New Mac malware abuses recently disclosed Gatekeeper zero-day

Researchers find new OSX/Linker malware abusing still-unpatched macOS Gatekeeper bypass.
Written by Catalin Cimpanu, Contributor

Mac malware developers have jumped on a recently disclosed macOS Gatekeeper vulnerability and are actively developing malware that abuses it.

The new malware has been named OSX/Linker and has been tied to the same group that operates the OSX/Surfbuyer adware, according to an investigation carried out by Joshua Long, Chief Security Analyst for Mac security software maker Intego.

The unpatched Gatekeeper bypass

The new OSX/Linker malware abuses a security flaw disclosed in Gatekeeper, the macOS security mechanism that checks apps downloaded from the Internet before allowing them to run.

In late May, security researcher Filippo Cavallarin disclosed a bug in Gatekeeper that would allow a malicious binary downloaded from the Internet to bypass the Gatekeeper scanning process.

The trick involved packing a symlink (symbolic link) inside an archive file and pointing it at a path on an attacker-controlled Network File System (NFS) share, which macOS mounts automatically when the path is accessed.

Cavallarin found that Gatekeeper treats network shares as trusted locations and does not check apps that reside on them, so a user who opens the symlink runs whatever the attacker placed on the share. If that target is malicious, the attacker gets code execution on the victim's Mac without any Gatekeeper warning.
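As an added illustration (not part of the original report, Intego's findings, or Cavallarin's proof-of-concept), the following Python script shows the check a defender can run on a downloaded archive before opening it: list every symlink member and flag those whose target points at a macOS automounter path (/net/ or /Network/), an absolute path, or a location outside the archive. It inspects a zip, the container Cavallarin's proof-of-concept used; the sample archive, its member names and the 192.0.2.10 host address are constructed here for demonstration and are not taken from any real OSX/Linker sample.

```python
"""Scan a zip archive for symlink members whose targets leave the archive,
in particular macOS automounter paths (/net/<host>/... or /Network/...).
Added example; the sample archive below is constructed inline."""
import io
import posixpath
import stat
import zipfile

# macOS automounter roots the symlink-to-NFS trick relies on (assumed list)
AUTOMOUNT_PREFIXES = ("/net/", "/Network/")


def _is_symlink(info: zipfile.ZipInfo) -> bool:
    # Unix mode bits live in the high 16 bits of external_attr
    return stat.S_ISLNK(info.external_attr >> 16)


def find_suspicious_symlinks(zip_bytes: bytes):
    """Return (member, target, reason) for every symlink whose target leaves
    the archive: automounted network share, absolute path, or '..' escape."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not _is_symlink(info):
                continue
            # a symlink member's stored "content" is its target path
            target = zf.read(info).decode("utf-8", "replace")
            if target.startswith(AUTOMOUNT_PREFIXES):
                reason = "automount"
            elif target.startswith("/"):
                reason = "absolute"
            else:
                resolved = posixpath.normpath(
                    posixpath.join(posixpath.dirname(info.filename), target))
                if resolved == ".." or resolved.startswith("../"):
                    reason = "escapes-archive"
                else:
                    continue  # relative link that stays inside the archive
            findings.append((info.filename, target, reason))
    return findings


def _add_symlink(zf: zipfile.ZipFile, name: str, target: str) -> None:
    """Write a symlink member: Unix host, S_IFLNK mode, target as content."""
    info = zipfile.ZipInfo(name)
    info.create_system = 3  # Unix, so the mode bits are meaningful
    info.external_attr = (stat.S_IFLNK | 0o755) << 16
    zf.writestr(info, target)


def build_sample_zip() -> bytes:
    """Constructed test archive (hypothetical names; 192.0.2.10 is a
    documentation address, not a real server)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "not a symlink\n")
        _add_symlink(zf, "Flash Player.app", "/net/192.0.2.10/share/payload.app")
        _add_symlink(zf, "docs", "/Users/Shared/docs")
        _add_symlink(zf, "up", "../../Applications/Safari.app")
        _add_symlink(zf, "notes", "readme.txt")  # harmless, stays inside
    return buf.getvalue()


if __name__ == "__main__":
    for member, target, reason in find_suspicious_symlinks(build_sample_zip()):
        print(f"{reason:16} {member} -> {target}")
```

Run against a real download with `find_suspicious_symlinks(open("file.zip", "rb").read())`; any "automount" hit is exactly the pattern described above and the archive should not be opened. Note that a clean result only covers this one trick: the check says nothing about the files themselves, and it does not apply to disk images, which need to be mounted and inspected separately.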

All macOS versions are affected, including the latest 10.14.5, and Apple has yet to release a patch to this day, a full month after Cavallarin's public disclosure.

Gatekeeper bypass zero-day abused in the wild

But if Apple didn't seem to care about this bug, malware authors sure did. Long said that in early June he found malware samples testing various ways of abusing the Gatekeeper bypass for malware distribution.

The malware samples looked like tests, but they were signed with certificates previously used by the OSX/Surfbuyer adware gang.

Some changes were made from the proof-of-concept code published by Cavallarin, but the samples would still have ended with users' computers being compromised, according to Intego's report.

Furthermore, all "test" OSX/Linker malware samples were disguised as Adobe Flash Player installers, "which is one of the most common ways malware creators trick Mac users into installing malware," according to Long, who suggested that these weren't just tests carried out by security researchers, but actual malware payload testing.

No OSX/Linker sample beyond these test builds has been observed in the wild yet, but that does not mean none is circulating right now.

Long said he notified Apple of the OSX/Surfbuyer adware gang abusing an Apple Developer ID to sign their malicious OSX/Linker samples, and the OS maker is in the process of revoking the abused certificate.

This is also not the first time Long and Intego have discovered malware abusing a Gatekeeper bypass to sneak past macOS' defenses. In February 2018, Intego found that a new version of the OSX/Shlayer malware was abusing a Gatekeeper bypass to infect macOS users.
