Security researchers at Intego are warning of possible active exploitation of an unpatched vulnerability in Apple's macOS Gatekeeper security feature, details and a proof-of-concept for which were publicly disclosed late last month.
Last week the Intego team found four samples of a new macOS malware on VirusTotal that leverage the Gatekeeper bypass to run untrusted code on macOS without showing the user any warning or asking for explicit permission.
However, the newly discovered malware, dubbed OSX/Linker, has not been seen in the wild so far and appears to still be under development. Although the samples leverage the unpatched Gatekeeper bypass, they do not yet download a malicious app from the attacker's server.
According to Joshua Long from Intego, until last week, the “malware maker was merely conducting some detection testing reconnaissance.”
“One of the files was signed with an Apple Developer ID (as explained below), it is evident that the OSX/Linker disk images are the handiwork of the developers of the OSX/Surfbuyer adware,” Long said in a blog post.
However, because the samples link to a remote server from which the untrusted app is fetched, attackers could turn these same samples against real targets simply by replacing the placeholder app on their server with a malicious one; nothing in the disk image itself would need to change.
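One check a defender can run on a suspicious disk image follows. It is an added example, not code from Intego's write-up or from the Hacker News article, and it assumes the mechanism of the publicly disclosed bypass: a symlink inside an archive or disk image whose target sits under macOS's /net automounter path, which Gatekeeper treated as a local, already-trusted location. The script lists such links in an already-mounted image (for instance one attached with `hdiutil attach -readonly -nobrowse`), and the sample image it builds, including the placeholder host `example.invalid`, is constructed for the demonstration; only the raw link target string is inspected, so nothing remote is resolved or executed.

```shell
#!/bin/sh
# Added example (not Intego's or Hacker News' code): scan a mounted disk image
# for symlinks whose target lives under the macOS /net automounter, the path
# shape used by the disclosed Gatekeeper bypass. Assumption: the image is
# already attached; we only read link targets with readlink, never follow them.

# Print "link -> target" for every symlink under "$1" that points into /net/.
find_automount_links() {
    dir=$1
    # -type l selects symlinks only; readlink prints the raw target string.
    find "$dir" -type l -print 2>/dev/null | while IFS= read -r link; do
        target=$(readlink "$link")
        case "$target" in
            /net/*)
                printf '%s -> %s\n' "$link" "$target"
                ;;
        esac
    done
}

# Number of suspicious links under "$1" (0 means the image passed this check).
count_automount_links() {
    find_automount_links "$1" | wc -l | tr -d ' '
}

# Build a constructed sample image directory that mimics the OSX/Linker layout:
# one symlink to a remote automount path, one harmless relative symlink.
make_sample_image() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/image"
    # Constructed: example.invalid is a reserved placeholder hostname.
    ln -s /net/example.invalid/share/Player.app "$tmp/image/Player.app"
    ln -s ../Applications "$tmp/image/Applications"
    printf '%s\n' "$tmp/image"
}

# Stand-alone demo: build the sample, scan it, report, clean up.
sample=$(make_sample_image)
echo "Suspicious automount links in $sample:"
find_automount_links "$sample"
echo "count: $(count_automount_links "$sample")"
rm -rf "$(dirname "$sample")"
```

The check is deliberately string-based: resolving the link would trigger the automounter and contact the attacker's host, which is exactly what the bypass relies on. Treat any hit as a reason not to open the image, and extend the `case` pattern if your environment maps other automount prefixes in auto_master.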