Infecting macOS via Macro-laden Documents
Patrick Wardle (also: Lorenzo Franceschi-Bicchierai):
Here, we’ll detail the creation of a powerful exploit chain that began with CVE-2019-1457, leveraged a new sandbox escape and ended with a full bypass of Apple’s stringent notarization requirements. Triggered by simply opening a malicious (macro-laced) Office document, no alerts, prompts, nor other user interactions were required in order to persistently infect even a fully-patched macOS Catalina system!
[…]
Though one could no longer create a launch agent (due to Microsoft’s patch), I discovered that macOS had no problem allowing malicious code running in the sandbox from creating a login item! Similar to launch agents, login items are automatically launched by macOS each time the user logs in …and run outside the sandbox […]
See also: The Art Of Mac Malware (tweet).
Previously: