{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/app-translocation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*"],"_cs_cves":[{"id":"CVE-2015-3715"},{"cvss":6.7,"id":"CVE-2015-7024"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ictool"],"_cs_severities":["medium"],"_cs_tags":["app-translocation","gatekeeper","macos","security-mitigation"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eApple introduced App Translocation in macOS v10.12 as a response to Gatekeeper bypasses, specifically CVE-2015-3715 and CVE-2015-7024. The core issue was that external content referenced by a verified application through a relative path was not itself verified. App Translocation addresses this by creating a read-only DMG image at a randomized location when an application downloaded from the internet is launched. Only the application bundle is included in this DMG. This prevents the application from accessing external resources in the same directory, thus thwarting bypasses that abuse relatively referenced external content. This mechanism relies on the com.apple.quarantine extended attribute to identify downloaded applications. The goal is to generically thwart all Gatekeeper bypasses that abuse relatively referenced external content. This re-architecting of Gatekeeper required changes to numerous OS components and can cause issues for legitimate applications attempting to modify their components post-launch.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious installer package (e.g., ZIP archive or unsigned DMG) containing a signed, Gatekeeper-approved application vulnerable to dylib hijacking.\u003c/li\u003e\n\u003cli\u003eThe package also includes a malicious, unsigned dynamic library (dylib) or executable placed alongside the signed application (e.g., \u0026ldquo;ibtoold\u0026rdquo; next to \u0026ldquo;ictool\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eUser downloads the malicious package from the internet. The downloaded archive is tagged with the \u003ccode\u003ecom.apple.quarantine\u003c/code\u003e extended attribute.\u003c/li\u003e\n\u003cli\u003eUser extracts the application from the downloaded package and double-clicks the signed application to execute it.\u003c/li\u003e\n\u003cli\u003eApp Translocation intercepts the execution attempt and creates a read-only DMG image on the fly, containing \u003cem\u003eonly\u003c/em\u003e the signed application bundle, at a randomized location.\u003c/li\u003e\n\u003cli\u003eThe translocated copy of the application is executed from the read-only DMG.\u003c/li\u003e\n\u003cli\u003eThe signed application attempts to load or execute the external, malicious dylib or executable using a relative path.\u003c/li\u003e\n\u003cli\u003eDue to App Translocation, the external content is not present at the randomized location. The attack fails because the application cannot find the unverified external content.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eApp Translocation was designed to prevent attackers from bypassing Gatekeeper by exploiting signed applications that load external, unvalidated content. Without this mitigation, attackers could execute arbitrary code, potentially leading to malware installation, data theft, or system compromise. The security mechanism has negatively affected legitimate applications that rely on modifying their components or accessing external files in the same directory, requiring developers to find workarounds.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the presence of the \u003ccode\u003ecom.apple.quarantine\u003c/code\u003e extended attribute on downloaded files, using file_event logs, to identify applications potentially subject to App Translocation.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect App Translocation Bypass via File Access\u0026rdquo; Sigma rule to identify applications attempting to access files in their original download location after being translocated.\u003c/li\u003e\n\u003cli\u003eAudit applications that modify their own binaries or metadata after launch, as App Translocation can prevent these operations. Consider refactoring these applications to comply with App Translocation or explore alternative distribution methods.\u003c/li\u003e\n\u003cli\u003eIdentify applications affected by App Translocation, since it can break auto-update or other legitimate features.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-app-translocation/","summary":"Apple's App Translocation in macOS v10.12 mitigates Gatekeeper bypasses (CVE-2015-3715, CVE-2015-7024) by creating a read-only DMG, impacting applications accessing external resources.","title":"Apple's App Translocation Security Mechanism","url":"https://feed.craftedsignal.io/briefs/2024-01-app-translocation/"}],"language":"en","title":"CraftedSignal Threat Feed — App-Translocation","version":"https://jsonfeed.org/version/1.1"}