SecurityWeek

Endpoint Security

iTunes Zero-Day Vulnerability Exploited by BitPaymer Ransomware

The BitPaymer ransomware operators were observed abusing a zero-day vulnerability in Apple’s iTunes for Windows to run code and evade detection, Morphisec’s security researchers have discovered.

The security flaw resides in the Bonjour updater that comes packaged with iTunes for Windows and allows attackers to abuse an unquoted path to not only evade detection from antivirus software, but also to maintain persistence on the targeted machine.

Apple has addressed the vulnerability this week with the release of iTunes 12.10.1 for Windows, after being alerted about BitPaymer operators abusing it. The company has credited Michael Gorelik of Morphisec for his assistance.

“The Windows exploit is important to note given Apple is sunsetting iTunes for Macs with the release of macOS Catalina this week, while Windows users will still need to rely on iTunes for the foreseeable future,” Gorelik notes.

Rarely seen in the wild, an unquoted path vulnerability arises when the affected software's developers assign a path to a plain string variable and do not wrap the path in quotes (""), leaving any spaces in it open to misinterpretation when the path is resolved.

What Morphisec’s security researchers discovered was that Bonjour, a mechanism that Apple uses to deliver updates, has such an unquoted path. It also has an installation entry in the installed software section, as well as a scheduled task to execute its process.

Moreover, in most cases, users uninstall iTunes but do not remove the Bonjour component separately, meaning that the updater task remains up and working. With numerous computers in enterprise environments still running the Bonjour updater, it’s clear why the attacker chose it for evasion.

Detection solutions usually monitor software behavior, where the chain of process execution plays a major role. Bonjour is a signed and well-known process, and security vendors will avoid flagging it to prevent unnecessary disruptions, meaning that attackers can abuse it to execute a new malicious child process without triggering an alert.

What’s more, the malicious payload in this attack did not use an extension such as “.exe”, meaning that a security program will likely not scan it.

As part of the attack, Bonjour was attempting to run from the "Program Files" folder, but it ended up loading the BitPaymer ransomware due to the unquoted path (the malware was named "Program"). This allowed the attackers to evade detection and bypass antivirus products, Gorelik reveals.

The researcher says this discovery led to the identification of additional unquoted path vulnerabilities in the iTunes software and installer. Exploitation scenarios were possible even with the malicious file placed on a different drive and given a different name, such as Apple or Apple Software.

“Of course, the adversary would need write-privileges for any of those folders. We haven’t observed any possible privilege escalations due to this vulnerability,” the researcher notes.
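The following audit helper is an added example, not code from SecurityWeek, Morphisec or Apple. It takes the raw command string of a scheduled task or service and enumerates the truncated prefixes that an unquoted, space-containing path exposes (the mechanism by which a file named "Program" could be loaded in place of a binary under "Program Files"), then reports whether a file already sits at each prefix and whether its parent directory is writable by the current user. All sample paths are constructed.

```python
"""Audit helper for unquoted command paths (added example; not SecurityWeek's,
Morphisec's or Apple's code). Given the raw "Task To Run" or service ImagePath
string, it lists every truncated prefix Windows may try to execute before the
intended binary. Sample paths below are constructed."""
import ntpath
import os


def is_quoted(command: str) -> bool:
    """A path wrapped in double quotes resolves unambiguously."""
    return command.startswith('"')


def hijack_candidates(command: str) -> list[str]:
    """Return the prefix paths an unquoted, space-containing command exposes.

    Each space is a possible split point: the text before it is tried as an
    executable name, both as-is and with ".exe" appended. Enumeration stops
    at the first prefix that already ends in ".exe" (treated as the intended
    image; anything after it is assumed to be arguments).
    """
    if is_quoted(command):
        return []
    candidates = []
    parts = command.split(" ")
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            break
        candidates.extend([prefix, prefix + ".exe"])
    return candidates


def audit(command: str) -> list[dict]:
    """Check each candidate on the local host: is a file already present there,
    and is its parent directory writable by the current user (risk indicator)?"""
    findings = []
    for cand in hijack_candidates(command):
        parent = ntpath.dirname(cand)  # Windows-style split, works on any host
        findings.append({
            "path": cand,
            "file_present": os.path.exists(cand),
            "parent_writable": os.path.isdir(parent) and os.access(parent, os.W_OK),
        })
    return findings


if __name__ == "__main__":
    # Constructed sample entries, as exported by e.g. `schtasks /query /v /fo CSV`.
    for cmd in (r"C:\Program Files\Example Updater\updater.exe /silent",
                r'"C:\Program Files\Example Updater\updater.exe" /silent',
                r"D:\Apple Software Update\example.exe"):
        print(cmd, "->", [f["path"] for f in audit(cmd)])
```

Any candidate with `file_present` set warrants investigation; any with `parent_writable` set is a hardening gap that quoting the path in the task or service definition closes.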

Written by Ionut Arghire, an international correspondent for SecurityWeek.
