The latest variant of the MacSync information stealer targeting macOS systems is delivered through a digitally signed, notarized Swift application.
Security researchers at Apple device management platform Jamf say that the distribution method constitutes a significant evolution from past iterations that used less sophisticated "drag-to-Terminal" or ClickFix tactics.
"Delivered as a code-signed and notarized Swift application within a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, distributed via https://zkcall.net/download, it removes the need for any direct terminal interaction," the researchers say in a report today.
[Image: Valid digital signature and notarization. Source: Jamf]
Jamf says that, at the time of the analysis, the latest MacSync variant carried a valid signature and could pass Gatekeeper, the macOS mechanism that checks a downloaded application's code signature and notarization before allowing it to run.
"After inspecting the Mach-O binary, which is a universal build, we confirmed that it is both code-signed and notarized. The signature is associated with the Developer Team ID GNJLS3UYZ4," Jamf explains.
However, after the certificate was reported directly to Apple, it has since been revoked, so Gatekeeper should now block the application.
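A defender's triage check for the signing details described above, as an added example that is not part of Jamf's report: the script parses the output of `codesign -dvv`, extracts the Developer Team ID, and compares it with a blocklist seeded from the Team ID the article cites. The sample `codesign` output is constructed for illustration (the executable path and bundle identifier are placeholders); on a real Mac, pass an application path to run the live check, including `spctl`'s own Gatekeeper verdict.

```shell
#!/bin/sh
# Added example (not from Jamf's report or the malware). Parses codesign -dvv
# output, extracts the Developer Team ID, and compares it against a blocklist.
# GNJLS3UYZ4 is the Team ID named in the article; everything else is constructed.

BLOCKLISTED_TEAM_IDS="GNJLS3UYZ4"

# Read codesign -dvv output on stdin and print the TeamIdentifier value.
# Ad-hoc signed binaries report "not set"; unsigned ones have no such line.
extract_team_id() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Exit status 0 when the Team ID is on the blocklist, 1 otherwise.
is_blocklisted_team() {
    for id in $BLOCKLISTED_TEAM_IDS; do
        [ "$1" = "$id" ] && return 0
    done
    return 1
}

# Classify a Team ID as "blocked", "unsigned", or "allowed".
classify_team_id() {
    tid="$1"
    if [ -z "$tid" ] || [ "$tid" = "not set" ]; then
        echo unsigned
    elif is_blocklisted_team "$tid"; then
        echo blocked
    else
        echo allowed
    fi
}

# Constructed sample of codesign -dvv output for a Developer ID-signed,
# hardened-runtime app. Path, bundle id and developer name are placeholders.
SAMPLE_CODESIGN_OUTPUT='Executable=/Volumes/EXAMPLE/Example.app/Contents/MacOS/Example
Identifier=com.example.placeholder
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: PLACEHOLDER DEVELOPER (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GNJLS3UYZ4
Runtime Version=14.0.0'

# Live check for a real application path (macOS only). codesign prints its
# details to stderr, hence the 2>&1. Returns non-zero when the app is blocked.
check_app() {
    app="$1"
    tid=$(codesign -dvv "$app" 2>&1 | extract_team_id)
    verdict=$(classify_team_id "$tid")
    echo "$app: team=${tid:-none} verdict=$verdict"
    # Gatekeeper's own assessment; once Apple revokes the certificate this
    # should report "rejected" even though the signature itself still parses.
    spctl --assess --type execute -vv "$app" 2>&1 || true
    [ "$verdict" != "blocked" ]
}

if [ $# -gt 0 ]; then
    check_app "$1"
else
    # No path given: demonstrate the parser on the constructed sample.
    tid=$(printf '%s\n' "$SAMPLE_CODESIGN_OUTPUT" | extract_team_id)
    echo "sample: team=$tid verdict=$(classify_team_id "$tid")"
fi
```

Team IDs are a coarse indicator: a revoked certificate stops new launches through Gatekeeper, but a blocklist check like this is still useful for hunting across a fleet for copies that were launched before the revocation.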
The dropper carries the malware payload in encoded form; after decoding it, the researchers found the usual hallmarks of MacSync Stealer.
[Image: The deobfuscated payload. Source: Jamf]