Gatekeeper Bypass

Information

• Name: Gatekeeper Bypass

• ID: T1553.001

• Tactics: TA0005

• Technique: T1553

Introduction

Gatekeeper Bypass (T1553.001) is a sub-technique within MITRE ATT&CK's "Subvert Trust Controls" category. Gatekeeper is a security feature in macOS designed to ensure only trusted software runs on the system by validating digital signatures and enforcing policies. Attackers utilize Gatekeeper bypass techniques to execute untrusted or malicious software without triggering security alerts or user warnings, effectively circumventing built-in macOS security checks.

Deep Dive Into Technique

Gatekeeper operates by verifying software signatures and checking applications downloaded from the internet. It prevents execution of unsigned or untrusted applications unless explicitly permitted by the user. Attackers bypass Gatekeeper through various sophisticated methods:

• Attribute Manipulation: Attackers remove or alter the quarantine attribute (com.apple.quarantine) from downloaded files using commands such as:

  Copy

  xattr -d com.apple.quarantine /path/to/application

• Misuse of Signed Applications: Attackers embed malicious payloads within legitimately signed applications, leveraging valid signatures to bypass Gatekeeper checks.

• Disk Image and Archive Abuse: Attackers package malicious software inside disk images (DMG) or archives (ZIP) that bypass Gatekeeper checks when opened or executed under specific conditions.

• Exploitation of Vulnerabilities: Attackers exploit vulnerabilities within macOS or Gatekeeper itself (e.g., CVE-2021-30657) to bypass signature verification entirely.

• Script-Based Attacks: Attackers use scripts or macros embedded within documents or installers to execute malicious code without triggering Gatekeeper's normal security prompts.

Attackers frequently combine these methods with social engineering techniques to trick users into executing malicious downloads.

When this Technique is Usually Used

Gatekeeper Bypass is typically employed in the following attack scenarios and stages:

• Initial Access:

  • Attackers deliver malicious payloads via phishing emails or compromised websites, tricking users into downloading and executing malicious software.

• Execution and Persistence:

  • Attackers use Gatekeeper bypass to ensure malicious payloads execute silently and persistently without user suspicion or alerts.

• Privilege Escalation and Lateral Movement:

  • Attackers leverage Gatekeeper bypass to execute unauthorized tools or scripts that facilitate further compromise, escalation, or lateral movement within macOS environments.

• Supply Chain Attacks:

  • Attackers compromise legitimate software or distribution channels, embedding malicious payloads that bypass Gatekeeper due to trusted signatures or altered attributes.

How this Technique is Usually Detected

Detection of Gatekeeper bypass techniques typically involves monitoring and analyzing system-level indicators, file attributes, and suspicious behaviors:

• Monitoring Quarantine Attribute Removal:

  • Detecting the removal or modification of the com.apple.quarantine attribute from files using endpoint detection and response (EDR) tools or file integrity monitoring (FIM) solutions.

• File and Process Monitoring:

  • Monitoring execution of unsigned or suspicious binaries, scripts, or processes that originate from untrusted sources or unusual directories.

• Behavioral Analytics:

  • Leveraging behavioral analytics tools to detect abnormal execution patterns, such as processes spawned by documents or installers that bypass Gatekeeper.

• Endpoint Security Solutions:

  • Utilizing endpoint detection and response (EDR) solutions to detect known Gatekeeper bypass techniques, signature anomalies, and unauthorized executions.

• Log Analysis:

  • Reviewing macOS system logs and audit logs for suspicious entries related to Gatekeeper checks, quarantined files, and attribute manipulations.

• Specific Indicators of Compromise (IoCs):

  • Presence of xattr -d com.apple.quarantine command execution.

  • Execution of binaries or scripts from unusual locations like /tmp, /var/tmp, or user Downloads folder without quarantine attributes.

  • Suspicious disk images (.dmg files) or archives (.zip, .pkg) downloaded and executed without Gatekeeper prompts.

  • Unexpected or unauthorized changes in macOS security settings related to Gatekeeper (spctl --status, spctl --master-disable).

Why it is Important to Detect This Technique

Detecting Gatekeeper bypass techniques is crucial due to their significant impacts on macOS systems and network security:

• Malware Execution:

  • Successful bypass allows attackers to execute malware without user consent or awareness, leading to further compromise and persistence.

• Privilege Escalation:

  • Attackers may leverage Gatekeeper bypass to execute tools that escalate privileges, gaining administrative or root-level access.

• Data Exfiltration and Espionage:

  • Attackers can silently deploy espionage tools or data exfiltration malware, resulting in sensitive data leakage and intellectual property theft.

• Persistence and Long-Term Compromise:

  • Undetected Gatekeeper bypass can establish persistent footholds, enabling attackers to maintain long-term access and perform ongoing malicious activities.

• Reduced Security Posture:

  • Successful bypass undermines macOS built-in defenses, weakening overall security posture and increasing susceptibility to future attacks.

• Compliance and Regulatory Issues:

  • Failure to detect Gatekeeper bypass can lead to compliance violations, regulatory penalties, and reputational damage due to breaches and unauthorized access.

Early detection of Gatekeeper bypass techniques enables prompt incident response, containment, and mitigation, significantly reducing potential damage and impact.

Examples

Real-world examples demonstrating Gatekeeper bypass techniques include:

• Shlayer Malware Campaign (2020):

  • Attackers distributed malicious installers disguised as Adobe Flash Player updates via compromised websites.

  • Utilized scripts and DMG files that bypassed Gatekeeper by removing quarantine attributes, allowing malware installation without security prompts.

  • Impact: Led to widespread infection, adware deployment, and user privacy compromise.

• Silver Sparrow Malware (2021):

  • Leveraged legitimate Apple developer certificates to sign malicious binaries, bypassing Gatekeeper’s signature validation.

  • Distributed via malicious installers packaged in DMG files, silently executing malicious payloads without triggering Gatekeeper alerts.

  • Impact: Gained significant foothold across thousands of macOS devices, prompting Apple to revoke certificates and enhance Gatekeeper defenses.

• macOS CVE-2021-30657 (2021):

  • Vulnerability allowing attackers to package malicious applications without triggering Gatekeeper prompts or quarantine attributes.

  • Attackers exploited this flaw to silently execute malware upon user interaction with malicious installers.

  • Impact: Forced Apple to issue security updates and patches to address the vulnerability and prevent further exploitation.

• XCSSET Malware (2020):

  • Malware injected into Xcode projects, distributing compromised applications that bypassed Gatekeeper due to trusted developer signatures.

  • Impact: Allowed attackers to steal sensitive user information, browser cookies, and perform espionage activities.

These examples highlight the diverse methods attackers use to bypass Gatekeeper, emphasizing the importance of robust detection, monitoring, and prompt response strategies.