Security researcher Patrick Wardle is out with a close look at a how macOS users can be remotely targeted using document handlers and custom URL schemes – which is behind the “Do you want to allow” popup seen in the above screenshot.
Wardle explains how a custom APT abuses URL schemes to remotely infect macOS targets
On macOS, applications can “advertise” that they can support (or ‘handle’) various document types and/or custom URL schemes. Think of it, as an application saying, “hey if a user tries to open a document of type foo or a url with a scheme of bar I got it!”
You’ve surely encountered this on macOS. For example when you double click a .pdf document Preview.app is launched to handle the document. Or in a browser you click a link to an application which lives in the Mac App Store, the App Store.app is launched to process that request.
Wardle dives deeper into how these schemes are setup from a development point of view, then goes on to examine how custom URL schemes can be used to remotely target Mac users.
It starts with a user visiting a malicious website where a .zip file is automatically downloaded, as Apple allows automatic downloads and unzipping of “safe” files. This zip contains the malicious application in question. From there, the custom URL scheme is registered:
Once the target is visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the achieve will be automatically unzipped, as Apple thinks it’s wise to automatically open “safe” files. This fact is paramount, as it means the malicious application (vs. just a compressed zip archive) will now be on the user’s filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!
This is when Safari will prompt users if they want to allow the webpage in question to open the application responsible for handling that URL scheme. In this instance, the application is the malicious one just downloaded. While Safari does ask the user to “Allow” or “Cancel” this, the text of the prompt is controlled by the attacker – meaning it can be easily deceiving.
Behind the scenes macOS will lookup the handler for this custom URL scheme -which of course is our malicious application (that was just downloaded). Once this lookup is complete, the OS will kindly attempt to launch the malicious application to handle the URL request!
However the characters between the quotation marks are attacker controlled, as they are the name of the application Thus, we can easily make this popup look rather mundane, unintimidating, or even amusing.
File Quarantine will also ask the user for confirmation, but again, the name of the application is controlled by the developer.
The obvious thought here is why GateKeeper would allow the download in the first place. Wardle explains that GateKeeper allows the signed application, and that these days, most macOS malware is signed.
In its default configuration, Gatekeeper allows signed applications. The malware used by the WINDSHIFT APT group was signed (as is most Mac malware these days). So Gatekeeper doesn’t even come into play!
While this is not necessarily a new security hole – and it does require some user interaction – the best protection macOS users can take is to disable automatic unzipping of downloaded files. Click “Preferences” under the Safari header, choose the “General” tab, and uncheck the “Open ‘Safe’ files after downloading” checkbox.’
Read many more details about this issue in Wardle’s full blog post right here.