Updated macOS Malware Uses a Code-Signed Swift App to Bypass Built-In macOS Gatekeeper Protections

A new variant of the MacSync Stealer malware uses a code-signed, notarized Swift application to get past Apple’s macOS Gatekeeper protections. Where macOS malware has usually had to convince the user to perform manual actions to evade Gatekeeper, this version ships as a properly signed app that opens with an ordinary double-click.

Researchers at Jamf Threat Labs on Tuesday announced the discovery of a new variant of MacSync Stealer that takes advantage of the notarization system designed to protect your machine.

In the past, bad actors were forced to dupe users into performing manual actions to install MacSync Stealer on their Mac, such as convincing them to drag script files into a Terminal window, or other actions.

The new version installs an app that is code-signed and notarized. Users are instructed to open an installer for an app called “zk-Call & Messenger,” which is downloaded from a web browser.

While previous versions required users to right-click the file and choose “Open” from the contextual menu (the manual override for an unsigned app), the new version is a signed, notarized executable, meaning it runs with a quick double-click of the mouse or trackpad and no Gatekeeper warning.

Jamf Threat Labs found that the MacSync Stealer executable is both code-signed and notarized, as well as being associated with a Developer Team ID.

Although the malicious script driving the malware is small compared with a typical Mac app, the bundle has been padded with extra files to a more app-like 25.5MB.

Since the installer itself contains no malware, it sets off no alarms: what Apple scanned and notarized is only a downloader. Once the app is run for the first time, it downloads the malicious payload and installs it on the system, so the signature and notarization ticket vouch for the stager, not for what it fetches later.

Jamf says malware authors continue to “evolve their delivery methods” as they look to infect the maximum number of machines.

Jamf has reported the malware installer’s Developer Team ID to Apple, and says that the associated signing certificate has been revoked. Unfortunately, the code directory hashes (CDHashes) of the binaries themselves had not been added to Apple’s revocation list at the time of the report.
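The two facts Jamf used to characterise the sample, which Team ID signed the bundle and whether Apple still trusts that signature after revocation, are both visible from the command line. The script below is an added example, not code from Jamf’s report or from this article: it parses the output of `codesign -dv --verbose=4` into the fields a responder wants (identifier, Team ID, CDHash, notarization ticket), asks `spctl` for the verdict Gatekeeper would give, and lists the largest files in the bundle, which is where padding like the 25.5MB described above shows up. The embedded sample output, the Team ID `ABCDE12345` and the all-zero CDHash are constructed placeholders, not values from the real malware.

```shell
#!/bin/sh
# Added example (not from the Jamf report or the article): triage the signing
# state of a macOS app bundle. A valid signature and Team ID say nothing about
# behaviour; they only tell you who signed and whether Apple still trusts it.

# Read codesign's verbose output on stdin and print the value of one key.
# Usage: printf '%s\n' "$output" | codesign_field TeamIdentifier
codesign_field() {
    key="$1"
    sed -n "s/^${key}=//p" | head -n 1
}

# Pull the Team ID out of the first Authority= line, e.g.
# "Authority=Developer ID Application: Some Vendor (ABCDE12345)" -> ABCDE12345
leaf_team_id() {
    sed -n 's/^Authority=.*(\([A-Z0-9]\{10\}\))$/\1/p' | head -n 1
}

# Summarise captured codesign output (stdin) as "teamid cdhash ticket",
# printing "none" for any field that is absent (an unsigned or ad-hoc binary).
summarize_signature() {
    out=$(cat)
    team=$(printf '%s\n' "$out" | codesign_field TeamIdentifier)
    cdhash=$(printf '%s\n' "$out" | codesign_field CDHash)
    ticket=$(printf '%s\n' "$out" | codesign_field "Notarization Ticket")
    printf '%s %s %s\n' "${team:-none}" "${cdhash:-none}" "${ticket:-none}"
}

# Live check on a real bundle (macOS only). codesign writes its report to
# stderr, hence 2>&1. spctl applies the same policy Gatekeeper does, so a
# bundle signed with a revoked Developer ID certificate comes back "rejected".
# The file listing surfaces padding: large files that have no business in a
# small Swift downloader.
triage_app() {
    app="$1"
    echo "== signature (teamid cdhash ticket)"
    codesign -dv --verbose=4 "$app" 2>&1 | summarize_signature
    echo "== gatekeeper verdict"
    spctl --assess --type execute -vv "$app" 2>&1 || true
    echo "== five largest files in bundle"
    find "$app" -type f -exec ls -l {} + | sort -k5 -rn | head -n 5
}

# Constructed sample of codesign output with placeholder Team ID and CDHash
# (not from the real malware), so the parser can be exercised offline.
SAMPLE='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
CDHash=0000000000000000000000000000000000000000
Authority=Developer ID Application: Example Vendor (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Notarization Ticket=stapled
TeamIdentifier=ABCDE12345'

if [ "$#" -gt 0 ]; then
    triage_app "$1"        # e.g. ./triage.sh "/Applications/Some App.app"
else
    printf '%s\n' "$SAMPLE" | summarize_signature
fi
```

Run it with a bundle path on a Mac to get the live report; with no arguments it only exercises the parser on the constructed sample. A `rejected` verdict from `spctl` after Apple revokes a certificate is the expected outcome for a fresh download; a copy that was already launched and approved before revocation is a separate question, which is why the CDHash in the summary is worth keeping as an indicator in its own right.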

Mac users need to protect themselves by staying aware of what they install on their machines and keeping to the well-lit areas of the internet: install apps only from trusted developers and the Mac App Store, and treat an installer that arrives as a browser download from a site you did not go looking for with suspicion, signed or not.

Chris Hauk

Chris is a Senior Editor at Mactrast. He lives somewhere in the deep Southern part of America, and yes, he has to pump in both sunshine and the Internet.