
Three months ago, a vulnerability was discovered in the Gatekeeper function, which is supposed to protect macOS from potentially harmful software. It didn't take long for the first attempts at abuse to appear.

Gatekeeper is designed to control which applications may run on a Mac. Software that is not signed by Apple is marked by the system as potentially dangerous and requires additional user permission before it can be installed.

However, security expert Filippo Cavallarin has uncovered a problem with the signature check itself: under certain conditions, the authenticity check can be bypassed completely.

In its current form, Gatekeeper treats external drives and network shares as "secure locations", meaning it allows any application in these locations to run without checking it again. A user can therefore be tricked into unknowingly mounting a shared drive or storage, and anything in that folder then runs without passing through Gatekeeper's check.

In other words, a single signed application can quickly open the way for many other, unsigned ones. Cavallarin dutifully reported the security flaw to Apple and then waited 90 days for a response. After this period he was entitled to publish the flaw, which he eventually did. No one from Cupertino responded to his report.

Vulnerability in the Gatekeeper feature in macOS
The first attempts to exploit the vulnerability lead to DMG files

Meanwhile, security firm Intego has uncovered attempts to exploit exactly this vulnerability. Late last week, the malware team discovered an attempt to distribute the malware using the method described by Cavallarin.

The bug originally described used a ZIP file. The new technique, on the other hand, tries its luck with a disk image file.

The disk image was either in ISO 9660 format with a .dmg extension, or directly in Apple's .dmg format. An ISO image commonly uses the extensions .iso or .cdr, but on macOS .dmg (Apple Disk Image) is much more common. It is not the first time that malware has used such files, apparently to evade anti-malware programs.
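The extension mismatch described above (an ISO 9660 image named .dmg) is something a triage script can spot from file structure alone. The following is an added example, not the article's or Intego's code: it checks for the ISO 9660 "CD001" volume descriptor and the Apple UDIF "koly" trailer and flags disk images whose extension does not match the detected format. The sample bytes are constructed, not taken from real samples.

```python
import os
import struct

ISO_PVD_OFFSET = 0x8000   # ISO 9660 volume descriptors start at sector 16 (2048-byte sectors)
ISO_MAGIC = b"CD001"      # standard identifier at byte 1 of every volume descriptor
UDIF_MAGIC = b"koly"      # Apple UDIF (.dmg) trailer magic: first 4 bytes of the last 512 bytes
UDIF_TRAILER = 512

def identify_disk_image(data: bytes) -> str:
    """Classify raw bytes as 'udif-dmg', 'iso9660' or 'unknown' by structure, not by name."""
    if len(data) >= UDIF_TRAILER and data[-UDIF_TRAILER:-UDIF_TRAILER + 4] == UDIF_MAGIC:
        return "udif-dmg"
    if len(data) >= ISO_PVD_OFFSET + 6 and data[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] == ISO_MAGIC:
        return "iso9660"
    return "unknown"

# Which container formats each extension is expected to carry on macOS.
EXPECTED = {".dmg": {"udif-dmg"}, ".iso": {"iso9660"}, ".cdr": {"iso9660"}}

def triage(filename: str, data: bytes) -> dict:
    """Flag files whose extension does not match the detected container format."""
    ext = os.path.splitext(filename)[1].lower()
    detected = identify_disk_image(data)
    mismatch = ext in EXPECTED and detected not in EXPECTED[ext]
    return {"file": filename, "ext": ext, "detected": detected, "mismatch": mismatch}

# Constructed sample images (synthetic bytes for testing, not real malware):
def make_iso() -> bytes:
    pvd = b"\x01" + ISO_MAGIC + b"\x01" + b"\x00" * 2041          # type 1 primary volume descriptor
    term = b"\xff" + ISO_MAGIC + b"\x01" + b"\x00" * 2041         # type 255 set terminator
    return b"\x00" * ISO_PVD_OFFSET + pvd + term

def make_dmg() -> bytes:
    # Minimal UDIF trailer: magic, version 4, header size 512, rest zeroed.
    trailer = UDIF_MAGIC + struct.pack(">II", 4, UDIF_TRAILER) + b"\x00" * (UDIF_TRAILER - 12)
    return b"\x00" * 4096 + trailer

if __name__ == "__main__":
    samples = [("FlashPlayer.dmg", make_iso()), ("Installer.dmg", make_dmg()), ("notes.bin", b"\x00" * 16)]
    for name, blob in samples:
        print(triage(name, blob))
```

A mismatch is a triage signal worth a closer look, not proof of malice; legitimate tooling occasionally produces oddly named images too.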

Intego found a total of four different samples uploaded to VirusTotal on June 6th. The individual submissions were hours apart, and all of them referenced a network path on the same NFS server.

The adware masquerades as an Adobe Flash Player installer

OSX/Surfbuyer adware disguised as Adobe Flash Player

Experts found that the samples are strikingly similar to the OSX/Surfbuyer adware, a family that annoys users not only while they browse the web.

The files were disguised as Adobe Flash Player installers, by far the most common lure used to convince users to install malware on their Mac. The fourth sample was signed by the developer account Mastura Fenny (2PVD64XRF3), which has been used for hundreds of fake Flash installers in the past, all of them OSX/Surfbuyer adware.

So far, the captured samples have done nothing but temporarily create a text file. Because the applications in the disk images were linked dynamically to the network share, the server-side content could be changed at any time without editing the distributed disk image. It is therefore likely that the creators, after this testing phase, have already deployed "production" applications containing the actual malware, which would not have needed to pass through VirusTotal at all.

Intego reported this developer account to Apple so that its code-signing certificate can be revoked.

For added security, users are advised to install apps primarily from the Mac App Store and to think about their origin when installing apps from external sources.

Source: 9to5Mac
