New Mac Malware Exploits GateKeeper Bypass Bug that Apple Left Unpatched [thehackernews]
by CIRT Team
Cybersecurity researchers from Intego are warning about possible active exploitation of an unpatched security vulnerability in Apple's macOS Gatekeeper security feature, details and a PoC for which were publicly disclosed late last month.
Last week the Intego team discovered four samples of new macOS malware on VirusTotal that leverage the Gatekeeper bypass vulnerability to execute untrusted code on macOS without displaying any warning to users or asking for their explicit permission.
However, the newly discovered malware, dubbed OSX/Linker, has not been seen in the wild so far and appears to be under development. Though the samples leverage the unpatched Gatekeeper bypass flaw, they do not download any malicious app from the attacker's server.
According to Joshua Long from Intego, until last week, the “malware maker was merely conducting some detection testing reconnaissance.”
“One of the files was signed with an Apple Developer ID (as explained below), it is evident that the OSX/Linker disk images are the handiwork of the developers of the OSX/Surfbuyer adware,” Long said in a blog post.
However, since the malware sample links to a remote server from which it downloads the untrusted app, attackers could also distribute the same samples to real targets by merely replacing the harmless sample app with a malicious one on their server.
macOS Gatekeeper Bypass Vulnerability
Gatekeeper is a security feature built into Apple macOS that enforces code signing and verifies downloaded applications before allowing them to run, helping users protect their systems from malware and other malicious software.
That means that if you download an application from the Internet, Gatekeeper will only allow it to execute without any warnings if it has been signed with a valid Apple-issued certificate; otherwise it will prompt you to allow or deny the execution.
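As an added example (not part of the article or of Intego's research), a small shell check a Mac administrator can run against a downloaded app or disk image to see how Gatekeeper will treat it before anyone double-clicks it. It assumes macOS with the stock spctl, codesign and xattr tools; on any other system it reports that the assessment is unavailable.

```shell
#!/bin/sh
# Added example: ask Gatekeeper the same question it answers when a user
# opens a download. Exit codes: 0 accepted (would launch without a warning),
# 1 rejected, 2 path does not exist, 3 spctl unavailable (not macOS).

gk_assess() {
    target="$1"
    [ -e "$target" ] || { echo "no such path: $target" >&2; return 2; }
    command -v spctl >/dev/null 2>&1 || { echo "spctl not found (not macOS)" >&2; return 3; }

    # Gatekeeper only evaluates items carrying the quarantine attribute that
    # browsers and mail clients set on downloads; show it when present.
    if q=$(xattr -p com.apple.quarantine "$target" 2>/dev/null); then
        echo "quarantine: $q"
    else
        echo "quarantine: (none - Gatekeeper would not assess this item)"
    fi

    # Signature integrity check, independent of the Gatekeeper policy decision.
    codesign --verify --deep --strict --verbose=2 "$target" 2>&1 | sed 's/^/codesign: /'

    # The policy decision itself; spctl exits non-zero on rejection, so do not
    # let that abort a caller running with set -e.
    out=$(spctl --assess --type execute --verbose "$target" 2>&1) || true
    echo "$out" | sed 's/^/spctl: /'
    case "$out" in
        *accepted*) return 0 ;;
    esac
    return 1
}

if [ "$#" -gt 0 ]; then
    gk_assess "$1"
    exit $?
fi
```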