Interestingly, Peter noticed the campaign (coming from homebrew.sh) leveraged adware payloads that were actually completely notarized! 😱
We can confirm that the payloads have actually been notarized via
"source=Notarized Developer ID")[…]
As far as I know, this is a first: malicious code that gets Apple’s notarization “stamp of approval”.[…]
As mentioned, Apple (fast-ish) revoked the developer's code signing certificate(s) which were used to sign the harmful payloads. This happened on Friday, August 28.
Interestingly, as of Sunday, August 30, the advertising campaign was still live and served new payloads. Unfortunately, these new payloads are (still) notarized[…]
This is disappointing, as OSX.Shlayer is said to be the “most common”
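The notarization check quoted above and the later certificate revocation both show up in Gatekeeper's assessment text. The following helper, added here and not taken from the quoted post, classifies that text so a defender can triage a downloaded installer; the sample outputs are constructed, and the revoked-certificate string (`CSSMERR_TP_CERT_REVOKED`, as reported by `codesign`) is an assumption about what the assessment contains.

```shell
#!/bin/sh
# Classify a Gatekeeper assessment from the text that
#   spctl --assess --verbose=4 --type execute "$path" 2>&1
# prints. Order matters: the notarized pattern is checked first, and
# "source=Notarized Developer ID" is never a substring of the
# "source=Unnotarized Developer ID" line (capital N vs lowercase n).
classify_assessment() {
  case "$1" in
    *"source=Notarized Developer ID"*)   echo "notarized" ;;
    *"CSSMERR_TP_CERT_REVOKED"*)         echo "revoked-certificate" ;;
    *"source=Unnotarized Developer ID"*) echo "developer-id-not-notarized" ;;
    *"source=Developer ID"*)             echo "developer-id-not-notarized" ;;
    *": accepted"*)                      echo "accepted-other" ;;
    *)                                   echo "rejected" ;;
  esac
}

# Wrapper for macOS hosts; spctl does not exist elsewhere.
assess_path() {
  if command -v spctl >/dev/null 2>&1; then
    classify_assessment "$(spctl --assess --verbose=4 --type execute "$1" 2>&1)"
  else
    echo "spctl-unavailable"
  fi
}

# Constructed samples (team ID and path are placeholders).
SAMPLE_NOTARIZED='/tmp/Installer.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'

SAMPLE_REVOKED='/tmp/Installer.app: rejected (CSSMERR_TP_CERT_REVOKED)
source=no usable signature'

SAMPLE_UNNOTARIZED='/tmp/Installer.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
```

A "notarized" verdict means Apple's automated scan passed the binary at submission time; as the quoted post shows, it is not evidence that the payload is benign.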
See also: Zack Whittaker, Thomas Reed, MacRumors, Lily Hay Newman, Nick Heer.