A new version of the MacSync Stealer malware is targeting macOS users through digitally signed and notarized applications, marking a major shift in how this threat is delivered.
Unlike older versions that required users to paste commands into Terminal, this updated variant operates silently in the background.
The malware comes disguised as a legitimate installer, distributed through a fake website under the name zk-call-messenger-installer-3.9.2-lts.dmg.
Once installed, it downloads and runs a hidden script that steals sensitive information from the victim's computer.
The malware is packaged as a Swift application and signed with the Apple Developer Team ID GNJLS3UYZ4, which allows it to bypass the initial security warnings that macOS usually shows for untrusted software.
At the time researchers found it, Apple had not yet revoked the certificate, meaning the malware could install without triggering alerts. The disk image file is unusually large at 25.5MB because it contains fake PDF files related to LibreOffice to make it look more legitimate.
When uploaded to VirusTotal, some antivirus engines detected it as a generic downloader linked to the cash or ooiid malware families.
Jamf analysts identified this malware while checking their detection systems for unusual activity. They noticed that the malware did not follow the usual patterns seen in earlier MacSync campaigns, which typically relied on drag-to-terminal or ClickFix techniques.
Obfuscated payload (Source: Jamf)
This new approach removes the need for user interaction with Terminal, making it much harder for victims to realize they are being attacked.
After confirming the threat, Jamf Threat Labs reported the malicious Developer Team ID to Apple, and the certificate has since been revoked.
Swift-Based Execution and Payload Delivery
The malware uses a Swift-built helper program called runtimectl that handles the entire infection process. When the program starts, it checks whether the computer has an internet connection using the checkInternet() function.
Checking for internet access (Source: Jamf)
If connected, it proceeds to download the second-stage payload from hxxps://gatemaden[.]house/curl/985683bd660c0c47c6be513a2d1f0a554d52d241714bb17fb18ab0d0f8cc2dc6 using a curl command.
The script is saved to /tmp/runner and then checked to make sure it is a valid shell script by running /usr/bin/file --mime-type -b and confirming the result matches text/x-shellscript.
HTTP request (Source: Jamf)
Before running the payload, the malware removes the com.apple.quarantine flag using removeQuarantine(at:) and sets the file permissions to 750 to make it executable.
It also creates a log file at ~/Library/Logs/UserSyncWorker.log and tracking files in ~/Library/Application Support/UserSyncWorker/ to record activity and prevent the malware from running too often.
A rate-limiting mechanism ensures the malware only executes once every 3600 seconds.
After the script runs, the /tmp/runner file is deleted to remove traces from the system, and the malware connects to focusgroovy[.]com to download additional payloads and communicate with its command-and-control server.
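The artifacts described above (the log and tracking paths, the /tmp/runner staging file, and the signing Team ID) can be turned into a simple host hunt. The following script is an added example and is not Jamf's tooling; it assumes the `TeamIdentifier=` line that `codesign -dvv` prints, and it takes the home and tmp directories as parameters so it can be exercised against a constructed fixture.

```shell
#!/bin/sh
# Added example: hunt for on-host artifacts attributed to this MacSync
# Stealer variant in the article. Not Jamf's code.

MACSYNC_TEAM_ID="GNJLS3UYZ4"   # Developer Team ID named in the article

# Print one line per artifact present under the given home/tmp dirs.
# Returns 0 if at least one artifact was found, 1 if the host looks clean.
# Usage on a live host: macsync_host_artifacts "$HOME"
macsync_host_artifacts() {
    ms_home="$1"
    ms_tmp="${2:-/tmp}"
    ms_hits=0
    for ms_path in \
        "$ms_home/Library/Logs/UserSyncWorker.log" \
        "$ms_home/Library/Application Support/UserSyncWorker" \
        "$ms_tmp/runner"
    do
        if [ -e "$ms_path" ]; then
            echo "ARTIFACT $ms_path"
            ms_hits=$((ms_hits + 1))
        fi
    done
    [ "$ms_hits" -gt 0 ]
}

# Read codesign output from stdin and report whether the bundle was signed
# with the Team ID from the article. codesign writes its details to stderr:
#   codesign -dvv /Applications/Some.app 2>&1 | macsync_signed_by_team
macsync_signed_by_team() {
    grep -q "^TeamIdentifier=${MACSYNC_TEAM_ID}\$"
}
```

The artifact check is a presence test only; a hit on the UserSyncWorker paths or a bundle carrying the revoked Team ID warrants pulling the log file and the signed binary for triage.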
