macOS Trojan Upgrades: Spreading through Signed App, Encrypting Users Face More Covert Risk

BlockBeats News, December 23, SlowMist Chief Security Officer 23pds shared a post stating that the MacSync Stealer malware active on the macOS platform has undergone significant evolution, with user assets already being stolen. The article shared by him mentioned that from earlier reliance on "drag-and-drop to Terminal" and "ClickFix" and other low-threshold inducement methods, it has upgraded to code signing and through Apple notarized Swift applications, significantly improving its stealthiness.

Researchers found that this sample is being spread in the form of a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, disguised as instant messaging or utility applications to induce users to download. Unlike before, the new version no longer requires any terminal operation by the user but is pulled and executed by a built-in Swift helper from a remote server to complete the information theft process.

This malware has been code signed and notarized by Apple, with the developer team ID being GNJLS3UYZ4, and the related hash has not been revoked by Apple during analysis. This means that it has a higher "trust level" under macOS's default security mechanisms, making it easier to bypass user vigilance. Research also found that the DMG file is unusually large, containing decoy files related to LibreOffice PDFs, among others, to further reduce suspicion.

Security researchers pointed out that such information-stealing trojans often target browser data, account credentials, and cryptocurrency wallet information. As malware begins to systematically abuse Apple's signing and notarization mechanism, cryptocurrency users in the macOS environment are facing an increasing risk of phishing and private key leaks.

Users are strongly advised to ensure that threat prevention and advanced threat control are enabled in Jamf for Mac and set to blocking mode to defend against these latest variants of information-stealing malware.