New Mac malware is being developed targeting a recently discovered macOS Gatekeeper security flaw. The malware in question is known as OSX/Linker, and it has been analyzed by Intego security researcher Joshua Long.
OSX/Linker Malware: what we know so far
The new malware leveragesa known Gatekeeper vulnerability which was disclosed in May by Filippo Cavallarin. The bug could allow a malicious binary downloaded from the internet to bypass Gatekeeper’s scanning process. “On MacOS X version <= 10.14.5 (at time of writing) it is possible to easily bypass Gatekeeper in order to execute untrusted code without any warning or user's explicit permission,” the researcher wrote in May upon his discovery.
It’s noteworthy that it’s in Gatekeeper’s design to accept both external drives and network shares as safe location, allowing apps that they contain to run flawlessly. However, by putting together two legitimate features of macOS, it is possible to deceive the Gatekeeper and its “intended behavior”.
How would an attack based on the vulnerability work? An attacker could craft a zip file with a symbolic link to an automount hacker-controlled endpoint (ex Documents -> /net/evil.com/Documents) and could send it to a targeted system. The user would download the malicious archive, and would extract the malicious file without suspecting anything.
This involved putting a symlink in an archive file and linking it back to a malicious Network File System server. The researcher discovered that Gatekeeper wouldn’t scan these specific files, allowing users to execute the symlinks. In case of malicious symlinks, attackers could run malicious code on vulnerable systems.
In the beginning of June, Intego’s malware research team discovered the first known (ab)use of Cavallarin’s vulnerability, which appears to have been used as a test in preparation for distributing malware.
Although Cavallarin’s vulnerability disclosure specifies a .zip compressed archive, the samples analyzed by Intego were actually disk image files. It seems that malware makers were experimenting to see whether Cavallarin’s vulnerability would work with disk images, too.
The security company observed four samples that were uploaded to VirusTotal on June 6, seemingly within hours of the creation of each disk image. All of them linked to one particular application on an Internet-accessible NFS server.
So far, the researchers’ theory is that the malware maker was “merely conducting some detection testing reconnaissance“. Nonetheless, this is another reminder that malware developers are actively experimenting with new methods to bypass Apple’s built-in protection mechanisms.