Cybersecurity researchers from Intego, a software company specializing in security solutions for Mac systems, have issued a warning regarding an unpatched security vulnerability in Apple's macOS Gatekeeper security feature, the details and proof of concept (PoC) for which were first announced in May of this year.
Last week, Intego's team discovered four samples of new macOS malware on VirusTotal that exploited the Gatekeeper bypass vulnerability and were able to execute malicious code on macOS without displaying any warning or asking users for permission prior to installation.
The newly discovered malware, dubbed OSX/Linker, has not yet resulted in a major outbreak and appears to still be under development at this point. The samples seem to leverage the unpatched Gatekeeper bypass flaw, but are not downloading malicious apps from the attacker's server at this juncture.
Gatekeeper is a mechanism developed by Apple and included in Mac OS X since 2012. Its purpose is to enforce code signing and to verify the safety of downloaded applications before allowing them to run.
Just how exactly does this infect your Mac?
macOS treats applications loaded from a network share differently than apps downloaded from the Internet. OSX/Linker creates a symbolic link, or "symlink," which is essentially an alias, pointing to the files of an app hosted on an attacker-controlled Network File System (NFS) server. After creating a .zip archive containing that symlink and getting a victim to download it, the app reached through the symlink would not trigger the default check by Apple's XProtect bad-download blocker.
In other words, this method makes it easier for malware to infect a Mac, despite Apple's built-in signature check that is supposed to protect your Mac from such malware.