Mac malware developers have got to know about recently disclosed macOS Gatekeeper vulnerability and are actively developing malware that abuses it.

Intego team last week discovered four samples of new macOS malware on VirusTotal that leverage the GateKeeper bypass vulnerability to execute untrusted code on macOS without displaying users any warning or asking for their permission.

The new malware has been named OSX/Linker and has been tied to the same group that operates the OSX/Surfbuyer adware, according to an investigation carried out by Joshua Long, Chief Security Analyst for Mac security software maker Intego.

UNPATCHED GATEKEEPER BYPASS VULNERABILITY for MacOS

The Recently developed OSX/Linker malware abuses a security flaw that was disclosed in Gatekeeper, a macOS security system that enforces code signing and verifies downloaded applications before allowing them to run, helping users protect their systems from malware and other malicious software.

That means, if you download an application from the Internet, GateKeeper will only allow it to execute without any warnings if it has been signed with a valid Apple-issued Device Certificate, otherwise will prompt you to allow or deny the execution of that software.

Video Below :

Filippo Cavallarin found that Gatekeeper wouldn’t scan these types of files, and would allow users to execute the symlinks. If the symlinks were malicious, attackers could run harmful code on victims’ macOS systems.

All macOS versions are affected, including the latest 10.14.5, and Apple has yet to release a patch to this day, a full month after Cavallarin’s public disclosure.

Way to exploit this behavior by combining it with two other legitimate features of macOS operating system, which are:

  • zip archives can contain symbolic links pointing to an arbitrary location, including automount endpoints
  • automount feature on macOS can automatically mount a network share from a remote server just by accessing it with a “special” path i.e. , beginning with “/net/” .

As shown in the demonstrated video , Cavallarin created a ZIP file with a symbolic link to an attacker-controlled network share that macOS will automount.

Once a victim opens the ZIP archive and follows the link, he will navigate to the attacker-controlled network share that’s trusted by Gatekeeper, tricking the victim into running malicious executable files without any warning pop up from Gatekeeper

No actual OSX/Linker malware has been observed in the wild yet; however that doesn’t mean it’s not happening right now.

"The way Finder is designed (ex hide .app extensions, hide full path from title bar) makes this technique very effective and hard to spot," the researcher says.

Until Apple patches this issue, researcher advised network administrators to block NFS communications with external IP addresses, and for home users to not open email attachments from an unknown, suspicious, or untrustworthy sources.

LEAVE A REPLY

Please enter your comment!
Please enter your name here