OSX/Linker: New zero-day malware targets Mac devices

According to an analysis from researchers at Intego, there is a new malware that Mac users have to contend with. Dubbed “OSX/Linker” by Intego researchers, the malware seeks to attack a zero-day involving macOS’ Gatekeeper protection. The zero-day, disclosed by Filippo Cavallarin on May 24, was reported to Apple but after they failed to fix the flaw — which they said they would do in 90 days — the researcher publicly disclosed it on his blog.

With this in mind, Intego describes in the following article excerpt the logistics of OSX/Linker and the danger it poses to Mac users:

By creating a symbolic link (or “symlink” —similar to an alias) to an app hosted on an attacker-controlled Network File System (NFS) server, and then creating a .zip archive containing that symlink and getting a victim to download it, the app would not be checked by Apple’s rudimentary XProtect bad-download blocker... Although Cavallarin’s vulnerability disclosure specifies a .zip compressed archive, the samples analyzed by Intego were actually disk image files. It seems that malware makers were experimenting to see whether Cavallarin’s vulnerability would work with disk images, too... By the time the disk images had been discovered and analyzed, the NFS server was no longer hosting the Mac app referenced by the disk images’ symlinks... It is possible that these disk images, or subsequent disk images, may have been used in small-scale or targeted attacks, but so far this remains unknown.

As this further proves, the myth that Mac is safer than PC is patently false. While there is no evidence yet of a broad-scale attack with OSX/Linker, it is clear that the developers behind the malware are constantly testing it and seeing how it can leverage the Gatekeeper zero-day. Intego researchers warn that there is a possibility that Mac users have been infected and should use their VirusBarrier Scanner, which identifies the presence of OSX/Linker in their machine.

There is no real way for home users to identify infection besides this, but Intego states that sys admins can check if machines connected via NFS ports to the IP address “,” which is a possible indication of infection. Connections between the dates of May 24 and June 18 should be considered high priority.

Featured image: Shutterstock

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

Managing Azure firewall and virtual networks with PowerShell

Here’s how to manage firewall and virtual networks in a Storage Account and how to use Azure Automation to enforce…

11 hours ago

Microsoft exposed 250 million users’ private records in December

Microsoft exposed roughly 250 million customer service and support records last month. While the company says it secured all servers,…

16 hours ago

Keep a lid on your AWS cloud goodies with breach and attack simulation

If you store business data in the AWS cloud, you need to secure it against unauthorized access. A breach and…

19 hours ago

Amazon SES unveils new Bring Your Own IP feature

You’ve heard of Bring Your Own Device, and now there’s Bring Your Own IP. Here’s a look at this useful…

1 day ago

Why API security is becoming the next big challenge

The shift to REST APIs has an unintended consequence for DevOps: new attack vectors. A security expert walks us through…

2 days ago

Can ‘silent meetings’ solve your IT planning woes?

Companies are adopting the concept of silent meetings as a way to make business meetings more productive. Does this work?

2 days ago