Mac security researchers have identified a new malware program designed to exploit a recently disclosed zero-day Gatekeeper bypass in macOS, a flaw that Apple has not yet patched.

According to Joshua Long, chief security analyst at Intego, the malware, named OSX/Linker, appears to have been created by the same developers behind OSX/Surfbuyer, an adware program that also targets Mac users.

Gatekeeper is a macOS feature that enforces code-signing checks on downloaded applications and verifies them before they are allowed to run.

However, on May 24, independent researcher Filippo Cavallarin publicly disclosed that attackers could sneak malicious apps past Gatekeeper by hosting them on an attacker-controlled Network File System (NFS) server, creating a symbolic link (symlink) to the app (the link target sits under the macOS automounter path /net/, so the victim's machine mounts the remote share when the link is followed), and then tricking prospective victims into downloading a .zip archive containing that symlink.

The trick works because Gatekeeper treats apps loaded from network shares and external drives as safe to run, unlike files downloaded from the internet, so the app on the remote share is never subjected to Gatekeeper's checks.
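A practitioner reading the description above will want a concrete check for the delivery artifact: a downloaded .zip whose entries include a symlink pointing at a network or automount path. The following Python scanner is an added example, not code from Intego, Cavallarin or the OSX/Linker authors. It reads the Unix mode bits that zip entries carry, extracts the target of every symlink entry, and flags targets under /net/ (the macOS automounter prefix) or /Volumes/, absolute targets generally, and relative targets that climb out of the archive with "..". The sample archive, the prefix list and the attacker hostname evil.example.com are all constructed here for illustration.

```python
"""Scan a .zip archive for symlink entries that could carry a Gatekeeper bypass.

Added example, not from the Intego or Cavallarin write-ups. The archive
scanned here is constructed in memory; no real download is involved.
"""
import io
import stat
import zipfile

# Assumption: these prefixes are where a symlink target lands on storage that
# Gatekeeper treats as trusted (/net/ is the macOS NFS automounter path,
# /Volumes/ is where mounted shares and external drives appear).
SUSPICIOUS_PREFIXES = ("/net/", "/Volumes/")


def find_suspicious_symlinks(zip_bytes):
    """Return a list of (entry_name, link_target, reason) for risky symlinks."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Unix permission/type bits live in the high 16 bits of external_attr.
            mode = info.external_attr >> 16
            if not stat.S_ISLNK(mode):
                continue
            # For a symlink entry, the stored "file data" is the link target.
            target = zf.read(info).decode("utf-8", errors="replace")
            if target.startswith(SUSPICIOUS_PREFIXES):
                reason = "points at network/automount path"
            elif target.startswith("/"):
                reason = "absolute target outside the archive"
            elif ".." in target.split("/"):
                reason = "relative target escapes the archive"
            else:
                continue  # ordinary intra-archive symlink, not flagged
            findings.append((info.filename, target, reason))
    return findings


def build_sample_zip(link_target="/net/evil.example.com/share/Flash Player.app"):
    """Constructed sample: one benign file plus one symlink with the given target.

    The default target mimics the disclosed technique: an app hosted on an
    attacker-controlled NFS server (hypothetical host evil.example.com),
    reached through the automounter path /net/.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "nothing to see here\n")
        link = zipfile.ZipInfo("Flash Player.app")
        # Mark the entry as a symlink: S_IFLNK plus mode bits in the high word.
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, link_target)
    return buf.getvalue()


if __name__ == "__main__":
    for name, target, reason in find_suspicious_symlinks(build_sample_zip()):
        print(f"{name} -> {target}: {reason}")
```

Running the block prints the one flagged entry in the constructed archive. Pointing `find_suspicious_symlinks` at the bytes of a real download (for example from a mail gateway or a download-folder watcher) turns it into a simple pre-execution triage check; it does not replace Gatekeeper, and it will not see symlinks inside a disk image, which the OSX/Linker samples described below used instead of a .zip.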

Intego researchers found four samples of OSX/Linker uploaded to VirusTotal on June 6. Rather than a .zip archive containing a symlink, however, the developers used disk image files disguised as Adobe Flash Player installers, perhaps to test whether the exploit would still work when delivered that way. All four samples were linked to an app hosted on an internet-accessible NFS server owned by SoftLayer (part of IBM Cloud).

For reasons that remain unknown, the app has since been removed. Further analysis showed that the app appeared to be “a placeholder that did not do much other than create a temporary text file,” Long said. Intego researchers therefore believe that, at the time of detection, the developers possibly “were merely conducting some detection testing reconnaissance.” The threat could have become far more serious had the developers swapped the harmless placeholder for a malicious payload.

Each VirusTotal sample was uploaded within hours of the creation of its corresponding disk image, which, depending on the sample, was either an ISO 9660 image given a .dmg file name or a genuine Apple Disk Image (.dmg) file. The disk images impersonated Adobe Flash Player installers, a common disguise in Mac malware campaigns.

“It is not clear whether any of these specific disk images were ever part of an in-the-wild malware campaign,” Long reported. “It is possible that these disk images, or subsequent disk images, may have been used in small-scale or targeted attacks, but so far this remains unknown.”
