Attackers use iTunes zero-day to bypass the detection of anti-virus software
Security researchers from Morphisec discovered a new campaign that exploits a component in iTunes for Windows to install BitPaymer ransomware on target machines. The most important vector of the attack is that he zero-day allows the attackers to breach the targeted company without triggering anti-virus protection alarms.
The so-called unquoted path vulnerability was discovered within Apple sofware's for Windows Bonjour component only a month after the research team from Morphisec published a report about the BitPaymer/IEncrypt campaign. The same culprits now adopted a new technique that is persistent and evasive when the flaw is exploited. Experts analyzed a malware sample after it was identified on automotive corporation computers in August 2019.
The security team immediately contacted Apple for support, and the zero-day vulnerability was patched earlier this week. Due to this, Morphisec researchers were free to publish their findings without putting iTunes for Windows users at risk:
Morphisec followed responsible disclosure policies and immediately shared the details of the attack with Apple. Within the disclosure period and while waiting for the official patch, Morphisec has identified and reported on additional vulnerable components that could be similarly misused.
Program developers still forget to add necessary elements to prevent unquoted path vulnerabilities
Unquoted path vulnerability resides in a service or a process that has administrative rights – it can give the attackers a possibility to escalate privileges. Although these types of flaws are not very commonly observed being exploited, they have around for more than 15 years and seen in such popular software like ExpressVPN or ForcePoint VPN,, and other applications.
The bug occurs when software developers forget to apply quotation markings that should surround the file path. Bonjour element is designed to deliver Apple updates to iTunes software, and researchers found the bug there – one of the paths used in the code was missing quotes.
When the bug lies within a process that is digitally signed and is trusted by the operating system, malicious actors can import modifications through it without the AV engines reacting to it. This particular feature makes iTunes zero-day particularly dangerous.
Malware researchers explained:
As many detection solutions are based on behavior monitoring, the chain of process execution (parent-child) plays a major role in alert fidelity. If a legitimate process signed by a known vendor executes a new malicious child process, an associated alert will have a lower confidence score than it would if the parent was not signed by a known vendor. Since Bonjour is signed and known, the adversary uses this to their advantage.
The report also stated that the file used for payload delivery was not .exe, which means that most of the AV applications would not scan files with uncommon extensions to prevent the performance impact. The unquoted path allowed BitPaymer ransomware to be launched instead of the Bonjour component, as it was named “Program.” Researchers say that the malicious file can also be named as “Apple” or “Apple Software” to be capable of being launched the same way.
Uninstall Bonjour component if you are no longer using iTunes for Windows
During the initial campaign investigation, Morphisec researchers discovered that most of the users are unaware that Bonjour is a separate component and needs to be uninstalled separately from iTunes. For that reason, experts found it running on multiple machines – outdated and vulnerable to unquoted path vulnerability exploitation. Thus, those who used to run iTunes before and uninstalled it need to ensure that the Bonjour component is eliminated as well.
Those who run iTunes on Windows should immediately patch the software with the latest Apple updates – while it is usually done automatically, we suggest users double-check if they are running the newest version of the application, just to be sure. Additionally, the patch addresses issues in iCloud for Windows.
BitPaymer is closely related to iEncrypt, which previously infected a high-profile beverage maker Arizona beverages and was later spotted by Trend Micro researchers attacking companies via a command-line tool PsExec.