganographically hides a malicious payload.<\/p><\/div>\n We’ve observed steganography used before in Mac malware. Notable examples include the VeryMal<\/a> Shlayer campaign in 2019 and the MacDefender<\/a> fake antivirus family in 2011.<\/p>\n This latest malware threat has been observed in the wild.<\/p>\n Mac malware researcher Matt Muir discovered the first sample while hunting for malware amongst cracked software.<\/p>\n “Cracked software” refers to software that has been modified to remove registration requirements or other restrictions that limit software functionality. Malware makers sometimes try to exploit the na\u00efvet\u00e9 of people who seek to obtain commercial software without paying for it.<\/p>\n See also:<\/em><\/p>\n Why BitTorrent Sites Are a Malware Cesspool<\/a><\/p><\/blockquote>\nWhy is\u00a0notarized malware noteworthy?<\/h3>\n
How does this malware use steganography?<\/h3>\n
![\"Steganographic](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/10\/steganographic-osx-macoffers-maxofferdeal-jpeg.png\")
How was the malware distributed?<\/h3>\n