A new piece of Mac malware exploits an unpatched security vulnerability, disclosed in Apple's macOS Gatekeeper feature, which scans and approves apps downloaded from the Internet before they are allowed to run.
Cybersecurity researchers from Intego discovered four samples of new macOS malware on VirusTotal that leverage the Gatekeeper bypass vulnerability to execute untrusted code on macOS without warning users or asking for their explicit permission.
The new malware, disclosed last month and dubbed OSX/Linker, has not been seen actively exploited in the wild so far and appears to be under development. Although the samples leverage the unpatched Gatekeeper bypass flaw, they do not download any malicious app from the attacker's server.
The malware developers appear to have been conducting detection-testing reconnaissance until last week. Joshua Long of Intego wrote in a blog post that one of the files was signed with an Apple Developer ID, and that it is evident the OSX/Linker disk images were made by the developers of the OSX/Surfbuyer adware.
MacOS Gatekeeper Bypass Vulnerability
Gatekeeper is a security feature in Apple's macOS that enforces code signing and verifies downloaded applications before running them, thereby protecting users' systems from malware and other malicious software.
This means that when you download an application from the Internet, Gatekeeper lets the app execute without any warning only if it has been signed with a valid Apple-issued certificate; otherwise it prompts you to allow or deny the execution.
Gatekeeper treats both external drives and network shares as "safe locations" from which users can run any application without triggering Gatekeeper's checks and prompts.
Filippo Cavallarin, an independent security researcher, disclosed a method to exploit this behavior by combining it with two other legitimate features of macOS, namely zip archives and automount. Zip archives can contain symbolic links pointing to an arbitrary location, and the automount feature can automatically mount a network share from a remote server simply by accessing it through a "special" path, i.e., one beginning with "/net/".
Cavallarin created a ZIP file containing a symbolic link to an attacker-controlled network share that macOS will automount, as shown in his video demonstration.
When a victim opens the ZIP archive and follows the link, they are taken to the attacker-controlled network share, which Gatekeeper trusts, so malicious executables located there run without any warning.
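As an added illustration (not part of the original article, Intego's analysis, or Cavallarin's research), the following Python script shows how a defender could inspect a downloaded ZIP archive for symbolic links whose target lies under the /net/ automount path, or any absolute path, before the archive is extracted or opened. The archive it scans is constructed in memory for the demonstration; the host name example-host, the share path, and the entry names are placeholders.

```python
import io
import stat
import zipfile

# Constructed sample archive (not a real malware sample): one ordinary file plus,
# optionally, a symbolic-link entry whose target is an automount path under /net/.
# The host "example-host" and the share path are placeholders.
def build_sample_archive(include_link: bool = True) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "harmless content\n")
        if include_link:
            info = zipfile.ZipInfo("Installer")
            info.create_system = 3  # 3 = Unix; mode bits live in external_attr
            # The high 16 bits of external_attr carry the Unix mode; mark as symlink.
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            # For a symlink entry, the stored "file data" is the link target.
            zf.writestr(info, "/net/example-host/share/app")
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """True if the archive entry was stored as a Unix symbolic link."""
    mode = info.external_attr >> 16
    return stat.S_ISLNK(mode)


def suspicious_links(archive_bytes: bytes, automount_prefix: str = "/net/"):
    """Return (entry name, link target, reason) for every symlink that points
    under the automount prefix ("automount") or to any absolute path ("absolute").
    Relative symlinks inside the archive are left alone."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_symlink(info):
                continue
            target = zf.read(info).decode("utf-8", "replace")
            if target.startswith(automount_prefix):
                findings.append((info.filename, target, "automount"))
            elif target.startswith("/"):
                findings.append((info.filename, target, "absolute"))
    return findings


if __name__ == "__main__":
    for name, target, reason in suspicious_links(build_sample_archive()):
        print(f"{reason}: {name} -> {target}")
```

A mail gateway or download scanner can apply the same check to real archives by passing the file bytes to suspicious_links(); an "automount" finding means opening the archive in Finder and following the link would reach a network share that Gatekeeper treats as a safe location. The script only reads central-directory metadata and the link target, so it never extracts anything.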
The newly discovered malware samples, however, are not ZIP files but disk image files (.dmg), which suggests the malware developers were experimenting to check whether Cavallarin's technique would also work with disk images.
Cavallarin reported his findings to Apple on February 22 but publicly disclosed them last month after the company failed to patch the issue within 90 days and started ignoring his emails.
Until Apple issues a patch, he advised network administrators to block NFS communications with external IP addresses, and home users not to open email attachments from unknown, suspicious, or untrustworthy sources.