According to an analysis from researchers at Intego, there is a new malware that Mac users have to contend with. Dubbed “OSX/Linker” by Intego researchers, the malware seeks to attack a zero-day involving macOS’ Gatekeeper protection. The zero-day, disclosed by Filippo Cavallarin on May 24, was reported to Apple but after they failed to fix the flaw — which they said they would do in 90 days — the researcher publicly disclosed it on his blog.
With this in mind, Intego describes in the following article excerpt the logistics of OSX/Linker and the danger it poses to Mac users:
By creating a symbolic link (or “symlink” —similar to an alias) to an app hosted on an attacker-controlled Network File System (NFS) server, and then creating a .zip archive containing that symlink and getting a victim to download it, the app would not be checked by Apple’s rudimentary XProtect bad-download blocker... Although Cavallarin’s vulnerability disclosure specifies a .zip compressed archive, the samples analyzed by Intego were actually disk image files. It seems that malware makers were experimenting to see whether Cavallarin’s vulnerability would work with disk images, too... By the time the disk images had been discovered and analyzed, the NFS server was no longer hosting the Mac app referenced by the disk images’ symlinks... It is possible that these disk images, or subsequent disk images, may have been used in small-scale or targeted attacks, but so far this remains unknown.
As this further proves, the myth that Mac is safer than PC is patently false. While there is no evidence yet of a broad-scale attack with OSX/Linker, it is clear that the developers behind the malware are constantly testing it and seeing how it can leverage the Gatekeeper zero-day. Intego researchers warn that there is a possibility that Mac users have been infected and should use their VirusBarrier Scanner, which identifies the presence of OSX/Linker in their machine.
There is no real way for home users to identify infection besides this, but Intego states that sys admins can check if machines connected via NFS ports to the IP address “126.96.36.199,” which is a possible indication of infection. Connections between the dates of May 24 and June 18 should be considered high priority.
Featured image: Shutterstock