Tuesday, May 13, 2025
HomeAppleApple iTunes for Windows Zero-day Exploited by BitPaymer Ransomware

Apple iTunes for Windows Zero-day Exploited by BitPaymer Ransomware

Published on

SIEM as a Service

Follow Us on Google News

Researchers found a new footprint about the recent BitPaymer ransomware campaign that was exploited the Apple iTunes for Windows Zero-day vulnerability to attacker public and private sectors across the U.S.

Threat actors took advantage of a zero-day vulnerability that resides in the Bonjour Updater that comes packaged with iTunes for Windows and abused the unquoted path vulnerability to evade the detection and maintain the persistence.

Bonjour is an updater mechanism used by Apple to deliver future updates, and it has a separate installation entry to perform a scheduled task.

- Advertisement - Google News

The BitPaymer ransomware attack was targeting the industries such as finance, agriculture, technology, and is targeting at least 15 organizations.

The unquoted path vulnerability is one of the rarely seen flaws and is well known in the cybersecurity industry for 15 years, which often the vulnerability is used to perform a privilege escalation attack since it exists in a process with admin rights.

 “Software developers are using more and more object-oriented programming, and many times when assigning a variable with a path, they assume that using the String type of the variable alone is enough – well it’s not! The path still needs to be surrounded by quotes (“\\”).” Morphisec researchers says in Blog post.

BitPaymer Ransomware Attack Surface in Bonjour 

Windows users unaware that they need to separately uninstall the Bonjour component when uninstalling the iTunes, but if it is failed to uninstall, then the machine has still allowed the updater task where the vulnerability resides.

Morphisec researchers found that the Bonjour updater is installed on a large number of computers across different enterprises even after they uninstall iTunes from their system.

But Bonjour component remains silently in the system without updates and working in the background. This attack surface motivates attackers to choose this process for evasion.

“As many detection solutions are based on behavior monitoring, the chain of process execution (parent-child) plays a major role in alert fidelity. If a legitimate process signed by a known vendor executes a new malicious child process, an associated alert will have a lower confidence score than it would if the parent was not signed by a known vendor.”

In this case, attackers taking advantage of the presence of Bonjour to perform an attack since the Bonjour component is signed, and known which help to remain undetected.

Basically, a malicious “program” doesn’t come with .exe extension which doesn’t fall under the security software scanning since it tends to scan only specific file extensions to prevent the infection.

“Bonjour was trying to run from the “Program Files” folder, but because of the unquoted path, it instead ran the BitPaymer ransomware since it was named “Program”. This is how the zero-day was able to evade detection and bypass AV.”

Bonjour updater zero-day vulnerability mainly used to evade detection, and there is no evidence found that the BitPaymer ransomware neither writes any files on victims machine nor escalate any privileges.

 Apple patched the vulnerability in both iTunes 12.10.1 for Windows and iCloud for Windows 7.14.  users are highly recommended to update the new version to prevent a future attacks.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Researchers Uncover Remote IT Job Fraud Scheme Involving North Korean Nationals

The United States indicted fourteen North Korean nationals for orchestrating a sophisticated scheme to...

Attackers Leverage Unpatched Output Messenger 0‑Day to Deliver Malicious Payloads

A Türkiye-affiliated espionage threat actor, tracked by Microsoft Threat Intelligence as Marbled Dust (also...

Cobalt Strike 4.11.1 Released With SSL Checkbox Fix

Cobalt Strike has announced the release of version 4.11.1, an out-of-band update addressing several...

Apple Releases Security Patches to Fix Critical Data Exposure Flaws

Apple released critical security updates for macOS Sequoia 15.5 on May 12, 2025, addressing...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Apple Releases Security Patches to Fix Critical Data Exposure Flaws

Apple released critical security updates for macOS Sequoia 15.5 on May 12, 2025, addressing...

Cybercriminals Hide Undetectable Ransomware Inside JPG Images

A chilling new ransomware attack method has emerged, with hackers exploiting innocuous JPEG image...

Defendnot: A Tool That Disables Windows Defender by Registering as Antivirus

Cybersecurity developers have released a new tool called "defendnot," a successor to the previously...