CUPERTINO (Rixstep) — 'A macOS Gatekeeper vulnerability discovered by a security researcher last month has now been exploited in what appears to be a test by an adware company', reports 9to5Mac.
Actually the vulnerability wasn't discovered last month, but over ninety days ago.
'On MacOS X version <= 10.14.5 (at time of writing) it is possible to easily bypass Gatekeeper in order to execute untrusted code without any warning or user's explicit permission', writes Filippo Cavallarin in a 24 May update.
Cavallarin has a clip on YouTube that demonstrates how the exploit works.
Cavallarin first contacted Apple on 22 February of this year. Cavallarin says Apple acknowledged the issue. Cavallarin was led to believe the issue would be resolved, but he says that Apple began 'dropping' his email.
'Cavallarin acted responsibly in giving Apple 90 days to fix the vulnerability before disclosing it, but says that the company failed to do so and stopped responding to his emails', according to 9to5Mac.
Enter Intego
Security company Intego found an example of how the vulnerability is being exploited.
Calling it OSX/Linker, Intego discovered exploits using Apple's DMG file format instead of the ZIP format cited in Cavallarin's discussion. 'It seems that malware makers were experimenting to see whether Cavallarin's vulnerability would work with disk images', writes Joshua Long.
'The disk image files were either an ISO 9660 image with a .dmg file name, or an actual Apple Disk Image format .dmg file, depending on the sample.'
Intego observed four samples uploaded to VirusTotal on 6 June, all linking to one particular application on an Internet-accessible NFS server at 108.168.175.167.
The files were uploaded anonymously, according to Long. The sender IP of the first upload was in Israel, those of the three subsequent uploads were in the US. 'Since each successive file was uploaded a short time after each previous one, it seems reasonable to speculate that all four files may have been uploaded by the same person who forgot to mask the IP address after uploading the first sample', writes Long, who adds:
'Because one of the files was signed with an Apple Developer ID (as explained below) it is evident that the OSX/Linker disk images are the handiwork of the developers of the OSX/Surfbuyer adware.'
The NFS server in question is part of IBM Cloud.
Already Gone
The application referenced by the images is gone from the NFS server. Rather than being an attempt at an epidemic, it might have been part of a targeted attack, Long speculates. So was it really 'foul play'? Long explains.
'The disk images are disguised as Adobe Flash Player installers, which is one of the most common ways malware creators trick Mac users into installing malware.'
The fourth OSX/Linker disk image is code-signed by an Apple Developer ID - Mastura Fenny (2PVD64XRF3) - that has been used to sign literally hundreds of fake Flash Player files over the past 90 days.
Researcher Adam Thomas points out that it's possible to reconstruct the installer that was on the NFS server at the time: the app seems to have been a placeholder and little more, implying this run of the Gatekeeper hole was for testing purposes only. But as the app inside the images was dynamically linked, things could change at any time at server end.
Thomas and another researcher found the file Install.command on the NFS server which appends a text string to the same temporary text file.
#!/bin/bash
echo "VPNVPN" >> /tmp/out.txt
So?
Long begins his conclusion.
'Mac malware developers are actively experimenting with new ways of bypassing Apple's built-in protection mechanisms-and attackers are often successful in doing so.:
Then goes completely off the rails.
'Unfortunately, it's a myth that Macs are somehow inherently safer than Windows PCs.'
Perhaps it's just more wishful thinking on Intego's part. There's no doubt that the malware cottage industry would never have got off the ground without Windows. The slim pickings on Unix would never have been sufficiently attractive to the black hats.
Stockholm/London-based Rixstep are a constellation of programmers and support staff from Radsoft Laboratories who tired of Windows vulnerabilities, Linux driver issues, and cursing x86 hardware all day long. Rixstep have many years of experience behind their efforts, with teaching and consulting credentials from the likes of British Aerospace, General Electric, Lockheed Martin, Lloyds TSB, SAAB Defence Systems, British Broadcasting Corporation, Barclays Bank, IBM, Microsoft, and Sony/Ericsson.
Rixstep and Radsoft products are or have been in use by Sweden's Royal Mail, Sony/Ericsson, the US Department of Defense, the offices of the US Supreme Court, the Government of Western Australia, the German Federal Police, Verizon Wireless, Los Alamos National Laboratory, Microsoft Corporation, the New York Times, Apple Inc, Oxford University, and hundreds of research institutes around the globe. See here.