Threat actors are actively exploiting a recently disclosed macOS Gatekeeper flaw to deploy a new malware named OSX/Linker. The new malware has been tied to the same group that operates the OSX/Surfbuyer adware.
What is the Gatekeeper bypass flaw?
In late May, security researcher Filippo Cavallarin disclosed a bug in Gatekeeper that lets an attacker run a malicious binary without it ever being checked by Gatekeeper.
The trick involves packing a symlink (symbolic link) inside an archive file and getting a victim to download and open it. The symlink points to a path on an attacker-controlled Network File System (NFS) server.
Cavallarin found that Gatekeeper treats files reached this way as trusted and does not check them, so the user can launch whatever the symlink points to as if it were a vetted local app. The malicious payload therefore never needs to be inside the archive; the attacker serves it from the NFS share.
All macOS versions up to and including 10.14.5, the latest release at the time of writing, are affected, and Apple is yet to release a patch to address the flaw.
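One check a defender can run on inbound archives is to look for symlink entries whose targets leave the archive, especially ones that point at a network or external mount. The script below is an added example, not code from the original article or from Intego: it parses a zip archive in memory, pulls out the Unix mode that zipfile stores in the upper 16 bits of each entry's external attributes, and flags symlinks with absolute targets. The prefixes it treats as network mounts (/net/ for the macOS automounter, /Volumes/ for mounted shares and images) and the host, share and file names in the constructed sample archive are assumptions for the example, not details from the article.

```python
import io
import stat
import zipfile

# Path prefixes that resolve to network or external mounts on macOS.
# /net/<host>/<export> is the automounter path; /Volumes/ is where mounted
# shares and disk images appear. Assumed starting list; extend for your fleet.
NETWORK_PREFIXES = ("/net/", "/Volumes/")


def zip_symlinks(data: bytes):
    """Yield (member_name, link_target) for every symlink entry in a zip archive.

    zipfile does not expose symlinks directly: the Unix mode lives in the high
    16 bits of external_attr, and the member's "content" is the link target.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode("utf-8", "replace")
                yield info.filename, target


def find_suspicious_symlinks(data: bytes):
    """Return (name, target, reason) for symlinks whose target leaves the archive.

    A relative target that stays inside the archive is normal packaging; an
    absolute target is unusual, and one on a network mount is the pattern the
    Gatekeeper bypass relies on.
    """
    hits = []
    for name, target in zip_symlinks(data):
        if target.startswith(NETWORK_PREFIXES):
            hits.append((name, target, "network or external mount"))
        elif target.startswith("/"):
            hits.append((name, target, "absolute path outside archive"))
    return hits


def build_sample_archive() -> bytes:
    """Construct, in memory, a lure archive of the kind described above.

    The host address, export name and app name are made up for this example.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A harmless regular file, for contrast.
        zf.writestr("README.txt", "Open the installer to continue")
        # A relative symlink that stays inside the archive: benign packaging.
        inner = zipfile.ZipInfo("Installer")
        inner.external_attr = (stat.S_IFLNK | 0o755) << 16
        zf.writestr(inner, "README.txt")
        # The lure: a symlink whose target is an app on an NFS export reached
        # through the automounter. The archive itself carries no payload.
        link = zipfile.ZipInfo("Flash Player Installer.app")
        link.external_attr = (stat.S_IFLNK | 0o755) << 16
        zf.writestr(link, "/net/203.0.113.10/export/Installer.app")
    return buf.getvalue()


if __name__ == "__main__":
    for name, target, reason in find_suspicious_symlinks(build_sample_archive()):
        print(f"{name!r} -> {target!r}: {reason}")
```

The same mode test works on tar archives via `tarfile` (`TarInfo.issym()` and `linkname`), which is the other common wrapper for this lure; the check belongs wherever archives are unpacked before a user can double-click their contents.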
How is the Gatekeeper flaw abused in the wild?
While investigating the bug, Joshua Long, Chief Security Analyst at Mac security software maker Intego, found the first known in-the-wild use of Cavallarin’s vulnerability.
The OSX/Linker samples were distributed as disk image files disguised as Adobe Flash Player installers, one of the most common lures used to distribute malware on Mac systems.
“The disk image files were either an ISO 9660 image with a .dmg file name, or an actual Apple Disk Image format .dmg file, depending on the sample. Normally, an ISO image has a .iso or .cdr file name extension, but .dmg (Apple Disk Image) files are much more commonly used to distribute Mac software,” said the blog post.
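Because the samples shipped as ISO 9660 images carrying a .dmg name, the file extension alone is not a reliable signal. The helper below is an added example, not part of the original article or Intego's tooling: it identifies the image format from on-disk structures, an ISO 9660 primary volume descriptor at sector 16 (type byte 1 followed by the identifier CD001) or the 512-byte UDIF trailer beginning with koly at the end of an Apple Disk Image, and reports when the extension disagrees. The sample images it builds are constructed byte strings, not real malware samples.

```python
import os

ISO_PVD_OFFSET = 16 * 2048          # primary volume descriptor sits at sector 16
ISO_IDENTIFIER = b"CD001"
UDIF_TRAILER_LEN = 512              # Apple Disk Image "koly" trailer is 512 bytes


def identify_disk_image(data: bytes) -> str:
    """Classify image bytes as 'iso9660', 'udif-dmg' or 'unknown' by structure."""
    pvd = data[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 6]
    if len(pvd) == 6 and pvd[0] == 1 and pvd[1:] == ISO_IDENTIFIER:
        return "iso9660"
    trailer = data[-UDIF_TRAILER_LEN:]
    if len(trailer) == UDIF_TRAILER_LEN and trailer.startswith(b"koly"):
        return "udif-dmg"
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return (extension, detected format) when the name and content disagree, else None."""
    ext = os.path.splitext(filename)[1].lower()
    fmt = identify_disk_image(data)
    expected = {".dmg": "udif-dmg", ".iso": "iso9660", ".cdr": "iso9660"}.get(ext)
    if expected is not None and fmt != expected:
        return ext, fmt
    return None


def build_iso_sample() -> bytes:
    """Construct a minimal ISO 9660-shaped blob: zeros plus a primary volume descriptor."""
    img = bytearray(ISO_PVD_OFFSET + 2048)
    img[ISO_PVD_OFFSET] = 1                      # descriptor type: primary
    img[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] = ISO_IDENTIFIER
    return bytes(img)


def build_dmg_sample() -> bytes:
    """Construct a minimal UDIF-shaped blob: some body bytes plus a koly trailer."""
    trailer = b"koly" + bytes(UDIF_TRAILER_LEN - 4)
    return bytes(4096) + trailer


if __name__ == "__main__":
    for name, blob in [("FlashPlayer.dmg", build_iso_sample()),
                       ("FlashPlayer.dmg", build_dmg_sample())]:
        print(name, identify_disk_image(blob), extension_mismatch(name, blob))
```

Run over a download directory, the mismatch case ("a .dmg that is really an ISO") is worth a closer look; a genuine .dmg can also be wrapped in other containers, so treat "unknown" as a prompt to inspect rather than a verdict.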
Who created OSX/Linker disk images?
Intego observed four samples of OSX/Linker that were uploaded to VirusTotal on June 6. All of them were symlinked to a single application on an internet-accessible NFS server.
The first sample was uploaded from an IP address in Israel, while the other three appeared to be uploaded from the United States.
“Since each successive file was uploaded a short time after each previous one, it seems reasonable to speculate that all four files may have been uploaded by the same person, who forgot to mask his or her IP address until after uploading the first sample,” added Long.