OSX/Linker: New zero-day malware targets Mac devices

According to an analysis from researchers at Intego, there is a new malware that Mac users have to contend with. Dubbed “OSX/Linker” by Intego researchers, the malware seeks to attack a zero-day involving macOS’ Gatekeeper protection. The zero-day, disclosed by Filippo Cavallarin on May 24, was reported to Apple but after they failed to fix the flaw — which they said they would do in 90 days — the researcher publicly disclosed it on his blog.

With this in mind, Intego describes in the following article excerpt the logistics of OSX/Linker and the danger it poses to Mac users:

By creating a symbolic link (or “symlink” —similar to an alias) to an app hosted on an attacker-controlled Network File System (NFS) server, and then creating a .zip archive containing that symlink and getting a victim to download it, the app would not be checked by Apple’s rudimentary XProtect bad-download blocker... Although Cavallarin’s vulnerability disclosure specifies a .zip compressed archive, the samples analyzed by Intego were actually disk image files. It seems that malware makers were experimenting to see whether Cavallarin’s vulnerability would work with disk images, too... By the time the disk images had been discovered and analyzed, the NFS server was no longer hosting the Mac app referenced by the disk images’ symlinks... It is possible that these disk images, or subsequent disk images, may have been used in small-scale or targeted attacks, but so far this remains unknown.

As this further proves, the myth that Mac is safer than PC is patently false. While there is no evidence yet of a broad-scale attack with OSX/Linker, it is clear that the developers behind the malware are constantly testing it and seeing how it can leverage the Gatekeeper zero-day. Intego researchers warn that there is a possibility that Mac users have been infected and should use their VirusBarrier Scanner, which identifies the presence of OSX/Linker in their machine.

There is no real way for home users to identify infection besides this, but Intego states that sys admins can check if machines connected via NFS ports to the IP address “,” which is a possible indication of infection. Connections between the dates of May 24 and June 18 should be considered high priority.

Featured image: Shutterstock

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

What are the potential disadvantages of SSL/TLS?

There’s wide consensus on the benefits of SSL/TLS. However, not as much attention has been given to SSL/TLS disadvantages.

1 day ago

Exploring native software inventory logging in Windows Server

Windows Server has built-software inventory logging that can be very useful. Here’s how to use this little-known feature.

1 day ago

Passwordless authentication: Safer, better, and about time

Passwordless authentication has quickly become one of the primary means by which users access their laptops, phones, and tablets because…

1 day ago

Automated Incident Response in Office 365 ATP simplifies cybersecurity

Microsoft has pumped up Office 365 Advanced Threat Protection with a new feature, Automated Incident Response. Here’s what you need…

2 days ago

IFA 2019: Smart TVs and even smarter wearables unveiled

What will be in your living room or on your wrist this year? It may very likely be one of…

2 days ago

Consider these SD-WAN technologies for faster, more reliable networking

As virtualization becomes a major part of organizations’ infrastructure, these SD-WAN technologies provide faster and more reliable networking solutions.

2 days ago