Notice the SKID mismatch, i.e. the Subject Key Identifier of the certificate in the code signature added by the attacker differs from that of the original certificate issued to the Transmission developer.
Notice the bogus RTF file, which is actually an executable and part of the ransomware scheme.
Compare the code signature of the main executable (added by the attacker) with the other signature (the original one by Mozilla): this is a legitimate app bundle nested inside a malware app bundle to fool the user.
Notice the bogus script file, which starts the download of the cryptominer malware.
Please note that the security assessment using spctl can still accept a codesigning certificate, while the more up-to-date verification with security already shows it as revoked.
Notice that there is no CRL (certificate revocation list) for Apple System signatures (leaf certificate: "Software Signing"), so let's hope none of Apple's private codesigning keys ever get leaked.
Notice that the main code signature is unchanged: the SKID comparison shows a match.
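The two checks used in the notes above, the SKID comparison between two code signatures and the spctl-versus-security gap, can be scripted. The following is an added example, not part of the original page or of the wys script; it assumes macOS with codesign(1), spctl(8), security(1) and openssl(1) on the PATH, and the security verify-cert flags (-c, -p codeSign) are assumed from the manual rather than taken from the page. compare_signers takes two paths (e.g. an outer bundle and the legitimate app nested inside it, or a suspect copy and a known-good install) and reports whether their leaf signing certificates share a Subject Key Identifier.

```shell
#!/bin/sh
# Added example (not the page's own tooling): compare the leaf signing certificate
# of two code signatures by Subject Key Identifier (SKID), and show the Gatekeeper
# assessment (spctl) next to certificate-level verification (security verify-cert).
# Assumes macOS with codesign, spctl, security and openssl available.

# Normalise an SKID as printed by openssl ("aa:bb:cc", maybe with surrounding
# whitespace) to bare upper-case hex so that formatting differences never count.
normalize_skid() {
    printf '%s' "$1" | tr -d ': \t\n' | tr 'a-f' 'A-F'
}

# Succeed when two SKIDs denote the same key; an empty SKID never matches.
skids_match() {
    [ -n "$1" ] && [ "$(normalize_skid "$1")" = "$(normalize_skid "$2")" ]
}

# Extract the certificate chain from the signature on $1 and print the leaf's SKID.
# codesign writes DER files <prefix>0 (leaf), <prefix>1, ... ; we only need the leaf.
leaf_skid() {
    tmp=$(mktemp -d) || return 1
    codesign -d --extract-certificates="$tmp/codesign" "$1" 2>/dev/null \
        || { rm -rf "$tmp"; return 1; }
    skid=$(openssl x509 -inform DER -in "$tmp/codesign0" -noout -text \
        | awk '/Subject Key Identifier/ { getline; print; exit }')
    rm -rf "$tmp"
    normalize_skid "$skid"
}

# Compare the signers of two code objects; exit 1 on mismatch, 2 if either is unsigned.
compare_signers() {
    a=$(leaf_skid "$1") || { echo "no extractable signature: $1" >&2; return 2; }
    b=$(leaf_skid "$2") || { echo "no extractable signature: $2" >&2; return 2; }
    if skids_match "$a" "$b"; then
        echo "SKID match:    $a"
    else
        echo "SKID MISMATCH: $1 -> $a"
        echo "               $2 -> $b"
        return 1
    fi
}

# Print the Gatekeeper assessment and then verify the leaf certificate under the
# codeSign policy; the latter consults revocation data and can say "revoked"
# while spctl still accepts the bundle.
assess_vs_verify() {
    echo "== spctl assessment of $1"
    spctl --assess --type execute -vv "$1" 2>&1
    echo "== security verify-cert on the leaf certificate (codeSign policy)"
    tmp=$(mktemp -d) || return 1
    codesign -d --extract-certificates="$tmp/codesign" "$1" 2>/dev/null
    security verify-cert -c "$tmp/codesign0" -p codeSign 2>&1   # assumed flags, see security(1)
    rm -rf "$tmp"
}

# usage: sh skidcheck.sh /path/Outer.app /path/Outer.app/Contents/Resources/Inner.app
# The comparison runs only when exactly two arguments are given, so the file can
# also be sourced to use assess_vs_verify on a single bundle.
if [ "$#" -eq 2 ]; then
    compare_signers "$1" "$2"
fi
```

Only the leaf certificate is compared: an intermediate or root SKID will match for every Developer ID signature, so it says nothing about who signed the code. A mismatch is the signal from the first note; a match on a bundle that otherwise looks tampered with points at the contents rather than the signer.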
Note that some developers erroneously set the executable bits on files that do not need them; this really messes things up, and wys scans will take longer in these cases.