New vulnerability on Mac is exploited with malware

IT security audit specialists from the cybersecurity firm Intego have reported supposed in the wild exploitation of an uncorrected vulnerability in some of Apple MacOS Gatekeeper security features; there is a proof of concept of this exploitation published online.

A few days ago, experts discovered at least four different samples of this macOS malware on VirusTotal specialized platform. These malware variants exploit a bypass vulnerability to execute malicious code on macOS without requiring the user to approve the action through a dialog box.

The latest version of the malware, known as OSX/Linker, has not been detected in the wild yet, so IT security audit experts considered that it is still in a developmental stage. Even though all malware variants exploit the vulnerability in Gatekeeper, the download of any malicious application has not been detected from the server of the threat actors.

Gatekeeper is a security feature built into Apple macOS that verifies digital signatures and downloaded apps before approving their execution, functioning as an additional layer of security against malware. If someone gets to download an application from any website, Gatekeeper will allow or prevent its execution depending on whether it finds a valid certificate approved by Apple; otherwise it will ask for users’ approval to run the application.

However, Gatekeeper was designed to treat external storage drives (such as USB or HDD), in addition to network shares, as secure locations. According to the experts, from these secure locations a user can run any application without requiring subsequent permissions or Gatekeeper alerts.

Late last month, IT security audit specialist revealed a method to exploit this operating system behavior that involves two other legitimate features of macOS: zip files and automount function. The expert created a zip file with a symbolic link to an attacker-controlled network share that macOS will automount.

When the victim opens the zip and follows the link, they will be directed to the shared network under the hacker’s control and execute malicious files without the system requesting the victim’s authorization. The expert notified the company last February and, as more than 90 days have passed and the flaw has not been corrected, he decided to disclose the vulnerability.

Experts from the International Institute of Cyber Security (IICS) recommend blocking NFS communications as a workaround while Apple releases an update patch.