{"id":88354,"date":"2019-06-24T09:34:19","date_gmt":"2019-06-24T16:34:19","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=88354"},"modified":"2019-07-01T00:07:53","modified_gmt":"2019-07-01T07:07:53","slug":"osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/","title":{"rendered":"OSX\/Linker: New Mac malware attempts zero-day Gatekeeper bypass"},"content":{"rendered":"<p><img loading=\"lazy\" class=\"aligncenter size-full wp-image-88381\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/red-link-in-chain-OSX-Linker-600x300.jpg\" alt=\"\" width=\"600\" height=\"300\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/red-link-in-chain-OSX-Linker-600x300.jpg 600w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/red-link-in-chain-OSX-Linker-600x300-150x75.jpg 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/red-link-in-chain-OSX-Linker-600x300-300x150.jpg 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/>Last week, Intego researchers discovered new Mac malware, <strong>OSX\/Linker<\/strong>, that attempts to leverage a recently disclosed zero-day flaw in macOS&#8217; Gatekeeper protection.<\/p>\n<p>Let&#8217;s examine what we know about this latest Mac malware campaign.<\/p>\n<h3>What is the back story?<\/h3>\n<p><img loading=\"lazy\" class=\"alignright size-thumbnail wp-image-61210\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/01\/gatekeeper-both-gates-open-146x150.jpg\" alt=\"\" width=\"146\" height=\"150\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/01\/gatekeeper-both-gates-open-146x150.jpg 146w, 
https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/01\/gatekeeper-both-gates-open.jpg 201w\" sizes=\"(max-width: 146px) 100vw, 146px\" \/>Before digging into the <strong>OSX\/Linker<\/strong> malware, it would be helpful, for context, to discuss the &#8220;MacOS X GateKeeper Bypass&#8221; vulnerability that was <a href=\"https:\/\/www.fcvl.net\/vulnerabilities\/macosx-gatekeeper-bypass\" target=\"_blank\" rel=\"noopener\">publicly disclosed<\/a> by Filippo Cavallarin on May 24.\u00a0<a href=\"https:\/\/www.intego.com\/mac-security-blog\/topic\/gatekeeper\/\" target=\"_blank\" rel=\"noopener\">Gatekeeper<\/a> is a technology included in macOS that is supposed to check apps downloaded from the Internet\u00a0for either a revoked developer signature, or for certain specific malware that Apple chooses to detect, before allowing an app to run.<\/p>\n<p><strong>The more technical explanation:<\/strong> Cavallarin noted that macOS treats apps loaded from a network share differently than apps downloaded from the Internet. 
By creating a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Symbolic_link\" target=\"_blank\" rel=\"noopener\">symbolic link<\/a> (or &#8220;symlink&#8221;\u2014similar to an alias) to an app hosted on an attacker-controlled\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Network_File_System\" target=\"_blank\" rel=\"noopener\">Network File System<\/a> (NFS) server, and then creating a .zip archive containing that symlink and getting a victim to download it, the app would not be checked by Apple&#8217;s rudimentary <a href=\"https:\/\/www.intego.com\/mac-security-blog\/how-the-anti-malware-function-in-apples-snow-leopard-works\/\" target=\"_blank\" rel=\"noopener\">XProtect<\/a> bad-download blocker.<\/p>\n<p><strong>The simpler explanation:<\/strong> This trick makes it easier for malware to infect a Mac\u2014even if Apple has a built-in signature that&#8217;s supposed to protect your Mac from that malware.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe loading=\"lazy\" class=\"youtube-player\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/m74cpadIPZY?version=3&#038;rel=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;fs=1&#038;hl=en-US&#038;autohide=2&#038;wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation\"><\/iframe><\/span><\/p>\n<p style=\"text-align: center;\"><span style=\"font-size: small;\">Cavallarin demonstrates the Gatekeeper bypass<\/span><\/p>\n<p>Cavallarin says that he reported the vulnerability to Apple on February 22, and Apple told him that the issue would be fixed within 90 days\u2014but Apple missed its deadline, and Cavallarin believed that Apple was no longer responding to his e-mails, so he released his findings publicly via his blog.<\/p>\n<h3>What is OSX\/Linker?<\/h3>\n<p>Early last week, Intego&#8217;s malware research team discovered the first known attempts to leverage 
Cavallarin&#8217;s vulnerability, which seem to have been used\u2014at least at first\u2014as a test in preparation for distributing malware.<\/p>\n<p><img loading=\"lazy\" class=\"alignright size-thumbnail wp-image-88399\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/macOS-disk-image-dmg-iso-icon-150x150.png\" alt=\"\" width=\"150\" height=\"150\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/macOS-disk-image-dmg-iso-icon-150x150.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/macOS-disk-image-dmg-iso-icon-300x300.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/macOS-disk-image-dmg-iso-icon-768x768.png 768w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/macOS-disk-image-dmg-iso-icon-657x657.png 657w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/macOS-disk-image-dmg-iso-icon-32x32.png 32w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/macOS-disk-image-dmg-iso-icon-50x50.png 50w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/macOS-disk-image-dmg-iso-icon-64x64.png 64w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/macOS-disk-image-dmg-iso-icon-96x96.png 96w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/macOS-disk-image-dmg-iso-icon-128x128.png 128w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/macOS-disk-image-dmg-iso-icon.png 1024w\" sizes=\"(max-width: 150px) 100vw, 150px\" \/>Although Cavallarin&#8217;s vulnerability disclosure specifies a .zip compressed archive, the samples analyzed by Intego were actually disk image files.\u00a0It seems that malware makers were experimenting to see whether Cavallarin&#8217;s vulnerability would work with disk images, too.<\/p>\n<p>The disk image files were either an 
ISO 9660 image with a .dmg file name, or an actual Apple Disk Image format .dmg file, depending on the sample. Normally, an ISO image has a .iso or .cdr file name extension, but .dmg (Apple Disk Image) files are much more commonly used to distribute Mac software. (Incidentally, several other Mac malware samples have recently been using the ISO format, possibly in a weak attempt to avoid detection by anti-malware software.)<\/p>\n<p>Intego observed <a href=\"https:\/\/www.virustotal.com\/gui\/ip-address\/108.168.175.167\/relations\" target=\"_blank\" rel=\"noopener\">four samples<\/a> that were uploaded to VirusTotal\u00a0on June 6, seemingly within hours of the creation of each disk image, that all linked to one particular application on an Internet-accessible NFS server.<\/p>\n<h3>Who created OSX\/Linker disk images?<\/h3>\n<p>Each of the four files was uploaded anonymously, meaning the user was not signed into a VirusTotal account.<\/p>\n<p>The first file was uploaded by someone who was either located in Israel, or who was masking their IP address to appear to be in Israel.<\/p>\n<p>The next three samples\u2014the first of which was uploaded just seven minutes after the sample from Israel\u2014were uploaded by a single anonymous user who appeared to be in the United States. 
Since each successive file was uploaded a short time after each previous one, it seems reasonable to speculate that all four files may have been uploaded by the same person, who forgot to mask his or her IP address until after uploading the first sample.<\/p>\n<p>Because one of the files was signed with an Apple Developer ID (as explained below), it is evident that the <strong>OSX\/Linker<\/strong> disk images are the handiwork of the developers of the\u00a0<strong>OSX\/Surfbuyer<\/strong> adware.<\/p>\n<p>As for the NFS server, its IP address (see the &#8220;Indicators of compromise&#8221; section below) is owned by <a href=\"http:\/\/www.softlayer.com\" target=\"_blank\" rel=\"noopener\">Softlayer<\/a>, now part of IBM Cloud. It seems that the app that was hosted there has been taken down, but it&#8217;s unclear whether it was removed voluntarily or was removed by the hosting company. However, while it is not clear whether the same person who uploaded the app may still have control over the NFS server, fragments of related files do still exist on the server.<\/p>\n<h3>Was this malware &#8220;in the wild&#8221;?<\/h3>\n<p>By the time the disk images had been discovered and analyzed, the NFS server was no longer hosting the Mac app referenced by the disk images&#8217; symlinks. It is not clear whether any of these specific disk images were ever part of an in-the-wild malware campaign. It is possible that these disk images, or subsequent disk images, may have been used in small-scale or targeted attacks, but so far this remains unknown.<\/p>\n<p>Given that the NFS server was no longer hosting an app at the time the disk images were analyzed, this means that a sample of the app itself could not be obtained for analysis. So how can one be certain that the app was malicious? There are a number of clear indicators of foul play. 
The disk images are disguised as Adobe Flash Player installers, which is one of the most common ways malware creators trick Mac users into installing malware. The fourth <strong>OSX\/Linker<\/strong>\u00a0disk image is code-signed by an Apple Developer ID\u2014Mastura Fenny (2PVD64XRF3)\u2014that has been used to sign <strong>literally hundreds of fake Flash Player files<\/strong> over the past 90 days, associated with the <strong>OSX\/Surfbuyer<\/strong> adware family.<\/p>\n<div id=\"attachment_88393\" style=\"width: 2084px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-88393\" loading=\"lazy\" class=\"size-full wp-image-88393\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/378-files-signed-by-Mastura-Fenny-2PVD64XRF3.jpg\" alt=\"Hundreds of fake Flash files have been signed by &quot;Mastura Fenny.&quot;\" width=\"2074\" height=\"833\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/378-files-signed-by-Mastura-Fenny-2PVD64XRF3.jpg 2074w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/378-files-signed-by-Mastura-Fenny-2PVD64XRF3-150x60.jpg 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/378-files-signed-by-Mastura-Fenny-2PVD64XRF3-300x120.jpg 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/378-files-signed-by-Mastura-Fenny-2PVD64XRF3-768x308.jpg 768w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/378-files-signed-by-Mastura-Fenny-2PVD64XRF3-1024x411.jpg 1024w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/378-files-signed-by-Mastura-Fenny-2PVD64XRF3-657x264.jpg 657w\" sizes=\"(max-width: 2074px) 100vw, 2074px\" \/><p id=\"caption-attachment-88393\" class=\"wp-caption-text\">Hundreds of fake Flash files have been signed by &#8220;Mastura Fenny.&#8221;<\/p><\/div>\n<p>Intego reported the Developer ID to Apple, 
and at the time of publication Apple was in the process of revoking the developer&#8217;s certificate.<\/p>\n<p><strong>Update: <\/strong>Threat researcher <a href=\"https:\/\/twitter.com\/adamt5Six\" target=\"_blank\" rel=\"noopener\">Adam Thomas<\/a> observed that VirusTotal&#8217;s behavioral analysis of two <strong>OSX\/Linker<\/strong> samples included PCAP (network packet capture) files, from which it is possible to reconstruct the version of the Install.app that was on the NFS server at the time of the analysis. At the time, the app seemed to be a placeholder that did not do much other than create a temporary text file:<\/p>\n<pre>#!\/bin\/bash\r\n\r\necho \"BAHSS\" &gt;&gt; \/tmp\/out.txt<\/pre>\n<div id=\"attachment_88411\" style=\"width: 700px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-88411\" loading=\"lazy\" class=\"size-full wp-image-88411\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/OSX-Linker-Install-app-pcap-screenshots.png\" alt=\"\" width=\"690\" height=\"322\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/OSX-Linker-Install-app-pcap-screenshots.png 690w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/OSX-Linker-Install-app-pcap-screenshots-150x70.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/OSX-Linker-Install-app-pcap-screenshots-300x140.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/OSX-Linker-Install-app-pcap-screenshots-657x307.png 657w\" sizes=\"(max-width: 690px) 100vw, 690px\" \/><p id=\"caption-attachment-88411\" class=\"wp-caption-text\">Reconstructions of an Install.app placeholder. Credit: Thomas<\/p><\/div>\n<p>This seems consistent with the theory that the malware maker was merely conducting some detection testing reconnaissance. 
However, because the .app inside the disk images is dynamically linked, it could change on the server side at any time\u2014without the disk image needing to be modified at all. Thus, it&#8217;s possible that the same disk images (or newer versions that were never uploaded to VirusTotal) could later have been used to distribute an app that actually executed malicious code on a victim&#8217;s Mac.<\/p>\n<p>An anonymous researcher also pointed out, and Thomas likewise observed, that although an &#8220;Installer.app&#8221; is no longer on the NFS server, a file called Install.command can currently be found there. If executed, the shell script would similarly just append a string to the same temporary text file:<\/p>\n<pre>#!\/bin\/bash\r\n\r\necho \"VPNVPN\" &gt;&gt; \/tmp\/out.txt<\/pre>\n<h3>What should Mac users learn from this?<\/h3>\n<p>Mac malware developers are actively experimenting with new ways of bypassing Apple&#8217;s built-in protection mechanisms\u2014and attackers are often successful in doing so.<\/p>\n<p>Unfortunately, <a href=\"https:\/\/www.itspmagazine.com\/from-the-newsroom\/sorry-its-a-myth-that-macs-are-more-secure-than-pcs\" target=\"_blank\" rel=\"noopener\">it&#8217;s a myth<\/a> that Macs are somehow inherently safer than Windows PCs. Within the past month alone, there have been <a href=\"https:\/\/www.intego.com\/mac-security-blog\/mac-malware-on-the-rise-again-several-new-threats-found\/\" target=\"_blank\" rel=\"noopener\">several new Mac malware campaigns<\/a> aside from <strong>OSX\/Linker<\/strong>. 
Therefore, Mac users would be wise to take steps to actively protect themselves from malware threats.<\/p>\n<p><strong>Update:<\/strong> Intego has discovered yet another new variety of Mac malware: <a href=\"https:\/\/www.intego.com\/mac-security-blog\/osx-crescentcore-mac-malware-designed-to-evade-antivirus\/\" target=\"_blank\" rel=\"noopener\">OSX\/CrescentCore: Mac malware designed to evade antivirus<\/a><\/p>\n<h3>Is my Mac infected?<\/h3>\n<p>Users of Intego VirusBarrier X9 (part of Intego&#8217;s\u00a0<a href=\"https:\/\/www.intego.com\/mac-protection-bundle\" target=\"_blank\" rel=\"noopener\">Mac Premium Bundle X9<\/a>\u00a0suite) or\u00a0<a href=\"https:\/\/www.intego.com\/business\/flextivity-secure\" target=\"_blank\" rel=\"noopener\">Flextivity<\/a>\u00a0will be notified if a related file is found on their Mac; it will be detected as\u00a0<strong>OSX\/Linker<\/strong>.<\/p>\n<p><strong>If you aren&#8217;t a VirusBarrier X9 user<\/strong>\u00a0yet, and if you think your Mac might be infected, you can scan your Mac with <a href=\"https:\/\/www.intego.com\/virusbarrier-scanner\" target=\"_blank\" rel=\"noopener\">VirusBarrier Scanner<\/a> (available for <a href=\"https:\/\/itunes.apple.com\/us\/app\/virusbarrier-scanner\/id1200445649\" target=\"_blank\" rel=\"noopener\">free<\/a> on the Mac App Store) to check for any infections. 
After you scan your Mac, your best bet to prevent future infections is to <a href=\"https:\/\/www.intego.com\/buynow\" target=\"_blank\" rel=\"noopener\">get VirusBarrier X9<\/a>, which includes <a href=\"https:\/\/www.intego.com\/mac-security-blog\/why-your-antivirus-needs-real-time-scanning\/\" target=\"_blank\" rel=\"noopener\">real-time scanning<\/a> functionality\u2014a critical feature to block malware before it can harm your Mac.<\/p>\n<h3>Indicators of compromise<\/h3>\n<p>If you&#8217;re a systems administrator and want to check for potentially infected Macs on your network, you can check whether any Macs connected to the following IP address over NFS ports (e.g. TCP or UDP ports 111 or 875, or TCP port 2049) between May 24 and June 18:<\/p>\n<pre>108.168.175.167<\/pre>\n<p>More broadly, if you know that your users should never need to connect to public-facing NFS servers, you can look for indications of recent connections to any non-private IP address on NFS ports, as a means of potentially finding other variations of the attack.<\/p>\n<p>If you discover a Mac that seems to have connected to that IP address between those dates, or if you believe you&#8217;ve found evidence of a similar attack, please <a href=\"https:\/\/support.intego.com\/hc\/en-us\/requests\/new\" target=\"_blank\" rel=\"noopener\">contact Intego support<\/a> so we can work with you to investigate further.<\/p>\n<h3>Potential mitigations of Cavallarin&#8217;s vulnerability<\/h3>\n<p>Network administrators who know that their users will never need to connect to a public NFS server can lock down their network to prevent NFS communications with external IP addresses.<\/p>\n<p>For home users, unfortunately there isn&#8217;t a simple solution for preventing this type of attack, until or unless Apple releases a macOS security update to mitigate the vulnerability. 
Cavallarin describes a possible temporary mitigation (opening <code>\/etc\/auto_master<\/code> in a text editor and adding <code>#\u00a0<\/code> to the beginning of the line that starts with <code>\/net<\/code>). Modifying system configuration files is something that only experienced and knowledgeable users should consider attempting.<\/p>\n<h3>How can I learn more?<\/h3>\n<p><a href=\"https:\/\/podcasts.apple.com\/us\/podcast\/intego-mac-podcast\/id1293834627\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" class=\"alignright size-thumbnail wp-image-71818\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile-150x150.png\" alt=\"\" width=\"50\" height=\"50\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile-150x150.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile-32x32.png 32w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile-50x50.png 50w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile-64x64.png 64w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile-96x96.png 96w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile-128x128.png 128w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile.png 300w\" sizes=\"(max-width: 50px) 100vw, 50px\" \/><\/a>We talked about <strong>OSX\/Linker<\/strong>\u00a0and <a href=\"https:\/\/www.intego.com\/mac-security-blog\/mac-malware-on-the-rise-again-several-new-threats-found\/\" target=\"_blank\" rel=\"noopener\">other recent malware<\/a> on <a href=\"http:\/\/podcast.intego.com\/88\" target=\"_blank\" rel=\"noopener\">episode 88<\/a> of the <strong>Intego Mac Podcast<\/strong>\u2014be sure to <a 
href=\"https:\/\/podcasts.apple.com\/us\/podcast\/intego-mac-podcast\/id1293834627\" target=\"_blank\" rel=\"noopener\">subscribe<\/a> to make sure you don&#8217;t miss any episodes. You&#8217;ll also want to subscribe to our <strong>e-mail newsletter<\/strong> and keep an eye here on <strong>The Mac Security Blog<\/strong> for the latest Apple security and privacy news.<\/p>\n<p>You can also follow Intego on your favorite social and media channels: <a href=\"https:\/\/www.facebook.com\/Intego\" target=\"_blank\" rel=\"noopener\">Facebook<\/a>, <a href=\"https:\/\/www.instagram.com\/intego_security\/\" target=\"_blank\" rel=\"noopener\">Instagram<\/a>, <a href=\"https:\/\/twitter.com\/IntegoSecurity\" target=\"_blank\" rel=\"noopener\">Twitter<\/a>, and <a href=\"https:\/\/www.youtube.com\/user\/IntegoVideo?sub_confirmation=1\" target=\"_blank\" rel=\"noopener\">YouTube<\/a>\u00a0(click the ?\u00a0to get notified about new videos).<\/p>\n<p><span style=\"font-size: x-small;\">Image of metal chain with red link by <a href=\"http:\/\/www.ccpixs.com\/ccimages\/3d-strongest-link\/1022\/\" target=\"_blank\" rel=\"noopener\">ccPixs.com<\/a>; <a href=\"https:\/\/creativecommons.org\/licenses\/by\/3.0\/deed.en_US\" target=\"_blank\" rel=\"noopener\">CC BY 3.0<\/a>.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last week, Intego researchers discovered new Mac malware, OSX\/Linker, that attempts to leverage a recently disclosed zero-day flaw in macOS&#8217; Gatekeeper protection. Let&#8217;s examine what we know about this latest Mac malware campaign. What is the back story? 
Before digging into the OSX\/Linker malware, it would be helpful, for context, to discuss the &#8220;MacOS X [&hellip;]<\/p>\n","protected":false},"author":14,"featured_media":88384,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190],"tags":[2500,4492],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<meta name=\"description\" content=\"Last week, Intego researchers discovered new Mac malware, OSX\/Linker, that attempts to leverage a recently disclosed zero-day flaw in macOS&#039; Gatekeeper\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"OSX\/Linker: New Mac malware attempts zero-day Gatekeeper bypass - The Mac Security Blog\" \/>\n<meta property=\"og:description\" content=\"Last week, Intego researchers discovered new Mac malware, OSX\/Linker, that attempts to leverage a recently disclosed zero-day flaw in macOS&#039; Gatekeeper\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/\" \/>\n<meta property=\"og:site_name\" content=\"The Mac Security Blog\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/JoshLong\" \/>\n<meta property=\"article:published_time\" content=\"2019-06-24T16:34:19+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-07-01T07:07:53+00:00\" \/>\n<meta property=\"og:image\" 
content=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/red-link-in-chain-OSX-Linker-400x260.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"400\" \/>\n\t<meta property=\"og:image:height\" content=\"260\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@theJoshMeister\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Joshua Long\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\",\"name\":\"Intego\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"sameAs\":[],\"logo\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"width\":875,\"height\":875,\"caption\":\"Intego\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\"}},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"name\":\"The Mac Security Blog\",\"description\":\"Keep Macs safe from the dangers of the 
Internet\",\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/red-link-in-chain-OSX-Linker-400x260.jpg\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/red-link-in-chain-OSX-Linker-400x260.jpg\",\"width\":400,\"height\":260},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#webpage\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/\",\"name\":\"OSX\/Linker: New Mac malware attempts zero-day Gatekeeper bypass - The Mac Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#primaryimage\"},\"datePublished\":\"2019-06-24T16:34:19+00:00\",\"dateModified\":\"2019-07-01T07:07:53+00:00\",\"description\":\"Last week, Intego researchers discovered new Mac malware, OSX\/Linker, that attempts to leverage a recently disclosed zero-day flaw in macOS' 
Gatekeeper\",\"breadcrumb\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.intego.com\/mac-security-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"OSX\/Linker: New Mac malware attempts zero-day Gatekeeper bypass\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#webpage\"},\"author\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1\"},\"headline\":\"OSX\/Linker: New Mac malware attempts zero-day Gatekeeper 
bypass\",\"datePublished\":\"2019-06-24T16:34:19+00:00\",\"dateModified\":\"2019-07-01T07:07:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#webpage\"},\"wordCount\":1706,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/red-link-in-chain-OSX-Linker-400x260.jpg\",\"keywords\":[\"Gatekeeper\",\"OSX\/Linker\"],\"articleSection\":[\"Malware\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#respond\"]}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1\",\"name\":\"Joshua Long\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g\",\"caption\":\"Joshua Long\"},\"description\":\"Joshua Long (@theJoshMeister), formerly Intego\\u2019s Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master\\u2019s degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple\\u00a0ID authentication vulnerability. 
Josh has conducted cybersecurity research for well over 25 years, which is often featured by major news outlets worldwide. Keep up with Josh via X\/Twitter, LinkedIn, Facebook, Instagram, YouTube, Patreon, Mastodon, the JoshMeister on Security, and more. \\u2014\",\"sameAs\":[\"https:\/\/security.thejoshmeister.com\",\"https:\/\/www.facebook.com\/JoshLong\",\"https:\/\/www.instagram.com\/thejoshmeister\/\",\"https:\/\/www.linkedin.com\/in\/thejoshmeister\",\"https:\/\/www.pinterest.com\/thejoshmeister\/\",\"https:\/\/twitter.com\/theJoshMeister\",\"https:\/\/www.youtube.com\/@theJoshMeister\"],\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/author\/joshlong\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"description":"Last week, Intego researchers discovered new Mac malware, OSX\/Linker, that attempts to leverage a recently disclosed zero-day flaw in macOS' Gatekeeper","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/","og_locale":"en_US","og_type":"article","og_title":"OSX\/Linker: New Mac malware attempts zero-day Gatekeeper bypass - The Mac Security Blog","og_description":"Last week, Intego researchers discovered new Mac malware, OSX\/Linker, that attempts to leverage a recently disclosed zero-day flaw in macOS' Gatekeeper","og_url":"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/","og_site_name":"The Mac Security 
Blog","article_author":"https:\/\/www.facebook.com\/JoshLong","article_published_time":"2019-06-24T16:34:19+00:00","article_modified_time":"2019-07-01T07:07:53+00:00","og_image":[{"width":400,"height":260,"url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/red-link-in-chain-OSX-Linker-400x260.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_creator":"@theJoshMeister","twitter_misc":{"Written by":"Joshua Long","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Organization","@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization","name":"Intego","url":"https:\/\/www.intego.com\/mac-security-blog\/","sameAs":[],"logo":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","width":875,"height":875,"caption":"Intego"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo"}},{"@type":"WebSite","@id":"https:\/\/www.intego.com\/mac-security-blog\/#website","url":"https:\/\/www.intego.com\/mac-security-blog\/","name":"The Mac Security Blog","description":"Keep Macs safe from the dangers of the Internet","publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#primaryimage","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/red-link-in-chain-OSX-Linker-400x260.jpg","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/red-link-in-chain-OSX-Linker-400x260.jpg","width":400,"height":260},{"@type":"WebPage","@id":"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#webpage","url":"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/","name":"OSX\/Linker: New Mac malware attempts zero-day Gatekeeper bypass - The Mac Security Blog","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#primaryimage"},"datePublished":"2019-06-24T16:34:19+00:00","dateModified":"2019-07-01T07:07:53+00:00","description":"Last week, Intego researchers discovered new Mac malware, OSX\/Linker, that attempts to leverage a recently disclosed zero-day flaw in macOS' 
Gatekeeper","breadcrumb":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.intego.com\/mac-security-blog\/"},{"@type":"ListItem","position":2,"name":"OSX\/Linker: New Mac malware attempts zero-day Gatekeeper bypass"}]},{"@type":"Article","@id":"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#article","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#webpage"},"author":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1"},"headline":"OSX\/Linker: New Mac malware attempts zero-day Gatekeeper 
bypass","datePublished":"2019-06-24T16:34:19+00:00","dateModified":"2019-07-01T07:07:53+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#webpage"},"wordCount":1706,"commentCount":2,"publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/red-link-in-chain-OSX-Linker-400x260.jpg","keywords":["Gatekeeper","OSX\/Linker"],"articleSection":["Malware"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intego.com\/mac-security-blog\/osx-linker-new-mac-malware-attempts-zero-day-gatekeeper-bypass\/#respond"]}]},{"@type":"Person","@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1","name":"Joshua Long","image":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g","caption":"Joshua Long"},"description":"Joshua Long (@theJoshMeister), formerly Intego\u2019s Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master\u2019s degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple\u00a0ID authentication vulnerability. Josh has conducted cybersecurity research for well over 25 years, which is often featured by major news outlets worldwide. 
Keep up with Josh via X\/Twitter, LinkedIn, Facebook, Instagram, YouTube, Patreon, Mastodon, the JoshMeister on Security, and more. \u2014","sameAs":["https:\/\/security.thejoshmeister.com","https:\/\/www.facebook.com\/JoshLong","https:\/\/www.instagram.com\/thejoshmeister\/","https:\/\/www.linkedin.com\/in\/thejoshmeister","https:\/\/www.pinterest.com\/thejoshmeister\/","https:\/\/twitter.com\/theJoshMeister","https:\/\/www.youtube.com\/@theJoshMeister"],"url":"https:\/\/www.intego.com\/mac-security-blog\/author\/joshlong\/"}]}},"jetpack_featured_media_url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/red-link-in-chain-OSX-Linker-400x260.jpg","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4VAYd-mZ4","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/88354"}],"collection":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/comments?post=88354"}],"version-history":[{"count":14,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/88354\/revisions"}],"predecessor-version":[{"id":88639,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/88354\/revisions\/88639"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media\/88384"}],"wp:attachment":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media?parent=88354"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2
\/categories?post=88354"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/tags?post=88354"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}