A sophisticated new variant of the MacSync Stealer malware is posing a significant threat to macOS users by leveraging digitally signed and notarized applications, a departure from previous, more easily detectable delivery methods. This evolution allows the malware to bypass initial macOS security measures, making it much stealthier.
Security researchers at Jamf Threat Labs have identified this advanced threat that operates silently in the background, unlike older versions that required direct user interaction with the Terminal. The malware is distributed disguised as a legitimate installer, often found on fake websites offering applications like “zk-call-messenger-installer-3.9.2-lts.dmg.” Once installed, it stealthily extracts sensitive data from compromised macOS systems.
MacSync Stealer Evolves with Digital Signatures
The new iteration of MacSync Stealer is packaged as a Swift application and is notably signed with Apple’s Developer Team ID, GNJLS3UYZ4. This digital signature allows the application to bypass the standard security warnings that macOS normally presents for untrusted software. At the time of its discovery, the certificate had not yet been revoked by Apple, meaning the malicious software could be installed without triggering any alerts for the end-user. The disk image file associated with this malware is unusually large, approximately 25.5MB, a tactic employed to include seemingly legitimate dummy PDF files related to LibreOffice, enhancing its appearance of authenticity.
Upon analysis by security firms, some antivirus engines detected the threat as a generic downloader associated with coinminers or other malware families. Jamf analysts originally identified this malicious campaign while monitoring their detection systems for anomalous activity. They observed that this new variant deviated significantly from earlier MacSync campaigns, which commonly relied on techniques such as “drag-to-terminal” or “ClickFix” tactics. This refined approach eliminates the need for explicit user interaction with the command line, making it considerably harder for individuals to recognize they are under attack.
Following the confirmation of the threat, Jamf Threat Labs promptly reported the malicious Developer Team ID to Apple. Consequently, the certificate has since been revoked, which should help prevent future instances of this specific digitally signed malware from being installed.
Swift-Based Execution and Payload Delivery
The infection process is managed by a Swift-built helper program named `runtimectl`. This program initiates the malware’s operations and first verifies the presence of an active internet connection using a function labeled `checkInternet()`. If an internet connection is detected, the malware proceeds to download its second-stage payload from a remote server, specifically targeting the URL hxxps://gatemaden[.]space/curl/985683bd660c0c47c6be513a2d1f0a554d52d241714bb17fb18ab0d0f8cc2dc6. The downloaded script is saved as `/tmp/runner`.
Before executing the downloaded script, the malware performs a check to ensure it is a valid shell script by utilizing the command `/usr/bin/file --mime-type -b`, confirming its MIME type matches `text/x-shellscript`. Subsequently, it removes the `com.apple.quarantine` flag using the `removeQuarantine(at:)` function, which is crucial for bypassing Gatekeeper protections. File permissions are then adjusted to 750, making the script executable. To maintain persistence and prevent rapid re-infection, the malware creates log files located at `~/Library/Logs/UserSyncWorker.log` and tracking files within `~/Library/Application Support/UserSyncWorker/`. These mechanisms also implement a rate-limiting feature, ensuring the malware only executes its primary functions once every hour (3600 seconds).
Once the script has completed its execution, the `/tmp/runner` file is deleted to remove any residual traces from the compromised system. The malware then establishes communication with its command-and-control (C2) server by connecting to `focusgroovy[.]com`, where it can download additional malicious payloads or receive further instructions.
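The artifacts listed above lend themselves to a quick host triage. The following Python helper is an added example, not code from the article or from Jamf Threat Labs; the directory layout it builds, the sample `codesign -dvv` output and the function names are assumptions, and it checks only the signer Team ID and file-system artifacts the article names.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in the article (the Team ID has since been revoked by Apple).
REVOKED_TEAM_ID = "GNJLS3UYZ4"
HOME_ARTIFACTS = [
    "Library/Logs/UserSyncWorker.log",
    "Library/Application Support/UserSyncWorker",
]
STAGER_MODE = 0o750          # permissions the helper sets on /tmp/runner

def team_id_from_codesign(codesign_output: str):
    """Return the TeamIdentifier printed by `codesign -dvv`, or None.
    Unsigned or ad-hoc signed bundles print 'TeamIdentifier=not set'."""
    m = re.search(r"^TeamIdentifier=(.+)$", codesign_output, re.MULTILINE)
    if not m or m.group(1).strip() == "not set":
        return None
    return m.group(1).strip()

def triage(home: Path, tmp: Path, codesign_output: str = "") -> list:
    """Collect findings for the MacSync artifacts described in the article."""
    findings = []
    if team_id_from_codesign(codesign_output) == REVOKED_TEAM_ID:
        findings.append(f"bundle signed by revoked Team ID {REVOKED_TEAM_ID}")
    for rel in HOME_ARTIFACTS:           # rate-limit / tracking files
        if (home / rel).exists():
            findings.append(f"tracking artifact present: ~/{rel}")
    stager = tmp / "runner"              # second-stage script drop location
    if stager.is_file():
        mode = stager.stat().st_mode & 0o777
        findings.append(f"stager present: /tmp/runner (mode {mode:o})")
    return findings

def demo() -> list:
    """Triage a constructed host layout (assumption: no real system data used)."""
    with tempfile.TemporaryDirectory() as d:
        home, tmp = Path(d) / "home", Path(d) / "tmp"
        (home / "Library/Logs").mkdir(parents=True)
        (home / HOME_ARTIFACTS[0]).write_text("")
        (home / HOME_ARTIFACTS[1]).mkdir(parents=True)
        tmp.mkdir()
        (tmp / "runner").write_text("#!/bin/sh\n")
        (tmp / "runner").chmod(STAGER_MODE)
        # Constructed codesign output in the real tool's line format.
        sample = "Identifier=com.example.app\nTeamIdentifier=GNJLS3UYZ4\n"
        return triage(home, tmp, sample)
```

On a live host, pass `Path.home()` and `Path("/tmp")` to `triage()` together with the stderr text of `codesign -dvv` run against the suspect bundle.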
The ongoing evolution of malware delivery methods, particularly the use of legitimate-looking, digitally signed applications, highlights the increasing sophistication of cyber threats targeting macOS. Users are advised to remain vigilant, ensure their operating systems and security software are up-to-date, and exercise caution when downloading and installing applications from unverified sources. The revocation of the certificate marks a critical step in mitigating this specific threat, but the underlying attack vector necessitates continuous monitoring and proactive defense strategies from both users and security vendors.