Cybersecurity researchers from Intego are warning about possible active exploitation of an unpatched security vulnerability in Apple’s macOS Gatekeeper security feature details and PoC for which were publicly disclosed late last month.
Intego team last week discovered four samples of new macOS malware on VirusTotal that leverage the GateKeeper bypass vulnerability to execute untrusted code on macOS without displaying users any warning or asking for their explicit permission.
However, the newly discovered malware, dubbed OSX/Linker, has not been seen in the wild as of now and appears to be under development. Though the samples leverage unpatched Gatekeeper bypass flaw, it does not download any malicious app from the attacker’s server.
According to Joshua Long from Intego, until last week, the “malware maker was merely conducting some detection testing reconnaissance.”
“One of the files was signed with an Apple Developer ID (as explained below), it is evident that the OSX/Linker disk images are the handiwork of the developers of the OSX/Surfbuyer adware,” Long said in a blog post.
However, since the malware sample links to a remote server from where it downloads the untrusted app, attackers can also distribute same samples to real targeted by merely replacing the defined sample app with a malware app on their server.
macOS Gatekeeper Bypass Vulnerability
GateKeeper is a security feature built into Apple macOS that enforces code signing and verifies downloaded applications before allowing them to run, helping users protect their systems from malware and other malicious software.
That means, if you download an application from the Internet, GateKeeper will only allow it to execute without any warnings if it has been signed with a valid Apple-issued certificate, otherwise will prompt you to allow or deny the execution.
However, Gatekeeper has been designed to treat both external drives (USB or HDD) and network shares as “safe locations” from where users can run any application without involving GateKeeper’s checks and prompts.
Filippo Cavallarin, an independent security researcher, late last month publicly revealed a way to exploit this behavior by combining it with two other legitimate features of macOS operating system, which are:
- zip archives can contain symbolic links pointing to an arbitrary location, including automount endpoints, and
- automount feature on macOS can automatically mount a network share from a remote server just by accessing it with a “special” path i.e., beginning with “/net/.”
“For example, ls /net/evil-attacker.com/sharedfolder/ will make the OS read the content of the ‘sharedfolder’ on the remote host (evil-attacker.com) using NFS,” Cavallarin explained in a blog post.
As shown in the video demonstration, Cavallarin created a ZIP file with a symbolic link to an attacker-controlled network share that macOS will automount.
Once a victim opens the ZIP archive and follows the link, he will navigate to the attacker-controlled network share that’s trusted by Gatekeeper, tricking the victim into running malicious executable files without any warning.
“The way Finder is designed (ex hide .app extensions, hide full path from title bar) makes this technique very effective and hard to spot,” the researcher says.
However, the newly discovered malware samples are not ZIP files, but disk image files (with .dmg), showing that “malware makers were experimenting to see whether Cavallarin’s vulnerability would work with disk images, too.”
Cavallarin responsibly reported his findings to Apple on February 22 but decided to go public late last month after the company failed to patch the issue within the 90 days disclosure deadline and started ignoring his emails.
Until Apple patches this issue, researcher advised network administrators to block NFS communications with external IP addresses, and for home users, it is always important to not open email attachments from an unknown, suspicious, or untrustworthy source.