macOS DMG Disk Image Phishing

Attackers deliver malware via links to DMG disk images, exploiting user trust in the familiar macOS installation flow to bypass Gatekeeper protections.

MITRE ATT&CK: T1566.002

Timeline: The Cat and Mouse

2019 ← Attack emerges → 2022 ← Explodes → 2024 ← Defenses lag → Present

The Evolution

| Phase | Period | What Happened |
|---|---|---|
| CONTEXT | 2012 | Gatekeeper introduced; unsigned apps blocked by default |
| ATTACK | 2019-2021 | Occasional macOS malware; most attacks still Windows-focused |
| EXPLOSION | 2022 | Enterprise macOS adoption rises; attackers follow |
| | 2023 | MetaStealer, AMOS, Realst, MacStealer emerge |
| RESPONSE | 2019 | Notarization requirement for apps |
| | 2023 | XProtect updates for new stealer families |
| CURRENT | 2024+ | User-bypassable Gatekeeper remains fundamental weakness |

Key Events with Sources

| Date | Event | Significance | Source |
|---|---|---|---|
| 2012 | Gatekeeper introduced | macOS blocks unsigned apps by default | Apple |
| 2019 | Notarization required | Apps must be scanned by Apple for malware | Apple Developer |
| Sep 2023 | MetaStealer discovered | Go-based stealer targeting businesses via DMG | SentinelOne |
| 2023 | AMOS (Atomic Stealer) | MaaS stealer sold on Telegram; widespread distribution | Cyble |
| 2024 | Banshee stealer | Continues DMG delivery trend; targets crypto | Objective-See |

Overview

macOS disk image (DMG) phishing mirrors the Windows ISO/IMG container technique but exploits macOS-specific user behaviors and security gaps. Attackers send emails containing links to DMG files hosted externally. When users download, mount, and run the application inside, they often bypass Gatekeeper by following social engineering instructions to right-click and “Open” unsigned apps.

The Attack

Why DMG Files?

DMG is the standard macOS software distribution format. Users are conditioned to:

  1. Download .dmg files
  2. Double-click to mount
  3. Drag app to Applications (or double-click to run)

This familiarity is exploited: users don’t question DMG files the way they might question .exe files.

Attack Flow

┌──────────────────────────────────────────────────────────────┐
│  EMAIL                                                       │
│                                                              │
│  Subject: Updated Client Portal - Action Required            │
│                                                              │
│  Please download and install the updated client portal:      │
│  https://client-portal-update[.]com/ClientPortal.dmg         │
│                                                              │
│  [No attachment - link to external DMG]                      │
└──────────────────────────────────────────────────────────────┘
                          │
                          ▼
┌──────────────────────────────────────────────────────────────┐
│  USER DOWNLOADS DMG                                          │
│                                                              │
│  ~/Downloads/ClientPortal.dmg                                │
│  Extended attribute: com.apple.quarantine (set by browser)   │
└──────────────────────────────────────────────────────────────┘
                          │
                          ▼
┌──────────────────────────────────────────────────────────────┐
│  USER MOUNTS DMG                                             │
│                                                              │
│  /Volumes/ClientPortal/                                      │
│  ├── ClientPortal.app      ← Unsigned malicious app          │
│  └── README.txt            ← "Right-click > Open to install" │
└──────────────────────────────────────────────────────────────┘
                          │
                          ▼
┌──────────────────────────────────────────────────────────────┐
│  GATEKEEPER BLOCKS (First Attempt)                           │
│                                                              │
│  "ClientPortal.app" cannot be opened because it is from      │
│  an unidentified developer.                                  │
│                                                              │
│  [Move to Trash]  [Cancel]                                   │
└──────────────────────────────────────────────────────────────┘
                          │
                          ▼
┌──────────────────────────────────────────────────────────────┐
│  USER FOLLOWS INSTRUCTIONS (Right-click > Open)              │
│                                                              │
│  "ClientPortal.app" is from an unidentified developer.       │
│  Are you sure you want to open it?                           │
│                                                              │
│  [Cancel]  [Open]  ← User clicks Open                        │
└──────────────────────────────────────────────────────────────┘
                          │
                          ▼
              Malware executes with user privileges

Gatekeeper Bypass via Social Engineering

The key insight: Gatekeeper can always be bypassed by the user. Attackers simply instruct them how:

README.txt contents:

Installation Instructions:
--------------------------
If you see "cannot be opened" error:
1. Right-click (or Control-click) the application
2. Select "Open" from the menu
3. Click "Open" in the dialog

This is required for applications from verified partners.

Users trust these instructions because:

  • They’ve encountered Gatekeeper legitimately before
  • The workaround is well-known
  • The lure seems professional

macOS Security Model

Quarantine Attribute:

$ xattr -l ~/Downloads/malware.dmg
com.apple.quarantine: 0083;65a1234b;Safari;12345678-1234-1234-1234-123456789ABC

This attribute:

  • Set automatically by browsers, email clients, and AirDrop
  • Triggers Gatekeeper check on first execution
  • Survives copy operations (usually)

Gatekeeper Levels:

| Setting | Allows |
|---|---|
| App Store only | Only App Store apps |
| App Store and identified developers | Signed + Notarized apps |
| Anywhere (hidden) | Requires CLI to enable |

Default is “App Store and identified developers”, but the right-click bypass works regardless.

MetaStealer Campaign

MetaStealer (2023-present) exemplifies this technique:

Delivery:

  • Targets businesses via email
  • Poses as client/vendor communication
  • Links to DMG hosted on attacker infrastructure

Payload:

  • Go-based infostealer
  • Steals Keychain passwords
  • Exfiltrates browser data, crypto wallets
  • Targets Slack, Telegram credentials

DMG Contents:

/Volumes/MetaStealer-Lure/
├── Adobe Photoshop 2023.app    ← Malicious, icon matches real Photoshop
└── Install.txt                 ← Right-click bypass instructions

Other macOS Stealers Using DMG Delivery

| Malware | First Seen | Target Data |
|---|---|---|
| MetaStealer | 2023 | Keychain, browsers, crypto |
| AMOS (Atomic) | 2023 | Keychain, browsers, crypto |
| Realst | 2023 | Crypto wallets |
| MacStealer | 2023 | Keychain, browser data |
| Banshee | 2024 | Keychain, browsers, crypto |

The 2023 surge in macOS stealers directly correlates with increased enterprise macOS adoption.

Email Gateway Evasion:

  • DMG attachments increasingly blocked
  • Links to external hosting bypass attachment scanning
  • Hosting on compromised legitimate sites adds reputation

Payload Flexibility:

  • Update malware without resending emails
  • A/B test different payloads
  • Take down quickly if detected

Common Hosting:

  • Compromised WordPress sites
  • Cloud storage (Google Drive, Dropbox)
  • Attacker-controlled lookalike domains
  • CDN/file sharing services

Defenses

Gatekeeper and Notarization

What Gatekeeper Checks:

  1. Code signature validity
  2. Developer ID certificate status (not revoked)
  3. Notarization ticket from Apple

Notarization (2019+):

  • Developers submit apps to Apple for automated scanning
  • Apple issues a “ticket” if no malware is detected
  • Apps without notarization show strong warnings

Limitation: Users can still bypass with right-click > Open.

XProtect

Apple’s built-in malware signatures:

  • Updated silently via background process
  • Blocks known malware families
  • Limited to signature-based detection

Limitation: New/obfuscated variants evade signatures.

Quarantine Enforcement

Ensure quarantine attributes propagate:

  • Don’t disable Gatekeeper organization-wide
  • Monitor for xattr -d com.apple.quarantine commands
  • Some apps strip quarantine on extraction

MDM Controls

Enterprise management can:

  • Enforce Gatekeeper settings
  • Block unsigned app execution
  • Whitelist only approved applications
  • Alert on Gatekeeper bypass attempts

User Training

Critical points for macOS users:

  • Legitimate software doesn’t need right-click bypass
  • Verify downloads through official channels
  • Be suspicious of DMG links in email
  • Report requests to bypass security warnings

Attacker Adaptation

Signed Malware

Attackers obtain Apple Developer IDs:

  • Stolen credentials
  • Fraudulent registrations
  • Purchased accounts

Signed malware passes Gatekeeper until Apple revokes the certificate.

Response: Apple revokes certificates, but there’s a window of exposure.

Notarization Abuse

Some attackers have successfully notarized malware:

  • Apple’s automated scanning isn’t perfect
  • Heavily obfuscated code may pass
  • Apple revokes once discovered

Trojanized Legitimate Apps

Instead of obvious malware:

  1. Take legitimate open-source app
  2. Add malicious code
  3. Repackage as DMG
  4. Distribute via phishing

User gets working software + malware.

AppleScript Droppers

Instead of compiled apps:

/Volumes/Malicious/
├── Install.app                 ← AppleScript applet
└── .hidden/payload             ← Actual malware

AppleScript runs shell commands, downloads/executes payload.

Current State

Status: Active

macOS phishing via DMG continues to grow:

| Factor | Impact |
|---|---|
| Enterprise macOS adoption | Larger target population |
| “Macs don’t get viruses” myth | Users less cautious |
| User-bypassable Gatekeeper | Social engineering effective |
| Stealer-as-a-service market | Low barrier for attackers |

Platform Comparison

| Aspect | Windows (ISO) | macOS (DMG) |
|---|---|---|
| Container format | ISO, IMG, VHD | DMG, PKG |
| Security gate | SmartScreen, MOTW | Gatekeeper, Quarantine |
| User bypass | Click through warning | Right-click > Open |
| Enterprise control | AppLocker, WDAC | MDM, Gatekeeper policies |
| 2022 patch | MOTW propagation | N/A (user bypass remains) |

Detection Guidance

Email Indicators

Flag emails with:

  • Links to DMG files (especially non-vendor domains)
  • Software update themes targeting macOS users
  • Instructions to bypass security warnings

Endpoint Detection

Process Monitoring:

# Suspicious: App launched directly from a mounted DMG (pseudo-query; adapt to your EDR's syntax)
process.executable.path STARTS WITH "/Volumes/"
AND process.executable.path CONTAINS ".app/Contents/MacOS/"

Quarantine Bypass:

# User bypassed Gatekeeper (bound the search window; an unbounded `log show` dumps the whole log)
log show --last 1h --predicate 'subsystem == "com.apple.launchservices"' | grep "override"

Unsigned App Execution:

# Apps without valid signatures
codesign -vv /path/to/suspicious.app 2>&1 | grep "not signed"
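As an added example (not code from the original page), the following Python applies the three endpoint checks above to constructed launch events, and decodes the com.apple.quarantine value format shown in the macOS Security Model section (flags;hex timestamp;agent;uuid). The event records, paths and signature summaries are made up; `signature` stands in for a summarized `codesign -vv` result and `user_override` for a launchservices "override" log hit.

```python
"""Added example: quarantine-attribute parsing plus the page's endpoint rules,
run over constructed process-launch events (nothing here is real telemetry)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Executable inside an .app bundle that lives on a mounted volume (/Volumes/<image>/...).
MOUNTED_APP_RE = re.compile(r"^/Volumes/[^/]+/.*\.app/Contents/MacOS/[^/]+$")


def parse_quarantine(value):
    """Split 'flags;hex_epoch;agent;uuid' as printed by `xattr -l`.
    The timestamp is hex seconds since the Unix epoch."""
    flags, hex_ts, agent, uuid = value.split(";", 3)
    epoch = int(hex_ts, 16)
    return {"flags": int(flags, 16), "epoch": epoch,
            "time": datetime.fromtimestamp(epoch, tz=timezone.utc),
            "agent": agent, "uuid": uuid}


@dataclass
class LaunchEvent:
    path: str            # process.executable.path
    quarantined: bool    # binary still carried com.apple.quarantine at launch
    signature: str       # summarized codesign result: "valid", "not signed", "revoked"
    user_override: bool  # Gatekeeper override recorded (right-click > Open)


def triage(event):
    """Return the list of page rules the event trips; empty means no finding."""
    findings = []
    if MOUNTED_APP_RE.match(event.path):
        findings.append("app launched from mounted DMG")
    if event.signature != "valid":
        findings.append(f"signature check failed: {event.signature}")
    if event.user_override and event.quarantined:
        findings.append("user overrode Gatekeeper on quarantined app")
    return findings


# Constructed sample events: one phishing-style launch, one benign launch.
SAMPLE_EVENTS = [
    LaunchEvent("/Volumes/ClientPortal/ClientPortal.app/Contents/MacOS/ClientPortal",
                True, "not signed", True),
    LaunchEvent("/Applications/Safari.app/Contents/MacOS/Safari", False, "valid", False),
]

if __name__ == "__main__":
    q = parse_quarantine("0083;65a1234b;Safari;12345678-1234-1234-1234-123456789ABC")
    print(f"downloaded by {q['agent']} at {q['time'].isoformat()}")
    for ev in SAMPLE_EVENTS:
        print(ev.path, "->", triage(ev) or "clean")
```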

Network Indicators

  • DMG downloads from non-standard sources
  • POST requests shortly after DMG mount (C2 check-in)
  • Exfiltration patterns (Keychain data, browser DBs)

SIEM Queries

event.type = "file_download"
AND file.extension = "dmg"
AND NOT url.domain IN (known_software_vendors)
AND user.email.received_recently = true

Response Actions

If DMG phishing suspected:

  1. Isolate endpoint
  2. Check for persistence (LaunchAgents, LaunchDaemons)
  3. Review Keychain access logs
  4. Check browser extension installations
  5. Rotate credentials accessed from that machine
  6. Image for forensics if stealer confirmed

What Killed It (or Weakened It)

| Defense | Introduced | Impact |
|---|---|---|
| Gatekeeper | 2012 | Blocks unsigned applications by default; requires user override |
| Notarization Requirement | 2019 | Apps must be notarized by Apple or users see strong warnings |
| Quarantine Attribute | 2007 | Downloaded files tagged; triggers Gatekeeper check on first launch |
| App Translocation | 2016 | Apps run from read-only randomized path until moved by user |