Researchers have discovered never-before-seen Mac malware samples, which they believe are being developed to target a recently-disclosed vulnerability in the MacOS operating system.
The vulnerability, a bypass that was disclosed in May and has yet to be patched by Apple, exists in the MacOS Gatekeeper security feature, which verifies downloaded applications before allowing them to run on Macs. Researchers now say that they have spotted new samples of malware, dubbed OSX/Linker, which they claim are being developed to target the vulnerability.
While researchers said that it is unclear whether any of the malware samples are part of an active campaign, they suspect that the samples are being developed for an imminent exploitation of the vulnerability.
“Early last week, Intego’s malware research team discovered the first known uses of [security researcher Filippo] Cavallarin’s vulnerability, which seem to have been used—at least at first—as a test in preparation for distributing malware,” said Intego researchers in a Monday analysis.
Apple did not respond to a request for comment from Threatpost on the new malware or the existing vulnerability.
The vulnerability in Gatekeeper was disclosed May 24 by security researcher Filippo Cavallarin. The flaw allows malicious code execution on systems running the most recent version of Mojave (10.14.0).
The issue, the researcher said, stems from the fact that Gatekeeper treats apps that are loaded from a network share differently than apps that have been downloaded from the internet.
Essentially, Cavallarin discovered that if an attacker created a symbolic link (a file that contains a reference to another file or directory) that led to an app on an attacker-controlled Network File System (NFS) server, the app would not be verified by the protection feature.
In Cavallarin’s proof of concept, a .zip archive attachment containing the symbolic link (leading to the app) could bypass Gatekeeper’s verification process. All an attacker would need to do is persuade a victim to download the attachment.
The researcher said he reported the flaw to Apple on Feb. 22. While Apple said the issue would be fixed in 90 days, the company missed its deadline, and the researcher then publicly released his findings in May.
Intego researchers said that on June 6 they discovered new malware samples, which they believe are under development in an effort to target the Gatekeeper vulnerability.
While Cavallarin’s proof of concept utilized a .zip compressed archive that victims would download (which had the link to the malicious app), the samples in the wild discovered by researchers instead used disk file images. “It seems that malware makers were experimenting to see whether Cavallarin’s vulnerability would work with disk images, too,” researchers said.
Overall there were four malware-laden disk file images uploaded on VirusTotal. Researchers traced the files back to an NFS server. The app connected to the server has since been removed, but researchers were able to glean more clues about the malware from the disk file images.
The images were either an ISO 9660 image carrying a .dmg file name or an actual Apple Disk Image format .dmg file. Apple Disk Image (.dmg) files are the usual way Mac software is distributed.
The disk images were disguised as Adobe Flash Player installers – a common way that malicious actors trick Mac users into installing malware – and one of the samples was code-signed by an Apple developer ID that has been used to sign hundreds of fake, malicious Flash Player files. These signs indicate that the disk file images are intended for malicious purposes, researchers said.
The Apple developer ID (Mastura Fenny, 2PVD64XRF3) has been reported to Apple, which is in the process of revoking the developer’s certificate. This developer ID has also been used for the OSX/Surfbuyer adware, leading researchers to speculate that the group behind that adware strain may also be linked to this malware.
“Because one of the files was signed with an Apple Developer ID… it is evident that the OSX/Linker disk images are the handiwork of the developers of the OSX/Surfbuyer adware,” they said.
While there is no patch for the Gatekeeper vulnerability, researchers stressed that a mitigation is currently available that involves disabling automount. That mitigation is as follows:
- “Edit /etc/auto_master as root
- Comment the line beginning with ‘/net’
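The following is an added example, not code from Intego, Cavallarin or Threatpost, showing how an administrator can check whether the mitigation above is in place and apply it to an `auto_master` file. The function names (`net_automount_state`, `disable_net_automount`) and the sample map contents are assumptions made for this illustration; the file path is passed as an argument so the functions can be tried against a copy before being run as root against `/etc/auto_master`.

```shell
#!/bin/sh
# Added example: detect and comment out the "/net" automount entry in a
# macOS auto_master map. Run against a copy first; the real file is
# /etc/auto_master and editing it requires root.

# Print "enabled" when an uncommented line beginning with /net exists,
# otherwise "disabled". Leading whitespace is tolerated; a line already
# commented with "#" does not count.
net_automount_state() {
    file="$1"
    if grep -Eq '^[[:space:]]*/net[[:space:]]' "$file"; then
        echo enabled
    else
        echo disabled
    fi
}

# Prefix every active /net line with "#". Written via a temporary file
# and mv rather than "sed -i", because the -i flag differs between the
# BSD sed shipped with macOS and GNU sed. Safe to run more than once.
disable_net_automount() {
    file="$1"
    tmp="$file.tmp.$$"
    sed -E 's@^([[:space:]]*/net[[:space:]])@#\1@' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample modelled on a stock macOS auto_master (assumption;
# spacing is illustrative, the real file uses tabs).
SAMPLE='#
# Automounter master map
#
+auto_master        # Use directory service
/net                -hosts      -nobrowse,hidefromfinder,nosuid
/home               auto_home   -nobrowse,hidefromfinder
/Network/Servers    -fstab
/-                  -static'

# Demonstration on a throwaway copy, cleaned up afterwards.
demo_file="${TMPDIR:-/tmp}/auto_master.demo.$$"
printf '%s\n' "$SAMPLE" > "$demo_file"
echo "before: $(net_automount_state "$demo_file")"
disable_net_automount "$demo_file"
echo "after:  $(net_automount_state "$demo_file")"
rm -f "$demo_file"
```

To check a live system, run `net_automount_state /etc/auto_master`; the mitigation is only effective once the state reports "disabled" and the automounter has reloaded the map, so verify the state again after the remaining steps of the procedure have been completed.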