Attackers target macOS Gatekeeper vulnerability to deliver OSX/Linker malware

Intego security researcher Joshua Long has analyzed OSX/Linker malware, which is being developed to exploit the recently discovered macOS Gatekeeper security flaw. This vulnerability, disclosed by Filippo Cavallarin, allows a malicious binary downloaded from the Internet to bypass Gatekeeper's scanning process.

The researcher wrote of his discovery in May: “On MacOS X version <= 10.14.5 (at time of writing) it is possible to easily bypass Gatekeeper in order to execute untrusted code without any warning or user’s explicit permission.”

By design, Gatekeeper treats both external drives and network shares as safe locations, which allows apps to run smoothly. However, by putting these two features together, it is possible to deceive Gatekeeper.

How does the vulnerability-based attack work?

It is believed that the attackers craft a zip file and send it to a targeted system, and that users download it because of a lack of knowledge. The researcher found that Gatekeeper could not scan these files, which lets users execute malicious symlinks that allow attackers to run malicious code on the system.

At the very beginning of June, Intego's malware research team discovered that the vulnerability was apparently being tested as a way of infiltrating malware.

Although Cavallarin’s vulnerability disclosure specifies a .zip compressed archive, the samples analyzed by Intego were actually disk image files. It seems that malware makers were experimenting to see whether Cavallarin’s vulnerability would work with disk images, too.

This is a reminder that malware developers are trying to discover new methods to bypass macOS protections.