MacSync Stealer Malware Uses Digitally Signed Apps to Evade macOS Security

MacSync Stealer Malware Exploits Digitally Signed Apps to Target macOS Users

A new iteration of the MacSync Stealer malware is actively targeting macOS users by leveraging digitally signed and notarized applications, marking a significant evolution in its delivery method. Unlike its predecessors, which required users to manually input commands into the Terminal, this updated variant operates covertly, minimizing user interaction and increasing the likelihood of successful infection.

Deceptive Distribution Tactics

The malware is distributed through a counterfeit website that offers it as a legitimate installer named `zk-call-messenger-installer-3.9.2-lts.dmg`. Once the bundled application is run, it silently downloads and executes a hidden script built to exfiltrate sensitive information from the victim's system.

Exploiting Apple’s Security Framework

This variant is packaged as a Swift application and signed with Apple Developer Team ID GNJLS3UYZ4. Because the app carries a valid Developer ID signature and has been notarized, Gatekeeper treats it like any other trusted download and shows none of the "unidentified developer" warnings an unsigned binary would trigger; this is not a weakness in Gatekeeper itself but abuse of a legitimately issued certificate. At the time of discovery the certificate had not been revoked, so the installer opened without any security prompt. Once Apple revokes a Developer ID certificate, Gatekeeper refuses to launch software signed with it, so the useful life of a signed sample is bounded by how quickly the abuse is reported. The disk image is notably large, roughly 25.5MB, padded with decoy PDF files relating to LibreOffice so that it resembles a legitimate office-software package.

Detection and Analysis

Upon submission to VirusTotal, several antivirus engines identified the file as a generic downloader associated with the coins or ooiid malware families. Jamf analysts detected this malware variant while monitoring their detection systems for anomalous activity. They observed that this version deviated from previous MacSync campaigns, which often relied on user interaction with the Terminal or employed ClickFix techniques. This new approach eliminates the need for such interactions, making it more challenging for victims to recognize the attack.

Technical Execution and Payload Delivery

The malware uses a Swift-based helper program named `runtimectl` to drive the infection. On launch, it checks for an active Internet connection with a `checkInternet()` function. If a connection is available, it fetches a second-stage script from a remote server with `curl`, saves it to `/tmp/runner`, and checks the file's MIME type to confirm that what arrived is a shell script before running it.

Before execution, the helper strips the `com.apple.quarantine` extended attribute. That step is largely belt-and-braces: files fetched with `curl` never receive the attribute in the first place, since only Launch Services-aware applications such as browsers apply it. It then sets the file mode to 750 (`rwxr-x---`), making the script executable for its owner and group. The helper keeps state in a log file at `~/Library/Logs/UserSyncWorker.log` and in tracking files under `~/Library/Application Support/UserSyncWorker/`; a rate limiter built on those files runs the downloaded script at most once every 3600 seconds (one hour). Together these give the infection a quiet, once-an-hour cadence rather than a conventional persistence mechanism such as a LaunchAgent, which the analysis does not describe. After the script runs, `/tmp/runner` is deleted to reduce forensic traces. The script also contacts a command-and-control server to fetch additional payloads and receive further instructions.
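The on-disk artifacts above are the cheapest thing to hunt for on a suspect Mac. The script below is an added example (not code from the article or from Jamf) that checks only the paths the article names; the home and tmp roots are parameters so the same check runs against a live host (`"$HOME"` and `/private/tmp`) or a mounted evidence image. It uses `ls` rather than `stat` for the mode check because `stat` flags differ between macOS and Linux, and it assumes `xattr(1)` is present only on macOS.

```shell
#!/bin/sh
# Artifact hunt for the MacSync Stealer variant described above.
# Added example, not the article's or Jamf's code. Only paths named in the
# article are checked; everything else is generic POSIX shell.

# Print one "HIT <path>" line per artifact found under the given roots.
hunt_macsync_artifacts() {
    home_root="$1"   # e.g. /Users/alice, or /Volumes/evidence/Users/alice
    tmp_root="$2"    # e.g. /private/tmp on a live macOS host
    for p in \
        "$home_root/Library/Logs/UserSyncWorker.log" \
        "$home_root/Library/Application Support/UserSyncWorker" \
        "$tmp_root/runner"
    do
        [ -e "$p" ] && echo "HIT $p"
    done
    return 0
}

# The article says the runner is chmod'ed to 750 (rwxr-x---) before it runs.
# Returns 0 when the mode string from ls matches exactly that.
has_mode_750() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "-rwxr-x---" ]
}

# Report the quarantine attribute state on a live macOS host. Note that curl
# itself never sets com.apple.quarantine, so its absence on /tmp/runner is
# expected and is not, by itself, evidence of tampering.
quarantine_state() {
    if command -v xattr >/dev/null 2>&1; then
        if xattr -p com.apple.quarantine "$1" >/dev/null 2>&1; then
            echo "quarantined"
        else
            echo "not-quarantined"
        fi
    else
        echo "unknown"   # not macOS, or xattr(1) unavailable
    fi
    return 0
}

# Usage: sh hunt_macsync.sh "$HOME" /private/tmp
if [ "$#" -eq 2 ]; then
    hunt_macsync_artifacts "$1" "$2"
    if [ -e "$2/runner" ]; then
        if has_mode_750 "$2/runner"; then
            echo "INFO $2/runner has mode 750 (matches the described staging)"
        fi
        echo "INFO $2/runner quarantine: $(quarantine_state "$2/runner")"
    fi
fi
```

Because the helper deletes `/tmp/runner` after each run, the log file and the `UserSyncWorker` directory are the durable indicators; `/tmp/runner` is only visible inside the short window between download and execution, so treat a hit there as a sign the infection is active right now.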

Implications and Recommendations

The emergence of this MacSync Stealer variant underscores the evolving tactics of cybercriminals targeting macOS users. By exploiting digitally signed applications, the malware effectively bypasses traditional security measures, highlighting the need for enhanced vigilance.

Preventive Measures:

1. Verify Application Sources: Download software only from official and reputable sources, and be cautious of applications from unfamiliar websites even when they look polished. A valid signature and notarization prove only that a certificate was issued to someone, not that the someone is the vendor you expect; before trusting an installer, compare the Team ID that `codesign -dv --verbose=4` reports with the one the vendor publishes.

2. Regular Software Updates: Keep your operating system and all installed applications up to date to benefit from the latest security patches.

3. Security Software: Utilize reputable antivirus and anti-malware solutions that offer real-time protection and regular updates.

4. Monitor System Activity: Regularly review system logs and watch for unusual behaviour, such as `curl` downloads landing in `/tmp`, new files under `~/Library/Application Support/UserSyncWorker/` or `~/Library/Logs/`, or outbound connections from helper binaries such as `runtimectl`.

5. Educate Users: Raise awareness about phishing tactics and the importance of scrutinizing software sources before installation.

By implementing these measures, users can significantly reduce the risk of infection from malware like the MacSync Stealer and enhance their overall cybersecurity posture.
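For the source-verification advice above, the following is an added example (not code from the article, Jamf or Apple) of checking an app's signing Team ID before trusting it. It parses `codesign` output, which that tool writes to stderr, and compares the Team ID with a block list you maintain yourself; the only entry shown is the one the article reports. The `SAMPLE_CODESIGN_OUTPUT` string is constructed for offline testing and is not a real capture, and `assess_app` assumes it is running on macOS where `codesign` and `spctl` exist.

```shell
#!/bin/sh
# Team ID check for a downloaded app. Added example, not from the article.
# BLOCKED_TEAM_IDS is an operator-maintained list; the single entry is the
# Team ID the article attributes to this MacSync Stealer sample.
BLOCKED_TEAM_IDS="GNJLS3UYZ4"

# Extract the TeamIdentifier value from `codesign -dv --verbose=4` output.
# codesign prints that output on stderr, so callers must redirect 2>&1.
team_id_from_codesign() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Returns 0 when the given Team ID is on the block list.
team_id_is_blocked() {
    for id in $BLOCKED_TEAM_IDS; do
        [ "$1" = "$id" ] && return 0
    done
    return 1
}

# Live check (macOS only): prints one verdict line for the app bundle.
assess_app() {
    app="$1"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "SKIP codesign not available on this host"
        return 0
    fi
    tid=$(codesign -dv --verbose=4 "$app" 2>&1 | team_id_from_codesign)
    if [ -z "$tid" ]; then
        echo "UNSIGNED $app"
        return 0
    fi
    if team_id_is_blocked "$tid"; then
        echo "BLOCK $app team=$tid"
        return 0
    fi
    # Gatekeeper's own verdict: a signed and notarized app is accepted here,
    # which is exactly why the Team ID comparison above still matters.
    if spctl --assess --type execute "$app" >/dev/null 2>&1; then
        echo "ACCEPTED $app team=$tid (confirm this matches the vendor's published Team ID)"
    else
        echo "REJECTED $app team=$tid"
    fi
    return 0
}

# Constructed sample of codesign -dv --verbose=4 output for offline testing.
# Not a real capture; the developer name is a placeholder.
SAMPLE_CODESIGN_OUTPUT='Executable=/Volumes/Installer/Example.app/Contents/MacOS/Example
Identifier=com.example.installer
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Developer (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GNJLS3UYZ4
Runtime Version=14.0.0
Sealed Resources version=2 rules=13 files=3
Internal requirements count=1 size=180'

# Usage: sh check_team_id.sh /Volumes/Installer/Example.app
if [ "$#" -eq 1 ]; then
    assess_app "$1"
fi
```

Run the live check against the mounted `.app` rather than the `.dmg`, since `spctl --assess --type execute` evaluates executables; a block-listed Team ID is reported before Gatekeeper is even consulted, because Gatekeeper will happily accept the bundle until Apple revokes the certificate.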