New MacSync Stealer Exploits Signed macOS Apps to Evade Security and Exfiltrate Data
Cybersecurity researchers have recently identified an advanced variant of the MacSync malware that specifically targets macOS users. This iteration distinguishes itself by masquerading as a legitimately code-signed and Apple-notarized application, effectively bypassing macOS's Gatekeeper security mechanism to steal sensitive user data.
Code-Signed Malware Bypasses Security
Jamf Threat Labs uncovered this evolved MacSync stealer, noting two significant technical advancements. Firstly, the malware now presents itself as a code-signed and notarized Swift application, aligning with Apple’s official programming language for macOS development. This strategic disguise enables the malware to evade detection by appearing as a trusted app from a verified developer.
Cybercriminals acquire legitimate developer certificates through various means, including theft, purchasing compromised developer accounts, or creating fake developer entities using fraudulent identities. By leveraging these certificates, MacSync circumvents macOS security warnings about unidentified developers, which would typically alert users to potential threats.
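Because a valid Developer ID signature only proves that some Apple developer account signed the bundle, a practical mitigation is to treat the signature as necessary but not sufficient and to allowlist the Team IDs an organisation actually expects. The following Python helper is an added example, not code from Jamf or from the article: it parses the output of `codesign -dvvv <app>` (captured here as constructed sample text; the bundle identifier, developer name and Team ID are placeholders) and returns a triage verdict.

```python
"""Triage of a macOS app's code-signing details (added example, not from the article).

A Developer ID signature chaining to Apple Root CA passes Gatekeeper, so trust is
decided here by an allowlist of expected Team IDs. Notarization status is reported
separately by `spctl -a -vv` and is not parsed in this example.
"""

# Constructed sample resembling `codesign -dvvv` output for an unfamiliar
# Developer ID-signed bundle; identifier, developer name and Team ID are placeholders.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.messenger
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Dev LLC (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2025 at 00:00:00
TeamIdentifier=ABCDE12345
Runtime Version=14.0.0
Sealed Resources version=2 rules=13 files=40
"""


def parse_codesign(text):
    """Turn `key=value` lines into a dict; the repeated Authority lines become a list."""
    info = {"authority": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # lines without '=' carry nothing we need
        if key == "Authority":
            info["authority"].append(value)
        else:
            info[key] = value
    return info


def assess(info, allowed_team_ids):
    """Return (verdict, reason). 'review' means signed but by an unexpected team."""
    chain = info["authority"]
    team = info.get("TeamIdentifier", "not set")
    if not chain or chain[-1] != "Apple Root CA":
        return ("reject", "signature does not chain to Apple Root CA")
    if not any(a.startswith("Developer ID Application:") for a in chain):
        return ("reject", "not a Developer ID distribution signature")
    if team not in allowed_team_ids:
        return ("review", f"valid Developer ID signature, but Team ID {team} is not allowlisted")
    return ("allow", f"Team ID {team} is allowlisted")
```

On a real host, feed it `subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True).stderr`, since codesign writes these details to stderr.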
The new variant impersonates online messaging platforms, particularly targeting users interested in applications like zk-Call, an Estonia-based call and messenger service. This social engineering tactic increases the likelihood that victims will install the malicious software without suspicion.
Enhanced Functionality and Increased Threat
This version of MacSync represents a significant departure from its predecessors. Earlier variants were lightweight, running modular payloads directly in memory without a substantial disk footprint. However, Jamf researchers noted that this version ships as a 25.5 MB disk image, suggesting enhanced functionality and embedded components.
MacSync poses serious threats to infected systems. The malware can install backdoors for remote system control, steal stored data and browser information, target cryptocurrency wallet credentials, and maintain persistent hidden access. Jamf identified focusgroovy[.]com as a command-and-control server used to fetch additional payloads, with web browsers now flagging the site for suspected phishing activity.
Distribution Methods and User Vigilance
While the exact distribution method remains unclear, potential infection vectors include malicious advertising campaigns, social media exploitation, search engine manipulation, and targeted spear-phishing attacks. Mac users should remain vigilant and avoid downloading applications from untrusted sources, even if they appear legitimately signed.