Researchers detected a new BitPaymer ransomware campaign that exploited an Apple zero-day vulnerability to target Windows users.

In August 2019, according to Morphisec, threat actors began using a new evasion technique to target an automotive organization with BitPaymer ransomware. This tactic consisted of exploiting a zero-day vulnerability in the Apple Software Update utility that’s packaged together with iTunes on Windows computers.

Specifically, they abused an unquoted path vulnerability that other vendors have identified over the past 15 years. Security researchers have typically spoken of this flaw in terms of privilege escalation, since it usually exists within a service like the Apple Software Update utility that has administrative execution rights.

By exploiting this vulnerability, the attackers helped their campaign evade detection in two important ways. First, they leveraged a signed and known program to execute a malicious child process, meaning that any security alert would have lower confidence than if they had leveraged Apple Software Update. The malicious “Program” file also didn’t come with an extension like .EXE, which means antivirus companies won’t generally scan those files.

BitPaymer’s Recent Attack Activity

In April 2019, Trend Micro observed an attack that leveraged an account with administrative privileges to target a U.S. manufacturing company with BitPaymer via PSExec.

Then, in July, Morphisec revealed that the ransomware had begun leveraging a new custom packer framework to target at least 15 U.S. organizations in both the public and private sectors.

Just a few days later, CrowdStrike identified an apparent fork in the ransomware family’s development when researchers found a new ransomware called DoppelPaymer using most of BitPaymer’s source code.

Secure Your Environment Against a Zero-Day Vulnerability

Security professionals can help defend against a zero-day vulnerability by adopting a vulnerability management program that combines strong perimeter protection and system hardening. Organizations should also consider investing in a comprehensive vulnerability management solution that integrates with their security information and event management (SIEM), network monitoring and other solutions.