OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass

Last week, Intego researchers discovered new Mac malware, OSX/Linker, that attempts to leverage a recently disclosed zero-day flaw in macOS' Gatekeeper protection.

Let's examine what we know about this latest Mac malware campaign.

Before digging into the OSX/Linker malware, it would be helpful, for context, to discuss the "MacOS X GateKeeper Bypass" vulnerability that was publicly disclosed by Filippo Cavallarin on May 24. Gatekeeper is a technology included in macOS that is supposed to check apps downloaded from the Internet for either a revoked developer signature or for certain specific malware that Apple chooses to detect, before allowing an app to run.

The more technical explanation: Cavallarin noted that macOS treats apps loaded from a network share differently than apps downloaded from the Internet. By creating a symbolic link (or "symlink"—similar to an alias) to an app hosted on an attacker-controlled Network File System (NFS) server, and then creating a .zip archive containing that symlink and getting a victim to download it, the app would not be checked by Apple's rudimentary XProtect bad-download blocker.

The simpler explanation: This trick makes it easier for malware to infect a Mac—even if Apple has a built-in signature that's supposed to protect your Mac from that malware.
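The artifact the technique above leaves behind is a .zip archive containing a symbolic link whose target lives on a network share rather than inside the archive. The following script is an added example, not Intego's code or any tool the article mentions: it inspects a zip file without extracting it, identifies symlink entries by their Unix mode bits, and flags targets that point at a network mount, at an absolute path, or out of the archive directory. It assumes the macOS autofs automount prefix `/net/` for NFS targets (not stated on the page), and the sample archive it scans is constructed in memory with a placeholder host name.

```python
import io
import stat
import zipfile

# Target prefixes that indicate a link to a network location rather than to a
# file inside the archive. /net/ is the macOS autofs NFS automount prefix
# (assumption: the page does not name the mount path); the others are
# included so the check generalises to other share types.
NETWORK_PREFIXES = ("/net/", "/Volumes/", "smb://", "afp://", "nfs://")


def build_sample_zip(entries):
    """Construct a zip archive in memory for offline testing.

    entries: list of (name, payload, is_symlink). For a symlink the payload
    is the link target; zip stores that target as the entry's data and marks
    the entry with S_IFLNK in the high 16 bits of external_attr.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload, is_symlink in entries:
            info = zipfile.ZipInfo(name)
            mode = (stat.S_IFLNK | 0o755) if is_symlink else (stat.S_IFREG | 0o644)
            info.external_attr = mode << 16
            zf.writestr(info, payload)
    return buf.getvalue()


def is_symlink_entry(info):
    """True if the zip entry was stored as a Unix symbolic link."""
    return stat.S_ISLNK(info.external_attr >> 16)


def classify_target(target):
    """Return a reason string if the symlink target is suspicious, else None."""
    if target.startswith(NETWORK_PREFIXES):
        return "points to network/automount path"
    if target.startswith("/"):
        return "absolute path outside the archive"
    if ".." in target.split("/"):
        return "escapes the archive directory"
    return None


def find_suspicious_symlinks(zip_bytes):
    """Scan archive bytes; return [(entry name, link target, reason), ...]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_symlink_entry(info):
                continue
            # The entry's data is the link target; nothing is extracted to disk.
            target = zf.read(info).decode("utf-8", "replace")
            reason = classify_target(target)
            if reason:
                findings.append((info.filename, target, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample: one benign file, one relative link, and one link to
    # an app on a placeholder NFS host reached through the automount prefix.
    sample = build_sample_zip([
        ("README.txt", "plain file, not a link", False),
        ("docs-link", "docs/readme.txt", True),
        ("Installer.app", "/net/nfs-host.example/share/Installer.app", True),
    ])
    for name, target, reason in find_suspicious_symlinks(sample):
        print(f"{name} -> {target}: {reason}")
```

Run on a downloaded archive with `find_suspicious_symlinks(open(path, "rb").read())`; a hit on a link target under a network mount is the pattern worth quarantining, since the linked app is not the archive's own content and will not have been checked the way a downloaded app would.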

Cavallarin says that he reported the vulnerability to Apple on February 22, and Apple told him that the issue would be fixed within 90 days—but Apple missed its deadline, and Cavallarin believed that Apple was no longer responding to his e-mails, so he released his findings publicly via his blog.

For the full article, visit Intego's blog.