OSX/Linker, a new piece of Mac malware that exploits Gatekeeper bypass

Mac security software firm Intego has spotted a new Mac malware dubbed OSX/Linker that exploits a recently disclosed macOS Gatekeeper vulnerability.

Experts at Mac security software firm Intego discovered a new piece of Mac malware dubbed OSX/Linker that exploits a recently disclosed macOS Gatekeeper bypass vulnerability.

The Apple Gatekeeper is designed to protect OS X users by performing a number of checks before allowing an App to run. In fact, you will not be able to execute code that wasn’t signed by an Apple developer, you will not be able to run apps that weren’t downloaded from Apple’s store if the device is not jailbreaked of course.

Researchers speculate the Linker malware has the same authors of the OSX/Surfbuyer adware.

In late May, the Italian security researcher Filippo Cavallarin demonstrated how to bypass the macOS Gatekeeper by leveraging trust in network shares.

Cavallarin demonstrated how to bypass Gatekeeper and execute untrusted code without user explicit permission and any warning to the victims.

Gatekeeper considers both external drives and network shares as safe locations, this means that any application in these locations could run without asking for the user’s consent.

In late May, security researcher Filippo Cavallarin disclosed a bug in Gatekeeper that would allow a malicious binary downloaded from the Internet to bypass the Gatekeeper scanning process.

The attacker would need to leverage two legitimate features implemented in macOS, the automount (aka autofs) and the lack of specific checks.

The autofs feature allows a user to automatically mount a network share by accessing a “special” path, in this specific case any path beginning with “/net/” (i.e. /net/evil-attacker.com/sharedfolder/).

The second feature that was exploited to include within ZIP archives symbolic links pointing to arbitrary locations, in this case, automount endpoints.

Cavallarin discovered that the software responsible for decompressing the ZIP archives does not perform any check on the symlinks.

An attacker can create a ZIP file containing a symbolic link to an automount endpoint under their control and send it to the victim. The attack scenario sees the victim downloading the archive and follows the symlink, they are redirected to the location controlled by the attacker that is also trusted by Gatekeeper. 

Below a video PoC of the attack:

The Gatekeeper bypass flaw affects all macOS versions, including the latest one (ver. 10.14.5), and Apple has yet to release an update to address the issue.

Cavallarin reported the vulnerability to Apple on February 22, but Apple missed a 90-days deadline and is no longer responding to the emails of the expert.

Unfortunately, vxers are already working on the includes the exploit code in their malware. Intego experts already analyzed some malware samples that appear as a sort of test for the exploiting of the Gatekeeper bypass.

The disk image files were either an ISO 9660 image with a .dmg file name, or an actual Apple Disk Image format .dmg file.

“Intego observed four samples that were uploaded to VirusTotal on June 6, seemingly within hours of the creation of each disk image, that all linked to one particular application on an Internet-accessible NFS server.” reads the analysis published by Intego.

“Each of the four files were uploaded anonymously, meaning the user was not signed into a VirusTotal account.”

All the OSX/Linker malware samples analyzed by the experts were disguised as Adobe Flash Player installers, a circumstance that suggests they were actual malware payload testing.

At the time of writing, OSX/Linker malware samples haven’t been observed in the wild yet.

Intego notified Apple of the OSX/Surfbuyer adware gang abusing an Apple Developer ID to sign their malicious OSX/Linker samples in order to allow the tech giant to revoke the abused certificate.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – OSX/Linker, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]