The following is a collection of some of the recent samples collected from Swiss campaigns targeting OS X victims.
The payloads are signed with developer certificates, presumably stolen, which lets them bypass the macOS security feature known as Gatekeeper. It is not clear how these accounts are being used, or whether the actors are using pseudonyms to avoid suspicion; some samples are listed below. You can use the codesign command with the relevant parameters to identify the signing status of an app bundle.
All macOS apps need a manifest file known as Info.plist, which includes a MachineOSBuild tag. In this case it was 13F1911, a build commonly known as OS X Mavericks, which means the samples were likely built in a virtual machine or the developer is running an older OS.
The samples are UPX packed.
I've just uploaded one single sample for researchers to analyse; Apple is actively investigating the misuse of these certificates.
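The three checks above (codesign status, the MachineOSBuild tag in Info.plist, and UPX packing) can be scripted for triage. The following is an added example written for this post, not code from the original author or from the campaign samples. It assumes a standard bundle layout (`Contents/Info.plist`, `Contents/MacOS/<executable>`), uses the real `codesign -dv --verbose=4` invocation when the tool is present (macOS only; elsewhere the signing check is skipped), and looks for the `UPX!` marker that UPX leaves in packed executables unless it has been scrubbed. The Darwin-major-to-release table and the sample Info.plist are constructed for the example.

```python
"""Triage helpers for a suspicious macOS app bundle: signing status,
Info.plist build tag and UPX packing. Added example, not from the post."""
import plistlib
import re
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Darwin kernel major (leading digits of MachineOSBuild) -> marketed release.
# Constructed lookup table covering the releases relevant to this post.
DARWIN_TO_RELEASE = {
    12: "OS X 10.8 Mountain Lion",
    13: "OS X 10.9 Mavericks",
    14: "OS X 10.10 Yosemite",
    15: "OS X 10.11 El Capitan",
    16: "macOS 10.12 Sierra",
}

# Marker UPX writes into packed executables (absent if the packer was modified).
UPX_MARKER = b"UPX!"


def machine_os_build(plist_bytes: bytes) -> Optional[str]:
    """Return the MachineOSBuild value from Info.plist data, or None if absent."""
    info = plistlib.loads(plist_bytes)
    return info.get("MachineOSBuild")


def build_to_release(build: str) -> str:
    """Map a build tag such as '13F1911' to the OS release that produced it."""
    m = re.match(r"^(\d+)[A-Z]\d+", build)
    if not m:
        return "unknown build format"
    return DARWIN_TO_RELEASE.get(int(m.group(1)), "unknown Darwin %s" % m.group(1))


def is_upx_packed(data: bytes) -> bool:
    """Heuristic: the UPX marker string is present somewhere in the executable."""
    return UPX_MARKER in data


def codesign_status(bundle: Path) -> Optional[str]:
    """Run codesign on the bundle if available (macOS only); None otherwise."""
    if shutil.which("codesign") is None:
        return None
    proc = subprocess.run(
        ["codesign", "-dv", "--verbose=4", str(bundle)],
        capture_output=True, text=True,
    )
    return proc.stderr.strip()  # codesign writes its report to stderr


def triage_bundle(bundle: Path) -> dict:
    """Collect the three indicators for one .app bundle."""
    info_plist = bundle / "Contents" / "Info.plist"
    build = machine_os_build(info_plist.read_bytes()) if info_plist.exists() else None
    packed = [
        exe.name for exe in (bundle / "Contents" / "MacOS").glob("*")
        if exe.is_file() and is_upx_packed(exe.read_bytes())
    ]
    return {
        "machine_os_build": build,
        "built_on": build_to_release(build) if build else "no MachineOSBuild tag",
        "upx_packed_executables": packed,
        "codesign": codesign_status(bundle),
    }


# Constructed Info.plist carrying the build tag seen in the samples.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>CFBundleExecutable</key><string>Sample</string>
<key>MachineOSBuild</key><string>13F1911</string>
</dict></plist>
"""


def build_sample_bundle(root: Path) -> Path:
    """Lay out a constructed bundle with a fake UPX-packed Mach-O for a dry run."""
    bundle = root / "Sample.app"
    (bundle / "Contents" / "MacOS").mkdir(parents=True)
    (bundle / "Contents" / "Info.plist").write_bytes(SAMPLE_INFO_PLIST)
    # 64-bit Mach-O magic followed by the UPX marker; not a real executable.
    (bundle / "Contents" / "MacOS" / "Sample").write_bytes(b"\xcf\xfa\xed\xfe" + UPX_MARKER)
    return bundle


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage_bundle(build_sample_bundle(Path(tmp))))
```

Run it against a real bundle with `triage_bundle(Path("/path/to/Suspect.app"))`; on a non-macOS analysis box the `codesign` field is `None` and the other two indicators still come back.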
- 11/05 notified Apple Security
- 13/05 confirmed incident with Apple Security
- 17/05 shared developer identities with Apple