On April 26, Apple published an update to macOS patching a security vulnerability disclosed to them by security researcher Cedric Owens. The vulnerability bypasses Gatekeeper checks by using stolen Apple Developer IDs, which were used to sign the malware. By signing the malware with these legitimate Apple certificates, the attackers can bypass all of the quarantine and security mechanisms that would normally prevent installation and execution. Attackers have already taken advantage of this vulnerability across multiple samples studied by Jamf and Patrick Wardle, with the final payload being Shlayer, a common loader for macOS.
By Akshay Rohatgi and Randy Pargman