
MacSync Stealer variant finds a way to bypass Apple malware protections

We’ve recently seen how ChatGPT was used to trick Mac users into installing MacStealer, and now a different tactic has been found to persuade users to install a version of MacSync Stealer.

The Mac remains a relatively difficult target for attackers thanks to Apple’s protections against the installation of malware. However, Mac malware is on the increase, and two tactics recently discovered by security researchers highlight the creative approaches some attackers are using.

There used to be two main reasons that Mac malware was relatively rare compared to that for Windows machines. The first, of course, was the relatively low market share of Macs. The second was the built-in protections Apple includes to detect and block rogue apps.

As Mac market share has grown, the appeal of the platform as a target has done the same, especially given that the Apple demographic makes Mac users a tempting target for financial scams in particular.

When you try to install a new Mac app, macOS checks that it has been notarized by Apple, which requires it to have been signed by a known developer. If it hasn’t, macOS flags this, and it now makes it a relatively convoluted process to bypass the protection and install the app anyway.

Earlier this month, we learned that attackers are using ChatGPT and other AI chatbots to trick Mac users into pasting a command line into Terminal, which then installs malware. Cybersecurity company Jamf has now found an example of another approach being employed.

MacSync Stealer installer

Jamf says that the malware is a variant on the “increasingly active” MacSync Stealer malware.

Attackers use a Swift app which has been signed and notarized and which does not in itself contain any malware. However, once run, the app retrieves an encoded script from a remote server, and that script is then executed to install the malware.

After inspecting the Mach-O binary, which is a universal build, we confirmed that it is both code signed and notarized. The signature is associated with the Developer Team ID GNJLS3UYZ4.

We also verified the code directory hashes against Apple’s revocation list, and at the time of analysis, none had been revoked […]

Most payloads related to MacSync Stealer tend to run primarily in memory and leave little to no trace on disk.

The company says that attackers are increasingly using this type of approach.

This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications. By leveraging these techniques, adversaries reduce the chances of being detected early on.

Jamf says that it reported the developer ID to Apple and the company has now revoked the certificate.
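The lesson of the Jamf finding is that a valid Developer ID signature and a clean notarization ticket are not, on their own, evidence that an app is safe; what a defender can still do is record which Team ID signed a bundle and compare it against IDs known to have been abused, so that once Apple revokes a certificate the matching apps can be found on managed Macs. The script below is an added example written for this article, not code from 9to5Mac or Jamf. It parses the output of Apple’s `codesign -dv --verbose=4` (the `TeamIdentifier=` line is real codesign output; the sample bundle, identifiers and the `BLOCKED_TEAM_IDS` list are constructed, with GNJLS3UYZ4 taken from the Jamf report quoted above) and, on a Mac, can be pointed at a real app bundle.

```shell
#!/bin/sh
# Added example (not from the article or from Jamf): classify an app bundle by
# the Developer Team ID in its code signature and flag IDs on a blocklist.
# Assumption: `codesign -dv --verbose=4` prints a line "TeamIdentifier=<ID>"
# (or "TeamIdentifier=not set" for ad-hoc signatures), as it does on macOS.

# Constructed sample of codesign output for a hypothetical bundle. Everything
# here is made up except the Team ID, which is the one named in Jamf's report.
SAMPLE_CODESIGN_OUTPUT='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Info.plist entries=20
TeamIdentifier=GNJLS3UYZ4
Runtime Version=14.0.0
Sealed Resources version=2 rules=13 files=5'

# Team IDs an organisation has decided to block. Space separated; GNJLS3UYZ4
# is the revoked ID from the report, the rest would come from your own intel.
BLOCKED_TEAM_IDS="GNJLS3UYZ4"

# team_id_from_codesign: read codesign output on stdin, print the Team ID value
# (empty output means no TeamIdentifier line, i.e. nothing usable was signed).
team_id_from_codesign() {
    awk -F= '$1 == "TeamIdentifier" { print $2; exit }'
}

# is_blocked_team_id ID: exit 0 if ID is on the blocklist, 1 otherwise.
is_blocked_team_id() {
    for blocked in $BLOCKED_TEAM_IDS; do
        [ "$1" = "$blocked" ] && return 0
    done
    return 1
}

# classify_codesign_output TEXT: print one of
#   unsigned | adhoc | blocked:<ID> | signed:<ID>
# Note that "signed" only means a Developer ID was present, not that the app is
# trustworthy; that is exactly the gap the MacSync Stealer variant exploits.
classify_codesign_output() {
    tid=$(printf '%s\n' "$1" | team_id_from_codesign)
    case "$tid" in
        "")        echo "unsigned" ;;
        "not set") echo "adhoc" ;;
        *)
            if is_blocked_team_id "$tid"; then
                echo "blocked:$tid"
            else
                echo "signed:$tid"
            fi
            ;;
    esac
}

# assess_app /path/to/App.app: run the real checks on macOS. Prints the
# classification plus the Gatekeeper verdict from spctl (which reports whether
# the bundle is notarized). Returns 1 when the Team ID is blocked.
assess_app() {
    app="$1"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not found; this function needs macOS" >&2
        return 2
    fi
    # codesign writes its details to stderr, so merge the streams.
    out=$(codesign -dv --verbose=4 "$app" 2>&1) || out=""
    verdict=$(classify_codesign_output "$out")
    echo "$app: $verdict"
    # spctl reports the Gatekeeper assessment, e.g. "source=Notarized Developer ID".
    spctl --assess --type execute --verbose=2 "$app" 2>&1 | sed 's/^/  gatekeeper: /'
    case "$verdict" in
        blocked:*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Offline demonstration on the constructed sample:
echo "sample bundle: $(classify_codesign_output "$SAMPLE_CODESIGN_OUTPUT")"
```

On a managed Mac, `assess_app` can be run across `/Applications/*.app` from an inventory or MDM script so that any bundle signed by a revoked Team ID is surfaced, which matters because Gatekeeper only re-evaluates an app at first launch and a previously installed copy will not be rechecked against Apple’s revocation list on its own.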

9to5Mac’s Take

As always, the best protection against Mac malware is to install apps only from the Mac App Store and from the websites of developers you trust.


Author: Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!