We’ve recently seen how ChatGPT was used to trick Mac users into installing MacStealer, and now a different tactic has been found to persuade users to install a version of MacSync Stealer.
The Mac remains a relatively difficult target for attackers thanks to Apple’s protections against the installation of malware. However, Mac malware is on the increase, and two tactics recently discovered by security researchers highlight the creative approaches some attackers are using …
There used to be two main reasons that Mac malware was relatively rare compared to that for Windows machines. The first, of course, was the relatively low market share of Macs. The second was the built-in protections Apple includes to detect and block rogue apps.
As Mac market share has grown, the appeal of the platform as a target has done the same, especially given that the Apple demographic makes Mac users a tempting target for financial scams in particular.
When you try to install a new Mac app, macOS checks that it has been signed by a known developer and notarized by Apple. If not, this fact will be flagged, and macOS now makes it a relatively convoluted process to bypass the protection and install it anyway.
Earlier this month, we learned that attackers are using ChatGPT and other AI chatbots to trick Mac users into pasting a command line into Terminal, which then installs malware. Cybersecurity company Jamf has now found an example of another approach being employed.
MacSync Stealer installer
Jamf says that the malware is a variant on the “increasingly active” MacSync Stealer malware.
Attackers use a Swift app which has been signed and notarized and does not in itself contain any malware. However, the app then retrieves an encoded script from a remote server, which is then executed to install the malware.
After inspecting the Mach-O binary, which is a universal build, we confirmed that it is both code signed and notarized. The signature is associated with the Developer Team ID GNJLS3UYZ4. We also verified the code directory hashes against Apple’s revocation list, and at the time of analysis, none had been revoked […] Most payloads related to MacSync Stealer tend to run primarily in memory and leave little to no trace on disk.
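A valid Developer ID signature and notarization only tell you who signed the app, not what it does at runtime, so a hunt for the loader pattern described above has to pair signature facts with behaviour. The following is an added example, not code from Jamf or from the article: it parses the key=value output format of `codesign -dv --verbose=4` (the sample output, the bundle path and the process events are constructed; the Team ID is the one named in the quote above) and flags an app whose Team ID is on a local blocklist or that spawns a shell or script interpreter.

```python
# Team ID named in Jamf's analysis quoted on this page, kept in a locally
# maintained blocklist because a valid signature alone proves nothing.
BLOCKED_TEAM_IDS = {"GNJLS3UYZ4"}
# Child processes a notarized installer should not normally launch.
SUSPECT_CHILDREN = {"sh", "bash", "zsh", "osascript", "python3", "curl"}

# Constructed sample in the key=value format `codesign -dv --verbose=4` writes
# to stderr (the bundle name and identifier are placeholders).
SAMPLE_CODESIGN = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.installer
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GNJLS3UYZ4
"""

# Constructed process-tree events as (parent executable, child executable).
SAMPLE_EVENTS = [
    ("/Applications/Example.app/Contents/MacOS/Example", "/bin/zsh"),
    ("/Applications/Example.app/Contents/MacOS/Example", "/usr/bin/open"),
]

def parse_codesign(output: str) -> dict:
    """Group codesign's key=value lines; repeated keys (Authority) keep order."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def assess(output: str, events: list) -> dict:
    """Combine signature facts with behaviour: a signed, notarized app that
    launches a shell to run fetched content matches the loader pattern."""
    f = parse_codesign(output)
    team = f.get("TeamIdentifier", [""])[0]
    exe = f.get("Executable", [""])[0]
    spawned = sorted({c.rsplit("/", 1)[-1] for p, c in events
                      if p == exe and c.rsplit("/", 1)[-1] in SUSPECT_CHILDREN})
    return {
        "team_id": team,
        "developer_id": any(a.startswith("Developer ID Application:")
                            for a in f.get("Authority", [])),
        "blocked_team": team in BLOCKED_TEAM_IDS,
        "spawned": spawned,
        "suspicious": team in BLOCKED_TEAM_IDS or bool(spawned),
    }
```

Notarization status itself is not in codesign's output; on a real host it comes from `spctl --assess -vv`, which this example does not parse.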