The operators of the BitPaymer ransomware have been spotted using a zero-day in iTunes for Windows as a mechanism to bypass antivirus detection on infected hosts.
The attacks and the zero-day were found by cyber-security firm Morphisec on the network of an enterprise in the automotive industry that got hit by BitPaymer in August.
Apple patched the zero-day this week, in both iTunes for Windows and iCloud for Windows [1, 2]. The actual bug resided in the Bonjour updater component that ships with both products.
The BitPaymer gang discovered a so-called “Unquoted Service Path” vulnerability in the binary of the Bonjour updater.
This type of vulnerability allowed crooks to launch the Bonjour component and then hijack its execution path and point it to the BitPaymer ransomware instead.
The zero-day didn’t allow the BitPaymer ransomware to get admin rights, but it did fool locally installed antivirus software.
After discovering evidence of the zero-day, Morphisec reported the issue to Apple, and the OS maker patched it this month, according to a report the company shared exclusively with ZDNet this week.
But Michael Gorelik, CTO at Morphisec, says things aren’t as simple as updating the two Apple apps. Users who used these two apps in the past are also vulnerable.
That’s because the Bonjour component remains installed on Windows systems even after users uninstall iTunes or iCloud for Windows.
Sysadmins must scan workstations for the Bonjour component and remove it by hand, or install the latest iTunes for Windows version to make sure the older Bonjour component has been updated.
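To make the two points above concrete (what an “Unquoted Service Path” looks like, and how to scan a machine for a leftover Bonjour service), here is an added audit helper that is not part of the article or of Morphisec's or Apple's code. It works on service ImagePath strings of the kind stored under HKLM\SYSTEM\CurrentControlSet\Services; the sample entries below are constructed for illustration, not copied from a real system, and the function names are my own. The check flags any service whose unquoted binary path contains a space before the executable name, because Windows resolves such a path ambiguously and may try a shorter executable first; this generalises beyond Bonjour to any service.

```python
import re

# Constructed sample entries in the shape of registry ImagePath values
# (service name -> ImagePath). Not real data from any host.
SAMPLE_SERVICES = {
    "Bonjour Service": r"C:\Program Files\Bonjour\mDNSResponder.exe",   # unquoted + spaces
    "QuotedAgent":     r'"C:\Program Files\Vendor\agent.exe" --service', # quoted: safe
    "NoSpaces":        r"C:\Windows\system32\svchost.exe -k netsvcs",    # no spaces: safe
    "DeepPath":        r"C:\Program Files\Common Files\Vendor\svc.exe",   # two ambiguity points
}


def ambiguous_prefixes(image_path):
    """Return the shorter executables Windows would look for before the intended
    one when the path is unquoted and has spaces in its directory part; [] if safe."""
    p = image_path.strip()
    if not p or p.startswith('"'):
        return []  # quoted paths are resolved unambiguously
    # Only the portion up to and including the executable name matters; text
    # after it is arguments. Assumes a .exe binary (adjust for other extensions).
    m = re.search(r"\.exe\b", p, re.IGNORECASE)
    path_only = p[: m.end()] if m else p
    parts = path_only.split(" ")
    if len(parts) == 1:
        return []
    # Each space is a place where the path could be cut and ".exe" appended.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit_services(services):
    """Map service name -> ambiguous prefixes, listing only flagged services."""
    findings = {}
    for name, image_path in services.items():
        amb = ambiguous_prefixes(image_path)
        if amb:
            findings[name] = amb
    return findings


def leftover_bonjour(services):
    """Names of services whose binary lives in a Bonjour directory, i.e. the
    component that can survive an iTunes/iCloud uninstall."""
    return sorted(n for n, p in services.items() if "\\bonjour\\" in p.lower())


if __name__ == "__main__":
    for name, prefixes in audit_services(SAMPLE_SERVICES).items():
        print(f"UNQUOTED SERVICE PATH: {name} -> would also resolve {prefixes}")
    print("Bonjour services still registered:", leftover_bonjour(SAMPLE_SERVICES))
```

On a real Windows host the same functions can be fed the live values by reading each service key's ImagePath with the standard-library `winreg` module; any service reported by `leftover_bonjour` after iTunes or iCloud has been removed is the orphaned component the article says must be removed or updated by hand.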
The BitPaymer ransomware was first spotted in the summer of 2017 when it hit multiple Scottish hospitals. It’s a type of ransomware used in so-called “big game hunting” attacks, where crooks target one single large organization to infect and request large ransom payments, instead of mass-spamming thousands of home consumers who can’t usually meet the ransom demands.