Home / Apple / Michael Tsai – Blog – Notarized Mac Malware

Michael Tsai – Blog – Notarized Mac Malware



Patrick Wardle:

Interestingly, Peter noticed the campaign coming from homebrew.sh, leveraged adware payloads were actually completely notarized! 😱

We can confirm that the payloads have actually been notarized via spctl command (note "source=Notarized Developer ID")[…]

As far as I know, this is a first: malicious code that gets Apple’s notarization “stamp of approval”.

[…]

As mentioned, Apple (fast-ish) revoked the developer’s code signing certificate (s) which were used to sign the harmful payloads. This happened on Friday 28. August.

Interestingly, as of Sunday, August 30, the advertising campaign was still live and served new payloads. Unfortunately, these new payloads are (still) notarized[…]

This is disappointing, as OSX.Shlayer is said to be the “most common”

; Mac malware, but still did not get notarized it. It is not clear if Apple finally managed to adapt, or if new binaries will still be approved at will. Perhaps the real benefit of notarization is not prevention, but rather that it allows related binaries to be found (because Apple can search in the previous filing) and is disabled earlier, before they have spread widely.

See also: Zack Whittaker, Thomas Reed, MacRumors, Lily Hay Newman, Nick Heer.

Former:

Code signing Mac macOS 10.15 Catalina Malware Notarization Security

Stay up to date by subscribing to the RSS feed for comments for this post.


Source link