You might want to be even more careful online until Apple sorts this out.
Per AppleInsider, a new variant of the MacSync Stealer malware uses a code-signed Swift application to get around Apple’s macOS Gatekeeper protections.
While macOS Gatekeeper and XProtect do a commendable job of fending off malware on your Mac, a group of hackers has apparently devised a new means of bypassing Gatekeeper and simplified its attack process.
Researchers at Jamf Threat Labs posted on Tuesday about a new variant of MacSync Stealer that uses a different method to attack macOS, one that takes advantage of the notarization system Apple employs.
Previous versions of the MacSync Stealer software required techniques such as dragging items to a Terminal window or so-called “ClickFix” methods, which include dropping a script file or pasting a Unix command.
Under the new method, MacSync Stealer is introduced to a Mac as part of a code-signed and notarized Swift application. Users are encouraged to open an installer for a “zk-Call & Messenger” app from a web browser. The new package can simply be double-clicked to run, and an inspection of the installer binary shows it is indeed both code-signed and notarized, and is associated with a Developer Team ID.
The script driving the malware is small; the package, by comparison, is about 25.5MB, having been padded with extra files such as PDFs to make it look more like a legitimate installer.
Per AppleInsider’s technical description:
“The installer app does not actually contain the malware itself. Instead, after running, it pulls a secondary payload from a server that houses and installs the malware on the target system.
The attack itself is ultimately still an encoded dropper, with researchers seeing many of the usual indicators of being MacSync Stealer. The main difference is that the use of a notarized and signed app allowed the first stage to get past Gatekeeper’s protections.”
Researchers at Jamf have noted that the app demonstrates how malware authors are continuing to “evolve their delivery methods” to maximize infections, and that the group had never seen a Swift-based, code-signed, and notarized form, complete with a second-stage payload.
Given that this is a notarized and signed app, it doesn’t trigger Gatekeeper’s initial intervention stages. Jamf has stated that it reported the associated Developer Team ID to Apple, and the associated certificate has been revoked. The group also added that code directory hashes were not included as part of Apple’s revocation list at the time of the report’s publication.
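The inspection described above (code-signed, notarized, tied to a Developer Team ID) and the revocation note (certificate revoked, code directory hashes not yet on Apple's list) both come down to a few fields a responder can read out of Apple's own tools. The script below is an added example, not code from Jamf, AppleInsider or the malware authors: it wraps the real `codesign -dvvv` and `spctl --assess` commands, parses their output, and checks the Team ID and CDHash against local blocklists so that a defender is not relying solely on Apple's certificate revocation. The sample tool output, the Team ID `TEAMID0000` and the hash values are constructed placeholders, not values from the real installer.

```python
"""Inspect a macOS app bundle's signature and Gatekeeper verdict (added example)."""
import re
import subprocess
import sys

# Constructed sample of `codesign -dvvv` output for a hypothetical app.
# None of these values come from the installer described in the article.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.installer
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Hash type=sha256 size=32
CDHash=0123456789abcdef0123456789abcdef01234567
Signature size=8978
Authority=Developer ID Application: Example Dev (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2025 at 00:00:00
TeamIdentifier=TEAMID0000
Runtime Version=14.0.0
"""

# Constructed sample of `spctl --assess --type execute -vv` output.
SAMPLE_SPCTL_OUTPUT = """\
/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Dev (TEAMID0000)
"""


def parse_codesign(text):
    """Pull the fields a responder cares about out of `codesign -dvvv` output."""
    fields = {"identifier": None, "team_id": None, "cdhash": None,
              "authorities": [], "hardened_runtime": False, "timestamped": False}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Identifier":
            fields["identifier"] = value
        elif key == "TeamIdentifier":
            fields["team_id"] = value
        elif key == "CDHash":
            # The code directory hash is what Apple can revoke independently
            # of the signing certificate; keep it normalised for comparison.
            fields["cdhash"] = value.strip().lower()
        elif key == "Authority":
            fields["authorities"].append(value)
        elif key == "Timestamp":
            fields["timestamped"] = True
        elif key.startswith("CodeDirectory"):
            m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", line)
            if m and "runtime" in m.group(1).split(","):
                fields["hardened_runtime"] = True
    return fields


def parse_spctl(text):
    """Read Gatekeeper's verdict and the reason it gave from `spctl -vv` output."""
    result = {"accepted": False, "source": None, "origin": None}
    for line in text.splitlines():
        if line.endswith(": accepted"):
            result["accepted"] = True
        elif line.startswith("source="):
            result["source"] = line[len("source="):]
        elif line.startswith("origin="):
            result["origin"] = line[len("origin="):]
    return result


def evaluate(sig, assessment, blocked_team_ids=frozenset(), blocked_cdhashes=frozenset()):
    """Turn the parsed fields into findings; blocklists are the defender's own."""
    findings = []
    if sig["team_id"] and sig["team_id"] in blocked_team_ids:
        findings.append("Team ID %s is on the local blocklist" % sig["team_id"])
    if sig["cdhash"] and sig["cdhash"] in {h.lower() for h in blocked_cdhashes}:
        findings.append("CDHash %s is on the local blocklist" % sig["cdhash"])
    if assessment["accepted"] and assessment["source"] == "Notarized Developer ID":
        findings.append("Gatekeeper accepts this app as notarized; notarization is "
                        "not a malware verdict, so check Team ID and CDHash against threat intel")
    return findings


def inspect(path):
    """Run the real tools on macOS. Both report on stderr, so capture both streams."""
    cs = subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True)
    sp = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", path],
                        capture_output=True, text=True)
    return parse_codesign(cs.stderr + cs.stdout), parse_spctl(sp.stderr + sp.stdout)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        signature, verdict = inspect(sys.argv[1])
    else:  # no path given: demonstrate on the constructed samples
        signature, verdict = parse_codesign(SAMPLE_CODESIGN_OUTPUT), parse_spctl(SAMPLE_SPCTL_OUTPUT)
    for finding in evaluate(signature, verdict, blocked_team_ids={"TEAMID0000"}):
        print(finding)
```

For a `.pkg` rather than an app bundle, the equivalent checks are `spctl --assess --type install` and `pkgutil --check-signature`. Blocking on the CDHash as well as the Team ID matters here because, as Jamf noted, a certificate revocation can land before the hashes do.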
As always, Mac users will need to be vigilant about their digital hygiene and be cautious. This includes being aware of what they are installing and where they are installing it from, such as a trusted developer's website or the Mac App Store.
Stay tuned for additional details as they become available.
Via AppleInsider and Jamf Threat Labs