EXECUTIVE SUMMARY
Researchers have seen a rise in macOS attacks where attackers use real Developer ID signatures to sign malicious disk images. These signed DMGs look legitimate to macOS checks and common scanners, so they often go unnoticed during initial delivery. The installers are spread through phishing pages and compromised sites that pretend to offer normal apps. One sample used a signer name as its bundle identifier to blend in with real software. Even though the signing credentials are revoked after the samples are reported, that revocation often happens too late to stop the first wave of infections.
The main point is simple: attackers are buying or obtaining trusted signing materials to make their downloads look real and to slip past basic checks. The attack starts with a signed DMG that runs an AppleScript when mounted. The script uses a shell command to download and run an installer script from a remote site. That script fetches an ARM64 payload which then writes a LaunchAgent file into the user LaunchAgents folder, so the malware restarts at login. Because the DMG and the contained binary are signed with a valid Developer ID, Gatekeeper and some automatic scans do not flag the files, letting the installer run without alerts. The payload's code contains hardcoded links to the download host, making the chain simple: signed container → downloader script → architecture-specific binary → persistence via LaunchAgent. Revoking the signing identity stops new signed builds but does not remove already installed malware.
This campaign shows attackers will pay for trust to get quick access to systems. By using valid signing materials, they reduce the chance of detection during distribution and rely on users or scanners to accept signed software. Revocation helps but is reactive and often arrives after initial installs succeed. The takeaway is that signature validity alone is not a full guarantee of safety, and these attacks highlight the limits of relying only on signing checks to decide if software is safe.
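The chain above ends in a LaunchAgent pointing at a validly signed binary, and the takeaway is that a valid signature is not by itself a trust decision. The following triage helper is an added example, not code from the report or from any vendor named in it: it parses a LaunchAgent plist and the key=value output of `codesign -dvv` (which macOS prints to stderr) and flags the combination the report describes: RunAtLoad persistence from a hidden or scratch path, a Developer ID chain whose Team ID is not on a local allowlist, and a bundle identifier that simply reuses the signer's name. The plist, the codesign output, the team IDs and the paths are constructed placeholders; on a real host the same functions would be fed `~/Library/LaunchAgents/*.plist` and the codesign output for each referenced program.

```python
"""Triage a LaunchAgent plus the code signature of the program it launches.

Added example (not from the report). All sample data below is constructed;
the allowlisted Team ID and the paths are placeholders.
"""
import plistlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed LaunchAgent shaped like the persistence file described in the
# report: RunAtLoad, program under a hidden directory in the user's home.
SAMPLE_LAUNCH_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/.upd/upd-arm64</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed `codesign -dvv` output for that program: a *valid* Developer ID
# chain, but the signer and Team ID are not ones this organisation trusts, and
# the Identifier is just the signer's name (the trick noted in the summary).
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Users/alice/Library/Application Support/.upd/upd-arm64
Identifier=John Doe
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: John Doe (ZZZZ000000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZ000000
"""

# Team IDs the organisation has decided to trust (placeholder value).
ALLOWED_TEAM_IDS = {"ABCDE12345"}

# Locations a legitimate login item rarely runs from: hidden directories,
# scratch space, the Downloads folder.
SUSPICIOUS_PATH_PATTERNS = [
    re.compile(r"/\.[^/]+/"),            # any hidden path component
    re.compile(r"^/(private/)?tmp/"),
    re.compile(r"^/Users/[^/]+/Downloads/"),
    re.compile(r"^/Users/Shared/"),
]

DEVELOPER_ID_RE = re.compile(r"^Developer ID Application: (.+?) \(([A-Z0-9]+)\)$")


@dataclass
class Finding:
    program: str
    team_id: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_launch_agent(data: bytes) -> Tuple[str, str, bool]:
    """Return (Label, program path, RunAtLoad) from a LaunchAgent plist."""
    p = plistlib.loads(data)
    args = p.get("ProgramArguments") or []
    program = p.get("Program") or (args[0] if args else "")
    return p.get("Label", ""), program, bool(p.get("RunAtLoad", False))


def parse_codesign(output: str) -> Dict[str, object]:
    """Parse key=value lines of `codesign -dvv`; Authority lines repeat (the chain)."""
    info: Dict[str, object] = {"Authority": []}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def signer_common_name(authorities: List[str]) -> Optional[str]:
    """Extract the leaf signer name from 'Developer ID Application: Name (TEAMID)'."""
    for auth in authorities:
        m = DEVELOPER_ID_RE.match(auth)
        if m:
            return m.group(1)
    return None


def triage(plist_data: bytes, codesign_output: str, allowed_team_ids=ALLOWED_TEAM_IDS) -> Finding:
    """Combine persistence and signature facts into a list of review flags."""
    _label, program, run_at_load = parse_launch_agent(plist_data)
    info = parse_codesign(codesign_output)
    authorities = info["Authority"]
    team_id = info.get("TeamIdentifier")
    finding = Finding(program=program, team_id=team_id)

    # A valid Developer ID chain is necessary, not sufficient: the Team ID must be trusted.
    if not authorities:
        finding.flags.append("unsigned-or-adhoc")
    elif any(DEVELOPER_ID_RE.match(a) for a in authorities) and team_id not in allowed_team_ids:
        finding.flags.append("signed-by-unexpected-team")

    # Login persistence from a hidden or scratch location.
    if run_at_load and any(pat.search(program) for pat in SUSPICIOUS_PATH_PATTERNS):
        finding.flags.append("run-at-load-from-suspicious-path")

    # Bundle identifier that merely reuses the signer's name instead of a reverse-DNS id.
    if signer_common_name(authorities) and info.get("Identifier") == signer_common_name(authorities):
        finding.flags.append("identifier-equals-signer-name")
    return finding


if __name__ == "__main__":
    print(triage(SAMPLE_LAUNCH_AGENT, SAMPLE_CODESIGN_OUTPUT))
```

The allowlist is the point of the design: `codesign` and Gatekeeper will both answer "valid" for the sample, so the check asks a different question, namely whether this Team ID is one the organisation expects to see persisting at login from that path. Revocation later changes the codesign verdict, but an allowlist catches the first wave before that happens.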
THREAT PROFILE:
Tactic | Technique ID | Technique | Sub-technique |
---|---|---|---|
Resource Development | T1588.003 | Obtain Capabilities | Code Signing Certificates |
Initial Access | T1566.002 | Phishing | Spearphishing Link |
Initial Access | T1204.002 | User Execution | Malicious File |
Execution | T1059.002 | Command and Scripting Interpreter | AppleScript |
Execution | T1569.001 | System Services | Launchctl |
Persistence | T1543.001 | Create or Modify System Process | Launch Agent |
Defense Evasion | T1553.002 | Subvert Trust Controls | Code Signing |
Command & Control | T1105 | Ingress Tool Transfer | – |
MBC MAPPING:
Objective | Behaviour ID | Behaviour |
---|---|---|
Defense Evasion | F0016 | Install Certificate |
Execution | E1204 | User Execution |
Anti-Static Analysis | B0032.018 | Symbol Obfuscation |
Command and Control | C0002.002 | HTTP Communication (Client) |
Persistence | F0012 | Registry Run Keys / Startup Folder |
Anti-Behavioral Analysis | B0007.003 | Human User Check |
Lateral Movement | E1105 | Ingress Tool Transfer |
REFERENCES:
The following reports contain further
https://cybersecuritynews.com/hackers-abuse-ev-certificates/
https://x.com/g0njxa/status/1973076165846839511