The flaw (CVE-2021-30713) could allow cybercriminals to bypass the Transparency, Consent, and Control (TCC) framework, which is the system in charge of prompting Apple users when an application attempts to perform an action requiring their explicit permission. For instance, TCC is behind the prompts that ask users if video collaboration software can access their devices’ webcams and microphones. Once users give consent, the application is given permission to carry out the action via the system preferences. Researchers discovered a module written in AppleScript - Apple’s scripting language - that was being used to bypass TCC protections. The module hunted out applications with permissions to capture screenshots, and then used the mdfind command - Apple’s find routine, which searches for files based on their contents as stored in the Spotlight index - to check if the application IDs are installed on the victim’s device.
"By leveraging an installed application with the proper permissions set, the attacker can piggyback off that donor app when creating a malicious app to execute on victim devices, without prompting for user approval," said Stuart Ashenbrenner, Jaron Bradley and Ferdous Saljooki with Jamf. The malware, already installed on victims' systems, was using the bypass flaw to take screenshots of users' desktops without requiring additional permissions.
Researchers with Jamf, who discovered the vulnerability, said in a Monday analysis that they uncovered the flaw being abused by attackers while analyzing the XCSSET malware.
The vulnerability could allow attackers to access various sensitive application permissions without victims' consent - enabling them to secretly take screenshots or record videos of victims' screens, for instance.
Apple has released a patch in its latest version of macOS, Big Sur version 11.4, addressing an actively exploited flaw.