CoinVoice has recently learned that SlowMist's Chief Information Security Officer, 23pds, has shared a post stating that the MacSync Stealer malware active on macOS has evolved significantly and has already stolen user assets.
The forwarded article notes that the malware has moved on from earlier low-barrier lure techniques, such as 'drag into Terminal' and 'ClickFix', to code-signed Swift applications notarized by Apple, which significantly improves its concealment. Researchers found that the sample spreads as a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, disguised as an instant-messaging or utility application to lure users into downloading it. Unlike previous versions, the new version requires no terminal operations from the user: a built-in Swift helper pulls encoded scripts from a remote server and executes them, completing the information-theft chain on its own.
The malicious program is code-signed and has passed Apple's notarization, under the developer Team ID GNJLS3UYZ4; at the time of analysis, Apple had not revoked the related hash. This gives it a higher level of 'trust' under macOS's default security mechanisms, making it easier to slip past users' vigilance. The research also found that the DMG is abnormally large and contains decoy files, such as LibreOffice-related PDFs, to further reduce suspicion.
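A practitioner receiving such a DMG would want to read the signer's Team ID off the bundle before trusting the notarization. The following POSIX shell helper is an added example, not code from the report or from SlowMist: it parses the output of `codesign -dv --verbose=4`, flags the GNJLS3UYZ4 Team ID named above, and the sample output and blocklist it uses are constructed.

```shell
#!/bin/sh
# Added example (not from the original report). Team ID GNJLS3UYZ4 is the
# one named in the report; the sample codesign output below is constructed.

# Developer Team IDs a defender has decided to block (assumed list).
BLOCKED_TEAM_IDS="GNJLS3UYZ4"

# Print the TeamIdentifier value found in `codesign -dv --verbose=4` output,
# or "none" when the text carries no such line.
extract_team_id() {
  printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1 | grep . || echo none
}

# Succeed (exit 0) when the given Team ID is on the blocklist.
is_blocked_team() {
  for id in $BLOCKED_TEAM_IDS; do
    [ "$1" = "$id" ] && return 0
  done
  return 1
}

# Classify codesign output: "BLOCKED <id>", "SIGNED <id>" or "NO_TEAM_ID".
# codesign prints "TeamIdentifier=not set" for ad-hoc or non-Developer-ID
# signatures, which is treated the same as a missing Team ID.
classify_signature() {
  team=$(extract_team_id "$1")
  case "$team" in
    none|"not set") echo NO_TEAM_ID ;;
    *)
      if is_blocked_team "$team"; then
        echo "BLOCKED $team"
      else
        echo "SIGNED $team"
      fi
      ;;
  esac
}

# On macOS, run it against a real bundle (codesign reports on stderr):
#   classify_signature "$(codesign -dv --verbose=4 /path/To/App.app 2>&1)"
# and confirm the notarization ticket separately with:
#   spctl --assess --type exec -vv /path/To/App.app
```

A blocked or missing Team ID is a reason to quarantine the installer; a clean result only says the signer is not on your list, not that the bundle is safe.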
Security researchers have pointed out that information-stealing trojans of this kind typically target browser data, account credentials, and cryptocurrency wallet information. As malware begins to systematically abuse Apple's signing and notarization mechanisms, the risk of phishing and private-key leakage for crypto-asset users on macOS is rising.
