Gatekeeper's Failure Once Again
"Even on a fully-patched OS X 10.11.2 system, Gatekeeper is trivial to bypass," Wardle wrote in a blog post. "So hackers can (re)start their trojan distributions while nation states can get back to MitM’ing HTTP downloads from the internet."
Gatekeeper's checks on a downloaded app include:
- Checking the initial digital certificate of the downloaded app
- Ensuring the app has been signed with an Apple-recognized developer certificate
- Ensuring the app originated from the official App Store
How to Bypass Gatekeeper in OS X?
- Identified an already-signed binary file (Binary A) that runs a separate app (Binary B) located in the same folder
- Renamed Binary A
- Swapped out the legitimate Binary B with a malicious one
- Then bundled the malicious file in the same folder under the same file name, Binary B
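The steps above turn on one gap: Gatekeeper validates the signature of the binary the user launches (Binary A), not the sibling executable (Binary B) that A goes on to run. A defender unpacking a download can close that gap by verifying every executable in the folder, not just the one Gatekeeper looked at. The following is an added example, not code from the article or from Wardle's write-up: it walks a folder, picks out Mach-O files by their magic bytes (including universal binaries, which share the `CAFEBABE` magic with Java class files and are told apart by the arch-count heuristic), and runs Apple's `codesign --verify --deep --strict` on each when that tool is present. The sample folder it builds, with `BinaryA`, `BinaryB`, a Java class and a text file, is constructed here for the demo and contains header stubs only, not real programs.

```python
import os
import shutil
import struct
import subprocess
import tempfile
from typing import Dict, List

# Thin Mach-O magics: 32/64-bit, in both byte orders.
THIN_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC
    b"\xce\xfa\xed\xfe",  # MH_CIGAM
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"   # universal (fat) binary, big-endian header
FAT_CIGAM = b"\xbe\xba\xfe\xca"   # byte-swapped fat header


def is_macho(header: bytes) -> bool:
    """Return True if the first 8 bytes of a file look like a Mach-O or fat binary."""
    if len(header) < 8:
        return False
    magic = header[:4]
    if magic in THIN_MAGICS:
        return True
    if magic in (FAT_MAGIC, FAT_CIGAM):
        # Java class files also start with CAFEBABE. A fat header stores the
        # number of architectures here (a small count), while a class file
        # stores its major version, which is 45 or more. Heuristic used by
        # file(1); treated as an assumption of this example.
        fmt = ">I" if magic == FAT_MAGIC else "<I"
        nfat_arch = struct.unpack(fmt, header[4:8])[0]
        return nfat_arch < 45
    return False


def find_executables(root: str) -> List[str]:
    """Walk a folder and return the path (relative to root) of every Mach-O file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if is_macho(fh.read(8)):
                        found.append(os.path.relpath(path, root))
            except OSError:
                continue  # unreadable entry; skip rather than abort the audit
    return sorted(found)


def verify_signature(path: str) -> str:
    """Ask codesign to verify one binary; 'unavailable' when codesign is not installed."""
    if shutil.which("codesign") is None:
        return "unavailable"  # not running on macOS
    result = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", path],
        capture_output=True, text=True,
    )
    return "signed" if result.returncode == 0 else "unsigned"


def audit_folder(root: str) -> Dict[str, str]:
    """Map every Mach-O in the folder to its signature status, siblings included."""
    return {rel: verify_signature(os.path.join(root, rel)) for rel in find_executables(root)}


def build_sample_folder() -> str:
    """Constructed demo folder: header stubs only, not real executables."""
    root = tempfile.mkdtemp(prefix="gatekeeper-audit-")
    samples = {
        "BinaryA": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,                     # 64-bit Mach-O stub
        "BinaryB": b"\xca\xfe\xba\xbe\x00\x00\x00\x02" + b"\x00" * 24,     # fat binary, 2 archs
        "Helper.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 24,  # Java class, major 52
        "README.txt": b"not an executable\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, status in audit_folder(build_sample_folder()).items():
        print(f"{status:12} {rel}")
```

On a Mac the report shows `unsigned` for both stubs (and would for any sibling executable a signed launcher quietly runs); elsewhere `codesign` is absent and the status is `unavailable`, but the enumeration still tells you which files would need checking. The point is the scope: a clean verdict on Binary A says nothing about Binary B.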