The cybercriminal group behind BitPaymer and iEncrypt ransomware attacks has been found exploiting a zero-day vulnerability affecting a little-known component that comes bundled with Apple's iTunes and iCloud software for Windows to evade antivirus detection.
The vulnerable component in question is the Bonjour updater, a zero-configuration implementation of network communication protocol that works silently in the background and automates various low-level network tasks, including automatically download the future updates for Apple software.
To be noted, since the Bonjour updater gets installed as a separate program on the system, uninstalling iTunes and iCloud doesn't remove Bonjour, which is why it eventually left installed on many Windows computers — un-updated and silently running in the background.
Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology
Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.Join Now
Cybersecurity researchers from Morphisec Labs discovered the exploitation of the Bonjour zero-day vulnerability in August when the attackers targeted an unnamed enterprise in the automotive industry the BitPaymer ransomware.
Unquoted Service Path Vulnerability in Apple's Bonjour Service
The Bonjour component was found vulnerable to the unquoted service path vulnerability, a common software security flaw that occurs when the path of an executable contains spaces in the filename and is not enclosed in quote tags ("").
The unquoted service path vulnerability can be exploited by planting a malicious executable file to the parent path, tricking legitimate and trusted applications into executing malicious programs to maintain persistence and evade detection.
"In this scenario, Bonjour was trying to run from the Program Files folder, but because of the unquoted path, it instead ran the BitPaymer ransomware since it was named Program," the researchers said.
"As many detection solutions are based on behavior monitoring, the chain of process execution (parent-child) plays a major role in alert fidelity. If a legitimate process signed by a known vendor executes a new malicious child process, an associated alert will have a lower confidence score than it would if the parent was not signed by a known vendor."
"Since Bonjour is signed and known, the adversary uses this to their advantage."
Besides escaping from the detection, in some cases, the unquoted service path vulnerability could also be abused to escalate privileges when the vulnerable program has the rights to run under higher privileges.
However, in this particular case, the Bonjour zero-day didn't allow the BitPaymer ransomware to gain SYSTEM rights on the infected computers. But it did allow the malware to evade common detection solutions that are based on behavior monitoring because the Bonjour component appears like a legitimate process.
Security Patches Released (iTunes / iCloud for Windows)
Immediately after discovering the attack, researchers at Morphisec Labs responsibly shared the details of the attack with Apple, who just yesterday released iCloud for Windows 10.7, iCloud for Windows 7.14, and iTunes 12.10.1 for Windows to address the vulnerability.
Windows users who have iTunes or/and iCloud installed on their system are highly recommended to update their software to the latest versions.
In case you ever had installed one of these Apple software on your Windows computer and then uninstalled it, you should check the list of installed applications on your system for the Bonjour updater and uninstall it manually.