An unpatched vulnerability, discovered in macOS Mojave last month, permits attackers to completely bypass the Gatekeeper security feature. Unfortunately, it’s now been exploited by an adware company in what’s been called a test in preparation for new Mac malware.
For context, researcher Filippo Cavallarin recently discovered (and reported to Apple) a security oversight in the macOS Mojave operating system that would permit a rogue app to bypass Gatekeeper protections. The vulnerability takes advantage of the fact that Gatekeeper considers external drives and network shares as safe locations, allowing malware to be launched from these locations without Gatekeeper’s intervention.
Security researchers over at Intego now point us to four disk images, disguised as Adobe Flash Player installers, that were uploaded by an adware firm to VirusTotal. Intego researchers claim this is a test in preparation for distributing new Mac malware, called OSX/Linker, that attempts to leverage the aforementioned zero-day flaw in macOS’ Gatekeeper protection.
The four samples, uploaded on June 6 within hours of the creation of each disk image, all link to a now-removed app on an Internet-accessible NFS server.
Intego notes that the dynamically linked Install.app seemed to be a placeholder that did not do much other than create a temporary text file, but that could easily change on the server side at any time without the disk image needing to be modified at all.
Intego says it is therefore possible that the same or newly-uploaded disk images could later have been used to distribute an app that actually executed malicious code on a victim’s Mac.
One of the files was signed with an Apple Developer ID, suggesting the test was created by the developers of the OSX/Surfbuyer adware. The jury is still out as to whether these disk images, or subsequent ones, may have been used in small-scale or targeted attacks.
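The weakness described above is that Gatekeeper trusts content on network shares and external volumes, so a disk image only needs to carry a link to an app hosted elsewhere. A defender triaging a suspicious disk image can therefore mount it and look for symlinks whose targets resolve outside the volume, especially into macOS’s automounter paths (the `/net` entry in `/etc/auto_master` maps `/net/<host>/<export>` to NFS exports). The following script is an added example, not Intego’s tooling or any of the samples discussed; the `build_sample_image()` helper builds a constructed stand-in for a mounted image in a temporary directory, and the `/net/203.0.113.10/...` target is a placeholder address, not an indicator from the article.

```python
import os
import tempfile
from pathlib import Path

# Prefixes under which macOS exposes automounted network shares and external
# volumes. A symlink from a disk image into one of these is the pattern to flag.
NETWORK_PREFIXES = ("/net/", "/Volumes/", "/private/var/automount/")


def find_external_links(volume_root):
    """Walk a mounted disk-image volume and report every symlink whose target
    resolves outside the volume. Each finding records the link path (relative
    to the volume), the raw target, and whether the target lies under a
    network/automount prefix."""
    root = Path(volume_root).resolve()
    findings = []
    # followlinks=False (the default) keeps os.walk from descending into
    # symlinked directories, so a link to an external location is not walked.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            target = os.readlink(entry)
            # Resolve the target relative to the link's directory without
            # following it: a broken or unmounted target must still be reported.
            abs_target = Path(os.path.normpath(os.path.join(dirpath, target)))
            try:
                abs_target.relative_to(root)
                outside = False
            except ValueError:
                outside = True
            if outside:
                findings.append({
                    "link": str(entry.relative_to(root)),
                    "target": target,
                    "network": str(abs_target).startswith(NETWORK_PREFIXES),
                })
    return findings


def build_sample_image():
    """Constructed stand-in for a mounted disk image (not a real sample):
    one harmless relative link and one link to an app on an NFS automount."""
    tmp = tempfile.mkdtemp(prefix="dmg_")
    with open(os.path.join(tmp, "README.txt"), "w") as fh:
        fh.write("placeholder readme\n")
    # Legitimate: relative link that stays inside the volume.
    os.symlink("README.txt", os.path.join(tmp, "Read Me.txt"))
    # Suspicious: absolute link to an app on an automounted NFS export.
    # 203.0.113.10 is a documentation address used here as a placeholder.
    os.symlink("/net/203.0.113.10/export/Install.app",
               os.path.join(tmp, "Install Adobe Flash Player.app"))
    return tmp


if __name__ == "__main__":
    volume = build_sample_image()
    for finding in find_external_links(volume):
        flag = "NETWORK" if finding["network"] else "external"
        print(f"[{flag}] {finding['link']} -> {finding['target']}")
```

Against a real image you would run `find_external_links("/Volumes/<mounted image>")` after attaching it with `hdiutil attach`; a hit under `/net/` or another automount path is exactly the shape of the disk images described above, and the link target itself is worth blocking or monitoring for regardless of what the remote app currently does, since the server-side payload can change without the image changing.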