The BitPaymer ransomware operators were observed abusing a zero-day vulnerability in Apple’s iTunes for Windows to run code and evade detection, Morphisec’s security researchers have discovered.
The security flaw resides in the Bonjour updater that comes packaged with iTunes for Windows and allows attackers to abuse an unquoted path to not only evade detection from antivirus software, but also to maintain persistence on the targeted machine.
Apple has addressed the vulnerability this week with the release of iTunes 12.10.1 for Windows, after being alerted about BitPaymer operators abusing it. The company has credited Michael Gorelik of Morphisec for his assistance.
“The Windows exploit is important to note given Apple is sunsetting iTunes for Macs with the release of macOS Catalina this week, while Windows users will still need to rely on iTunes for the foreseeable future,” Gorelik notes.
Rarely seen in the wild, the unquoted path vulnerability means that the impacted software’s developers only used the String type of the variable assigned with a path in object-oriented programming, and did not surround the path by quotes (“\\”).
What Morphisec’s security researchers discovered was that Bonjour, a mechanism that Apple uses to deliver updates, has such an unquoted path. It also has an installation entry in the installed software section, as well as a scheduled task to execute its process.
Moreover, in most cases, users uninstall iTunes but do not remove the Bonjour component separately, meaning that the updater task remains up and working. With numerous computers in enterprise environments still running the Bonjour updater, it’s clear why the attacker chose it for evasion.
Detection solutions usually monitor software behavior, where the chain of process execution plays a major role. Bonjour is a signed and well known process and security vendors will avoid flagging it to prevent unnecessary disruptions, meaning that attackers can abuse it to execute a new malicious child process and avoid triggering an alert.
What’s more, the malicious payload in this attack did not use an extension such as “.exe”, meaning that a security program will likely not scan it.
As part of the attack, Bonjour was attempting to run from the “Program Files” folder, but it ended up loading the BitPaymer ransomware due to the unquoted path (the malware was named “Program”). This allowed the attackers to evade detection and bypass antiviruses, Gorelik reveals.
The researcher says this discovery led to the identification of additional unquoted path vulnerabilities in the iTunes software and installer. Exploitation scenarios were possible even with the malicious file placed on a different drive and having a different name, such as Apple or Apple Software.
“Of course, the adversary would need write-privileges for any of those folders. We haven’t observed any possible privilege escalations due to this vulnerability,” the researcher notes.
Related: Dridex Authors Build New Ransomware