Last week, Intego researchers discovered new Mac malware, OSX/Linker, that attempts to leverage a recently disclosed zero-day flaw in macOS’ Gatekeeper protection.
Before digging into the OSX/Linker malware, it would be helpful, for context, to discuss the “MacOS X GateKeeper Bypass” vulnerability that was publicly disclosed by Filippo Cavallarin on May 24. Gatekeeper is a technology included in macOS that is supposed to check apps downloaded from the Internet for either a revoked developer signature or certain specific malware that Apple chooses to detect, before allowing an app to run… Cavallarin says that he reported the vulnerability to Apple on February 22, and Apple told him that the issue would be fixed within 90 days—but Apple missed its deadline, and Cavallarin believed that Apple was no longer responding to his e-mails, so he released his findings publicly via his blog.
Early last week, Intego’s malware research team discovered the first known uses of Cavallarin’s vulnerability, which seem to have been used — at least at first — as a test in preparation for distributing malware… The disk images are disguised as Adobe Flash Player installers, which is one of the most common ways malware creators trick Mac users into installing malware. The fourth OSX/Linker disk image is code-signed by an Apple Developer ID—Mastura Fenny (2PVD64XRF3)—that has been used to sign literally hundreds of fake Flash Player files over the past 90 days, associated with the OSX/Surfbuyer adware family.
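As an added example (not code from Intego or MacDailyNews), the following POSIX shell script triages a downloaded disk image the way a defender would after reading the report: it verifies the code signature, runs the Gatekeeper assessment that macOS applies to disk images, and then flags the signing Team ID if it matches the Developer ID named above (2PVD64XRF3). It assumes macOS with codesign(1) and spctl(8) available; the blocklist and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: Gatekeeper-style triage of a
# downloaded .dmg or .app plus a Team ID blocklist check.
# Assumption: runs on macOS where codesign(1) and spctl(8) exist.

# Team IDs to reject. 2PVD64XRF3 is the Developer ID from the Intego report.
BLOCKED_TEAM_IDS="2PVD64XRF3"

# Read `codesign -dvvv` output on stdin and print the TeamIdentifier value.
team_id_from_codesign() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Return 0 when the given Team ID is on the blocklist, 1 otherwise.
is_blocked_team() {
    for id in $BLOCKED_TEAM_IDS; do
        [ "$1" = "$id" ] && return 0
    done
    return 1
}

# Full check on a real file (macOS only). Exit codes:
# 0 ok, 2 unsigned/tampered, 3 rejected by Gatekeeper policy, 4 blocked team.
check_download() {
    f="$1"
    # Signature must be present and intact.
    codesign --verify --deep --strict "$f" 2>/dev/null \
        || { echo "UNSIGNED_OR_TAMPERED $f"; return 2; }
    # Same assessment Gatekeeper applies when a disk image is opened.
    spctl --assess --type open --context context:primary-signature "$f" 2>/dev/null \
        || { echo "GATEKEEPER_REJECTS $f"; return 3; }
    # codesign -dvvv writes its details to stderr, hence the redirect.
    tid=$(codesign -dvvv "$f" 2>&1 | team_id_from_codesign)
    if is_blocked_team "$tid"; then
        echo "BLOCKED_TEAM $tid $f"
        return 4
    fi
    echo "OK team=$tid $f"
}

# Usage: check_download ~/Downloads/FlashPlayer.dmg
```

Because the disclosed bypass means Gatekeeper may not reject the image at all, the Team ID comparison is the step that still catches this sample even when the policy check passes.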
MacDailyNews Take: Ugh. The sooner Apple plugs this one, the better!