Last month, an Italian researcher publicly disclosed a Mac vulnerability that allowed for attackers to lure users to locations that were loaded with malicious code waiting to be executed on the targeted device and was not previously verified by Gatekeeper. When the PoC code was initially sent to Apple in February, no immediate actions were taken, but when version 10.14.4 of Mojave was released in March, they claimed to have repaired Gatekeeper. However, this was found to be untrue as further tests were run and proved the vulnerability to still be executable. It would not be long before an attacker took advantage of the problem by creating a malware that would cater to the flaw. Earlier this month, a veteran Apple researcher discovered samples of the OSX/Linker malware which lets us know it’s past it’s testing and payload refinement stages. Certificates that were previously used by the known Surfbuyer adware group are used to sign the OSX/Linker malware. It also uses a modified version of the PoC as well as disk images files and Adobe Flash Player installers. Although disk images have no longer been seen, this does not mean very low scale distribution campaigns are not going on. Apple seems to be slacking a bit on this issue because the samples that were looked at received a signature from a compromised Apple Developer ID which has yet to be repealed.
Users are suggested to disable the automount functionality on their system, which would greatly reduce the risk of the malicious images being uploaded to their device. Another suggestion is to lock down the network to halt NFS communications with external IP’s.