Malware, Vulnerability Management

New OSX/Linker malware created to exploit bypass bug in macOS X Gatekeeper

Mac researchers have discovered a new malware program designed to specifically exploit a recently disclosed zero-day bypass vulnerability in macOS X Gatekeeper, which has still yet to be patched.

Dubbed OSX/Linker, the malware appears to be crafted by the same developers behind OSX/Surfbuyer, an adware program that also targets Mac users, according to Joshua Long, chief security analyst at Intego in a June 24 company blog post.

Gatekeeper is a feature that enforces code signing and verifies downloaded applications prior to them running on a system. However, on May 24 independent researcher Filippo Cavallarin publicly disclosed that actors could sneak malicious apps past Gatekeeper's protections by hosting these apps on an attacker-controlled Network File System (NFS) server, then creating a symbolic link (aka symlink) to that app, and then fooling prospective victims into downloading a .zip archive containing that symlink.

This trick works because macOS assumes that apps loaded from a network share and external drives – as opposed to the internet – are safe to run.

Intego researchers found four samples of OSX/Linker uploaded to VirusTotal on June 6. But instead of using a .zip archive containing a symlink, the developers instead opted to use disk image files disguised as Adobe Flash Player installers, perhaps to determine if the exploit would still work. All four samples were linked to an app hosted on an internet-accessible NFS server owned by Softlayer (part of IBM Cloud).

The app has since been removed, for reasons unknown. However, further investigation revealed that the app appeared to be "a placeholder that did not do much other than create a temporary text file," Long said. For this reason, Intego researchers believe that at the time of discovery, the developers likely "were merely conducting some detection testing reconnaissance." However, the threat could have become more serious had the developers replaced the innocuous app with something more malicious.

Each VirusTotal sample was uploaded within hours of the creation of its corresponding disk image, which, depending on the sample, was either an ISO 966- image with a .dmg file name or an actual Apple Disk Image format .dmg file. The disk images were found impersonating Adobe Flash Player installers – a common disguise used in malware schemes.

"It is not clear whether any of these specific disk images were ever part of an in-the-wild malware campaign," Long reported. "It is possible that these disk images, or subsequent disk images, may have been used in small-scale or targeted attacks, but so far this remains unknown."

Intego has linked OSX/Linker to the authors of OSX/Surfbuyer because the fourth disk image was code-signed by an Apple Developer ID that over the last three months has been used to sign hundreds of other fake Flash Player files associated with the Surfbuyer adware family. According to Long, Apple took steps to revoke the developer's certificate after being informed of the scam.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.