Hackers subvert MacOS Gatekeeper security to infect systems with malware

News by Rene Millman

Apple was alerted about the MacOS Gatekeeper security flaw on 22 February, but the issue was not fixed despite promising action within 90 days, says researcher

Security researchers have discovered that hackers have been using a zero-day flaw in macOS' Gatekeeper to infect Macs with malware. The attackers attempted to leverage a vulnerability that was publicly disclosed by security researcher Filippo Cavallarin on 24 May, according to a blog post by security software company Intego.

Cavallarin's vulnerability enables an attacker to gain access to a system by using a symbolic link (or "symlink", similar to an alias) that points to an app hosted on an attacker-controlled Network File System (NFS) server, creating a .zip archive containing that symlink, and getting a victim to download it. The app would not be checked by Apple's rudimentary XProtect bad-download blocker.
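A defender's check for the archive trick described above, as an added example that is not taken from Intego's or Cavallarin's write-ups: it lists the symlink entries stored in a .zip and flags any whose target is absolute or climbs out of the archive. The sample archive, its file names and its target paths are constructed for illustration.

```python
import io
import posixpath
import stat
import zipfile


def symlink_entries(zip_bytes):
    """Return (name, target) for every symlink stored in the archive."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16  # Unix mode bits written by the archiver
            if stat.S_ISLNK(mode):
                # For a symlink entry, the stored "file content" is the link target.
                target = zf.read(info).decode("utf-8", "replace")
                found.append((info.filename, target))
    return found


def escapes_archive(name, target):
    """True if the link target is absolute or resolves above the archive root."""
    if target.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), target))
    return resolved == ".." or resolved.startswith("../")


def suspicious_links(zip_bytes):
    """Symlinks that would lead outside the extracted folder."""
    return [(n, t) for n, t in symlink_entries(zip_bytes) if escapes_archive(n, t)]


def build_sample():
    """Constructed sample archive: one regular file and three symlinks."""
    links = [("Tool.app", "/some/remote/mount/Tool.app"),  # absolute target
             ("docs/latest", "readme.txt"),                # stays inside the archive
             ("docs/up", "../../outside")]                 # climbs above the root
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        for name, target in links:
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # mark the entry as created on Unix
            info.external_attr = (stat.S_IFLNK | 0o755) << 16
            zf.writestr(info, target)
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in suspicious_links(build_sample()):
        print(f"{name} -> {target}")
```

Run against a downloaded archive before extraction, a flagged entry means the unpacked item would point somewhere other than the archive's own contents.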

Researchers at Intego said the first known attempts to leverage Cavallarin's vulnerability, as a test for distributing malware, were detected last week.

Cavallarin says that he reported the vulnerability to Apple on 22 February, and Apple told him that the issue would be fixed within 90 days—but Apple missed its deadline, and Cavallarin believed that Apple was no longer responding to his e-mails, so he released his findings publicly via his blog.

"Although Cavallarin's vulnerability disclosure specifies a .zip compressed archive, the samples analysed by Intego were actually disk image files. It seems that malware makers were experimenting to see whether Cavallarin's vulnerability would work with disk images, too," said researchers.

The disk image files were either an ISO 9660 image with a .dmg file name, or an actual Apple Disk Image format .dmg file, depending on the sample. Normally, an ISO image has a .iso or .cdr file name extension, but .dmg (Apple Disk Image) files are much more commonly used to distribute Mac software. (Incidentally, several other Mac malware samples have recently been using the ISO format, possibly in a weak attempt to avoid detection by anti-malware software.)

Researchers said that Mac malware developers are actively experimenting with new ways of bypassing Apple's built-in protection mechanisms—and attackers are often successful in doing so.

"Unfortunately, it's a myth that Macs are somehow inherently safer than Windows PCs. Within the past month alone, there have been several new Mac malware campaigns (more on that in an upcoming article). Therefore, Mac users would be wise to take steps to actively protect themselves from malware threats," researchers warned.

Jake Moore, cyber-security specialist at ESET, told SC Media UK that this malware is clever enough to even trick the operating system’s own Gatekeeper program, which is predominantly made to keep such threats out of Mac’s ecosystem. 

"Although the fix isn’t out yet, the best thing users can really do here is simply just make sure they are running Mac antivirus software. Sadly, a large number of people still don’t have any protection for their Mac as many people believe that they are immune to malware which potentially makes them far more at risk. All files unknown to your machine should still be passed through a file scanner and be very cautious of downloading anything where you are unsure of its origin," he said.

Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that as Macs become more popular in the enterprise, it is only natural that criminals will go after them.

"In many cases, organisations can better protect their workforce not necessarily through technical controls, but through a mix of procedural and people controls," he said.

"Ensuring users don't download and attempt to run untrusted applications can go a long way in preventing infections. When we look at the majority of breaches - regardless of the OS - it can be attributed to human error. Therefore, having a better-trained and security-aware workforce can go a long way in thwarting attacks."
