Delaware, USA – June 25, 2019 – Researchers have discovered the first OSX/Linker malware samples exploiting the unpatched vulnerability in Gatekeeper, for which a proof of concept has been publicly available for more than a month. Security researcher Filippo Cavallarin published the PoC on his blog after the 90-day deadline had elapsed since he notified Apple of the vulnerability and the company stopped responding to his emails. Adversaries can pack symbolic links that point to their own Network File System (NFS) server; Gatekeeper does not scan such files and allows the link to be executed, which can lead to malicious code running on macOS.
OSX/Linker malware exploits this zero-day vulnerability to download and execute code from an attacker’s server. Intego researchers found 4 malware samples that were uploaded to VirusTotal in early June at intervals of several minutes. One of the samples was signed with an Apple Developer ID, which allowed researchers to link this malware to the creators of OSX/Surfbuyer adware. This is also confirmed by the fact that the malware is disguised as an Adobe Flash Player installer. So far, researchers have not recorded attacks in the wild, but it is possible that OSX/Linker was used in a targeted attack or is still under development. Although there is far less malware for macOS than for Windows, attackers constantly look for, and find, ways to bypass Gatekeeper and infect macOS systems.
To protect against this vulnerability, it is recommended to monitor and investigate connections to public-facing NFS servers. You can also use the Netflow Security Monitor rule pack, which enables real-time traffic profiling of the most commonly used network services, including SSH, email traffic (SMTP, POP3), HTTP/S, DNS, FTP, DB, RDP, NTP, NETBIOS, and other traffic types: https://my.socprime.com/en/integrations/netflow-security-monitor
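One way to act on the recommendation to monitor connections to public-facing NFS servers, given as an added example that is not code from Intego, the researcher, or the rule pack mentioned above: it scans flow records for internal hosts reaching NFS-related ports on external addresses. The record layout, the internal address ranges, and the sample flows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: these ranges are "internal"; adjust to the monitored network.
# An explicit list is used because ipaddress.is_private also covers
# documentation and other special-purpose ranges.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# NFS itself (2049) and rpcbind/portmapper (111), which NFSv3 clients query.
NFS_PORTS = {111, 2049}

# Constructed sample flow export: timestamp,src,dst,dst_port,proto
SAMPLE_FLOWS = """\
2019-06-25T10:00:01Z,10.1.4.22,10.1.0.5,2049,tcp
2019-06-25T10:00:07Z,10.1.4.31,203.0.113.77,2049,tcp
2019-06-25T10:00:09Z,10.1.4.31,203.0.113.77,111,udp
2019-06-25T10:01:12Z,10.1.4.40,198.51.100.9,443,tcp
2019-06-25T10:02:30Z,192.168.7.15,203.0.113.77,2049,tcp
2019-06-25T10:03:00Z,203.0.113.50,10.1.0.5,2049,tcp
"""


def is_internal(addr):
    """True if addr falls inside one of the configured internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def external_nfs_flows(flow_csv):
    """Map each external NFS server to the internal clients that contacted it."""
    hits = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5:          # skip blank or malformed records
            continue
        _ts, src, dst, dport, _proto = row
        if int(dport) not in NFS_PORTS:
            continue
        # Only outbound flows matter here: internal client, external server.
        if is_internal(src) and not is_internal(dst):
            hits[dst].add(src)
    return {server: sorted(clients) for server, clients in hits.items()}


if __name__ == "__main__":
    for server, clients in external_nfs_flows(SAMPLE_FLOWS).items():
        print(f"outbound NFS to external server {server} from: "
              f"{', '.join(clients)}")
```

Internal NFS traffic and inbound connections are left out on purpose, so each hit is a workstation mounting or probing a share outside the network and is worth investigating.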