
EV Certificates Exploited to Distribute Malware via macOS DMGs
Security analysts have recently observed a campaign against macOS systems in which malicious disk images (DMGs) are signed with legitimately issued Extended Validation (EV) certificates. The point of the technique is to borrow the trust attached to EV issuance: a signed image appears to come from a vetted publisher, both to the user who opens it and to any security control whose verification stops at "the signature validates".

EV certificates are high-assurance certificates issued only after rigorous vetting of the subject organization's legal identity. They are best known from HTTPS, where EV TLS certificates bind a domain to a verified legal entity. EV code-signing certificates apply the same vetting to software publishers, and it is this kind that matters here, since a TLS certificate lacks the code-signing usage and cannot sign software. Obtaining one means either passing a CA's identity checks, for example through a front company, or stealing the private key of a legitimate holder, which is what makes this distribution method comparatively costly and sophisticated compared with unsigned or ad-hoc-signed malware.

One caveat a macOS practitioner should keep in mind: Gatekeeper does not evaluate a certificate's EV status. It requires a signature from an Apple-issued Developer ID certificate, chaining to Apple Root CA, and on current macOS versions a notarization ticket from Apple; a DMG signed only with a third-party EV certificate does not satisfy that policy on its own. The EV signature's value to the attacker lies in defeating user judgment and third-party or enterprise tooling that treats any valid signature from a vetted publisher as a clean verdict, and in persuading users to click through the warning they do receive.

The implications are significant. Misuse of EV certificates undermines the trust model these certificates are meant to uphold: a control that asks only "is the signature valid and the certificate unrevoked?" will pass these files. Verification therefore has to go beyond certificate validity and ask who the signer actually is, whether the chain is the one the platform expects, whether the artifact is notarized, and what the image contains.

From an expert perspective, Certificate Authorities need to tighten EV vetting, monitor for misuse of certificates they have issued, and revoke promptly when abuse is reported. Users should be taught that a valid signature proves at most who signed the file, or who held the key, and says nothing about whether its contents are safe. Security tools need to inspect the contents of the DMG, for example by mounting it and scanning the payload, rather than relying on signatures alone.

In terms of actionable intelligence, organizations should monitor for EV-signed DMGs from publishers never seen before in their environment and for signing chains that do not match the platform's expected issuer. Incident response plans should include reporting abused EV certificates to the issuing CA for revocation and establishing whether the certificate was fraudulently obtained or stolen from a legitimate holder. Regular training sessions for users to recognize and report suspicious activity, even when files appear to be signed by trusted entities, are also crucial.
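As an added example (not code from the article or from Apple; the sample `codesign` output below is constructed, with hypothetical publisher names and Team IDs), the following POSIX shell script shows the kind of check the text calls for. Instead of stopping at "the signature validates", it parses the Authority chain that `codesign -dvvv` reports and distinguishes an Apple-issued Developer ID chain, which Gatekeeper accepts, from a signature under any other root, such as an EV code-signing CA, which Gatekeeper does not. On a Mac it can be pointed at a real DMG or app bundle; elsewhere it runs against the constructed samples.

```shell
#!/bin/sh
# Added example for this article (not code from the campaign write-up or from Apple):
# classify the signing chain of a macOS artifact from `codesign -dvvv` output.
# Gatekeeper trusts Apple-issued Developer ID certificates (chain ending in
# "Apple Root CA") plus notarization, not a third-party CA's EV status, so a
# signature that merely "validates" under some other root is a review item.

# classify_chain: read `codesign -dvvv` output on stdin (codesign writes it to
# stderr, so callers redirect 2>&1) and print one verdict word:
#   apple-developer-id  leaf is "Developer ID Application: ..." under Apple Root CA
#   apple-other         chains to Apple Root CA but the leaf is not Developer ID
#   non-apple           chains to some other root (e.g. an EV code-signing CA)
#   unsigned            no Authority= lines at all
classify_chain() {
  authorities=$(grep '^Authority=' | sed 's/^Authority=//' || true)
  if [ -z "$authorities" ]; then
    echo unsigned
    return 0
  fi
  leaf=$(printf '%s\n' "$authorities" | head -n 1)   # first Authority= is the leaf
  root=$(printf '%s\n' "$authorities" | tail -n 1)   # last Authority= is the root
  case "$root" in
    "Apple Root CA")
      case "$leaf" in
        "Developer ID Application: "*) echo apple-developer-id ;;
        *) echo apple-other ;;
      esac ;;
    *) echo non-apple ;;
  esac
}

# gatekeeper_would_accept VERDICT: yes/no on whether the signature requirement
# of Gatekeeper is met. Notarization is a separate requirement; see assess_dmg.
gatekeeper_would_accept() {
  case "$1" in
    apple-developer-id) echo yes ;;
    *) echo no ;;
  esac
}

# Constructed sample outputs (hypothetical publishers, paths and Team IDs).
SAMPLE_DEVID='Executable=/Volumes/Example/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

SAMPLE_EV='Executable=/Volumes/Installer/Installer.app/Contents/MacOS/Installer
Identifier=com.example.installer
Authority=Example Software Ltd
Authority=Example EV Code Signing CA
Authority=Example Root CA'

SAMPLE_UNSIGNED='Executable=/Volumes/Tool/tool
Identifier=tool
code object is not signed at all'

# assess_dmg PATH: on a Mac, run the real tools against a DMG or app bundle.
# `spctl -t open --context context:primary-signature` assesses a disk image
# the way Gatekeeper does; a non-notarized or non-Apple-signed image is rejected.
assess_dmg() {
  verdict=$(codesign -dvvv "$1" 2>&1 | classify_chain)
  echo "signing chain: $verdict (Developer ID: $(gatekeeper_would_accept "$verdict"))"
  spctl -a -vv -t open --context context:primary-signature "$1" 2>&1 || true
}

if [ -n "$1" ] && command -v codesign >/dev/null 2>&1; then
  assess_dmg "$1"
else
  for s in "$SAMPLE_DEVID" "$SAMPLE_EV" "$SAMPLE_UNSIGNED"; do
    v=$(printf '%s\n' "$s" | classify_chain)
    echo "$(printf '%s\n' "$s" | head -n 1): $v, Developer ID signature: $(gatekeeper_would_accept "$v")"
  done
fi
```

A "non-apple" verdict is exactly the case the article describes: the signature is cryptographically valid and the certificate may well be EV, yet it is not what macOS trusts, so the file should be routed for content inspection rather than waved through. The `spctl` call in `assess_dmg` adds the notarization side of Gatekeeper's decision, which no amount of Authority-line parsing can substitute for.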