OSX/Linker Malware, A Weaponized Unpatched Security Bug
We rarely feature a MacOS security story here at Hackercombat.com, because the platform is not an attractive target for most attackers. MacOS, with its BSD underpinnings and its minority market share next to Redmond’s operating system we all call Windows, is rarely worth the effort for malware authors. From time to time, however, a prominent piece of Mac malware does reach the IT sphere of discussion, precisely because in-the-wild Mac malware is so rare. Every MacOS malware that becomes public turns into a headline in no time.
That time has come: Intego, a developer of MacOS-focused security software, has found that the MacOS Gatekeeper bug was weaponized by hackers to infect vulnerable Macs with the OSX/Linker malware. Led by Joshua Long, the Intego team started its research from the Gatekeeper bypass bug publicly disclosed by Filippo Cavallarin on May 24, 2019. Gatekeeper is MacOS’ official filter for downloaded apps: a system service that refuses to run a downloaded app that does not carry a valid digital signature, or that Apple’s malware definitions recognize as known malware. Cavallarin’s bypass abuses the fact that Gatekeeper treats files on network shares, including NFS shares reached through the /net automounter, as trusted, so a symlink inside a downloaded archive can point at an attacker-controlled share and launch an app from it without any check.
Cavallarin reported the bug to Apple on February 22, and Cupertino told him it would be fixed within 90 days, the window that the responsible-disclosure practice followed across the tech industry gives a vendor before details go public. Apple, however, did not patch the problem within that window, so Cavallarin decided the time had come to disclose the bug publicly.
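To make the bypass concrete, here is an added example, not code from Intego or Cavallarin, that scans a .zip archive for the ingredient of the public bypass: a symlink entry whose target resolves through macOS’ /net automounter to a remote NFS share. The sample archive, including the hostname nfs.example.invalid, is constructed inside the script.

```python
"""Scan a .zip archive for symlinks whose target points into macOS' /net
automounter tree, the ingredient of Cavallarin's Gatekeeper bypass.

Added example; not Intego's or Cavallarin's code. The sample archive is
constructed inline and the hostname in it is a placeholder."""
import io
import stat
import zipfile

# The automounter resolves /net/<host>/<export> to a remote NFS share on a
# default macOS install; that is the path form used in the public bypass.
AUTOMOUNT_PREFIXES = ("/net/",)


def add_symlink(zf: zipfile.ZipFile, name: str, target: str) -> None:
    """Write a symlink entry: the entry data is the link target, and the
    Unix mode bits (S_IFLNK) live in the high 16 bits of external_attr."""
    info = zipfile.ZipInfo(name)
    info.create_system = 3  # 3 = Unix, so unzip tools honour the mode bits
    info.external_attr = (stat.S_IFLNK | 0o777) << 16
    zf.writestr(info, target)


def find_automount_symlinks(zip_bytes: bytes) -> list:
    """Return (entry_name, target) for every symlink entry whose target is
    under an automounter prefix. Regular files are ignored."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if not stat.S_ISLNK(mode):
                continue
            target = zf.read(info).decode("utf-8", "replace")
            if target.startswith(AUTOMOUNT_PREFIXES):
                hits.append((info.filename, target))
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file, one benign absolute symlink of the
    kind installers often ship, and one symlink that resolves through /net to
    a placeholder NFS server."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "nothing to see here\n")
        add_symlink(zf, "Applications", "/Applications")
        add_symlink(zf, "Install Flash Player",
                    "/net/nfs.example.invalid/share/Installer.app")
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in find_automount_symlinks(build_sample_archive()):
        print(f"suspicious symlink: {name!r} -> {target}")
```

The check deliberately looks only at symlink entries and their targets, so the common, harmless /Applications shortcut that many installers ship is not flagged, while any entry that would make Finder fetch its app from a remote NFS export is.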
“Early last week, Intego’s malware research team discovered the first known attempts to leverage Cavallarin’s vulnerability, which seem to have been used—at least at first—as a test in preparation for distributing malware. Although Cavallarin’s vulnerability disclosure specifies a .zip compressed archive, the samples analyzed by Intego were actually disk image files,” explained Joshua Long. He believes the people behind OSX/Linker were testing whether the vulnerability can also be exploited through disk images, either an ISO 9660 image (the standard CD image format) renamed with a .dmg extension or a native Apple .dmg disk image. The .dmg extension is used to fool the user into believing the file is an Apple-specific disk image rather than a plain CD image, which would normally carry a .iso extension.
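Long’s point about the two container formats can be checked mechanically. The following added example, not Intego’s code, sniffs whether a file named *.dmg is a native Apple UDIF image, identified by the “koly” trailer in its final 512 bytes, or an ISO 9660 image, identified by the primary volume descriptor at sector 16, and flags the mismatch. Both sample images are constructed inline and the file names are placeholders.

```python
"""Tell an Apple UDIF disk image from an ISO 9660 image wearing a .dmg
extension, as Intego observed for the OSX/Linker samples.

Added example; not Intego's code. Sample images are constructed inline."""
import struct

SECTOR = 2048
PVD_OFFSET = 16 * SECTOR    # ISO 9660 primary volume descriptor sits at sector 16
UDIF_TRAILER_LEN = 512      # the UDIF 'koly' block is the final 512 bytes of a .dmg


def detect_formats(data: bytes) -> set:
    """Return the container formats recognised in *data*. A hybrid image can
    legitimately carry both markers, so a set is returned rather than one name."""
    found = set()
    if len(data) >= PVD_OFFSET + 6 and data[PVD_OFFSET:PVD_OFFSET + 6] == b"\x01CD001":
        found.add("iso9660")
    if len(data) >= UDIF_TRAILER_LEN and data[-UDIF_TRAILER_LEN:][:4] == b"koly":
        found.add("udif")
    return found


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a .dmg-named file has no UDIF trailer but is an ISO 9660 image,
    i.e. the extension is lying about the container format."""
    fmts = detect_formats(data)
    return (filename.lower().endswith(".dmg")
            and "udif" not in fmts
            and "iso9660" in fmts)


def make_iso9660_sample() -> bytes:
    """Constructed ISO 9660 image: zero-filled up to and including sector 16,
    with only the descriptor type and 'CD001' magic set."""
    img = bytearray(PVD_OFFSET + SECTOR)
    img[PVD_OFFSET:PVD_OFFSET + 6] = b"\x01CD001"
    return bytes(img)


def make_udif_sample() -> bytes:
    """Constructed UDIF image: some payload bytes followed by a 512-byte koly
    trailer carrying the signature, version 4 and the header size."""
    trailer = bytearray(UDIF_TRAILER_LEN)
    trailer[0:4] = b"koly"
    struct.pack_into(">I", trailer, 4, 4)
    struct.pack_into(">I", trailer, 8, UDIF_TRAILER_LEN)
    return bytes(1024) + bytes(trailer)


if __name__ == "__main__":
    for name, blob in (("Install Flash Player.dmg", make_iso9660_sample()),
                       ("Install Flash Player.dmg", make_udif_sample())):
        print(name, sorted(detect_formats(blob)),
              "MISMATCH" if extension_mismatch(name, blob) else "ok")
```

A mismatch is not proof of malice on its own, but a CD image renamed to .dmg is exactly the disguise Intego reported, and the check costs two reads of fixed offsets, so it is cheap to run on anything a user downloads.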
“Because one of the files was signed with an Apple Developer ID (as explained below), it is evident that the OSX/Linker disk images are the handiwork of the developers of the OSX/Surfbuyer adware. As for the NFS server, its IP address (see the “Indicators of compromise” section below) is owned by Softlayer, now part of IBM Cloud,” added Long.
At the time of writing, the server at that IP address can no longer be reached. According to Long, this may mean the hosting provider deliberately shut the service down, or that the malware authors took it down themselves to buy time and hide their true identities.
“So how can one be certain that the app was malicious? There are a number of clear indicators of foul play. The disk images are disguised as Adobe Flash Player installers, which is one of the most common ways malware creators trick Mac users into installing malware,” said Long. The malware poses as a legitimate-looking Flash Player installer, and one sample was digitally signed with a valid Apple Developer ID certificate issued to a certain Mastura Fenny. Long noted that the Developer ID has been reported to Apple and is in the process of being revoked.