iTunes Zero-Day Vulnerability Exploited by BitPaymer Ransomware

The BitPaymer ransomware operators were observed abusing a zero-day vulnerability in Apple’s iTunes for Windows to run code and evade detection, Morphisec’s security researchers have discovered.

The security flaw resides in the Bonjour updater that comes packaged with iTunes for Windows and allows attackers to abuse an unquoted path to not only evade detection from antivirus software, but also to maintain persistence on the targeted machine.

Apple has addressed the vulnerability this week with the release of iTunes 12.10.1 for Windows, after being alerted about BitPaymer operators abusing it. The company has credited Michael Gorelik of Morphisec for his assistance.

“The Windows exploit is important to note given Apple is sunsetting iTunes for Macs with the release of macOS Catalina this week, while Windows users will still need to rely on iTunes for the foreseeable future,” Gorelik notes.

Rarely seen in the wild, an unquoted path vulnerability arises when the impacted software’s developers store the executable’s path as a plain string and do not surround it with quotes (“”); because the path contains spaces, Windows may resolve it ambiguously when launching the program.

What Morphisec’s security researchers discovered was that Bonjour, a mechanism that Apple uses to deliver updates, has such an unquoted path. It also has an installation entry in the installed software section, as well as a scheduled task to execute its process.

Moreover, in most cases, users uninstall iTunes but do not remove the Bonjour component separately, meaning that the updater task remains up and working. With numerous computers in enterprise environments still running the Bonjour updater, it’s clear why the attacker chose it for evasion.

Detection solutions usually monitor software behavior, where the chain of process execution plays a major role. Bonjour is a signed and well-known process, and security vendors will avoid flagging it to prevent unnecessary disruptions, meaning that attackers can abuse it to execute a new malicious child process without triggering an alert.

What’s more, the malicious payload in this attack did not use an extension such as “.exe”, meaning that a security program will likely not scan it.

As part of the attack, Bonjour was attempting to run from the “Program Files” folder, but it ended up loading the BitPaymer ransomware due to the unquoted path (the malware was named “Program”). This allowed the attackers to evade detection and bypass antivirus products, Gorelik reveals.

The researcher says this discovery led to the identification of additional unquoted path vulnerabilities in the iTunes software and installer. Exploitation scenarios were possible even with the malicious file placed on a different drive and having a different name, such as Apple or Apple Software.
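To make the ambiguity concrete for defenders, the following added audit helper (not Morphisec’s or Apple’s code) takes service or scheduled-task command lines and lists the locations Windows would try before the intended binary, which is exactly where a file named “Program” or “Apple” could be planted. The sample entries are constructed; the Bonjour binary name and the other drive’s layout are assumptions, not taken from the article.

```python
"""Audit helper: list where Windows would look before the intended binary
when a service ImagePath or scheduled-task command is unquoted."""
import os
import re
from typing import Dict, List

# Constructed sample entries; the Bonjour binary name is an assumption.
SAMPLE_ENTRIES: Dict[str, str] = {
    "Bonjour Service": r"C:\Program Files\Bonjour\mDNSResponder.exe",
    "Safe Quoted": r'"C:\Program Files\Example App\svc.exe" -run',   # hypothetical
    "Safe NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",   # hypothetical
    "Other Drive": r"D:\Apple Software\Updater\update.exe /silent",   # hypothetical
}


def intercept_candidates(cmd: str) -> List[str]:
    """Return the paths Windows may try before the intended executable.

    An unquoted command line is split at each space and each prefix is tried
    (the article's case used the bare name 'Program'; CreateProcess may also
    append '.exe'). A quoted path or a path without spaces is unambiguous."""
    cmd = cmd.strip()
    if not cmd or cmd.startswith('"'):
        return []
    # Only the part up to the executable matters; trailing arguments are ignored.
    m = re.match(r"(?i)(.*?\.exe)(\s|$)", cmd)
    path = m.group(1) if m else cmd
    if " " not in path:
        return []
    parts = path.split(" ")
    out: List[str] = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        out.append(prefix)            # e.g. C:\Program
        out.append(prefix + ".exe")   # e.g. C:\Program.exe
    return out


def audit(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each vulnerable entry name to its interception candidates."""
    return {name: c for name, cmd in entries.items() if (c := intercept_candidates(cmd))}


def planted_files(candidates: List[str]) -> List[str]:
    """Candidates that already exist on disk: a file here deserves a close look."""
    return [p for p in candidates if os.path.exists(p)]


if __name__ == "__main__":
    for name, cands in audit(SAMPLE_ENTRIES).items():
        print(f"{name}: unquoted path, check {cands}; present: {planted_files(cands)}")
```

On a live Windows host the same functions can be fed the ImagePath values from the services registry key and the command strings from scheduled tasks; any candidate whose parent directory is writable by non-administrators is the finding to remediate by quoting the path.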

“Of course, the adversary would need write-privileges for any of those folders. We haven’t observed any possible privilege escalations due to this vulnerability,” the researcher notes.

Related: Forked Version of BitPaymer Ransomware Emerges

Related: Dridex Authors Build New Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.