OSX/Linker


Posted: June 26, 2019

OSX/Linker is a Trojan that bypasses macOS security protections in order to execute code from a remote server. This functionality may facilitate the installation of other threats, with OSX/Linker serving as the 'Trojan horse' delivery method. Mac users can protect themselves by using additional anti-malware tools that delete OSX/Linker on sight and by not clicking on suspicious files matching this threat's profile.

A Link that's Well-Hidden in Security Loopholes

'Zero-day' and unpatched vulnerabilities are among the worst security risks for any PC or smartphone owner, since installing patches does nothing against them other than provide a false sense of safety. From May 2019 up to late June, Apple has been sitting on a publicly-disclosed vulnerability without bothering to correct the issue with an update, while threat actors take advantage of the situation. The result is OSX/Linker, a Trojan that uses data-packaging and retrieval methods to slip past built-in defenses.

OSX/Linker can run arbitrary code, most likely to download and install other, persistent threats, such as backdoor Trojans, spyware or adware. Ordinarily, a Trojan downloader of this type is detectable by the macOS Gatekeeper system. However, OSX/Linker relies on two easily-achievable anomalies in its structure to avoid being flagged: it packs its code inside a ZIP archive or an ISO or DMG disk image, and it uses a symlink (symbolic link) to contact a remote NFS server. The combination of obfuscation and indirect data calls lets OSX/Linker pass as benign.
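An added example, not taken from the original write-up or from any vendor's tooling: a Python check that lists the symlink entries in a ZIP archive whose targets resolve outside the archive, the structural trait described above. It assumes that a link to a remote mount shows up as an absolute target or as one that climbs out of the archive root; the sample archive and every path in it are constructed placeholders.

```python
import io
import posixpath
import stat
import zipfile


def risky_symlinks(zip_bytes):
    """Return (entry name, link target, reason) for each symlink entry
    whose target would resolve outside the extracted archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Unix-made ZIPs keep the file mode in the high 16 bits.
            mode = info.external_attr >> 16
            if not stat.S_ISLNK(mode):
                continue
            # For a symlink entry the stored "file data" is the link target.
            target = zf.read(info).decode("utf-8", "replace")
            # Assumption: a link to a network mount is absolute or escapes the root.
            if target.startswith("/"):
                reason = "absolute target"
            else:
                parent = posixpath.dirname(info.filename.rstrip("/"))
                resolved = posixpath.normpath(posixpath.join(parent, target))
                if resolved != ".." and not resolved.startswith("../"):
                    continue  # link stays inside the archive
                reason = "target climbs out of archive root"
            findings.append((info.filename, target, reason))
    return findings


def build_sample_zip():
    """Constructed sample: a regular file, an in-archive link, and a link
    to a placeholder absolute path standing in for a remote mount."""
    def add_link(zf, name, target):
        entry = zipfile.ZipInfo(name)
        entry.create_system = 3  # mark the entry as Unix-made
        entry.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(entry, target)

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Update/readme.txt", "constructed sample\n")
        add_link(zf, "Update/docs", "readme.txt")
        add_link(zf, "Update/Installer.app", "/constructed/remote-mount/Installer.app")
    return buf.getvalue()


if __name__ == "__main__":
    for name, target, reason in risky_symlinks(build_sample_zip()):
        print(f"{name} -> {target}: {reason}")
```

The check covers ZIP archives only; ISO and DMG images would need to be mounted or parsed with other tooling before their links can be inspected the same way.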

Although malware researchers see no evidence of attacks, with threat actors in the testing stages, OSX/Linker's samples show distinct connections to previous threat actors. OSX/Linker may have a future use as a dropper for OSX/SurfBuyer, an adware program for the same macOS environments. However, its theoretical application has few limits.

Severing the Link Between Your Mac and Trojans

For now, OSX/Linker samples disguise themselves as updates for Adobe's Flash. Fake updates for Flash, JavaScript, and other media-related services are a traditional tactic by which criminals trick victims into installing Trojans by mistake. Most users can avoid them easily by refusing any software updates that don't come from an official, company-endorsed link. Readers should note that many of these tests of the Trojan include hijacked digital certificates for misrepresenting the identity and safety of the file.

Since there is no patch for the Gatekeeper vulnerability yet, all versions of macOS are at risk from an OSX/Linker attack. Malware experts recommend installing additional security solutions with threat-detecting features as another layer of defense against any attacks. Anti-malware services rarely have issues with removing Trojan downloaders and should make catching and deleting OSX/Linker preemptively a straightforward procedure.

Trojan developers don't need new tools of convenience in their hands, but the flaws of technology and its human engineers express themselves daily. When a Trojan like OSX/Linker appears that skips past one security feature, the only sensible response is erecting more security after that first gate.