macOS Trojan Upgrade: Disguised Distribution via Signed Applications, Users Face More Concealed Risks
Dec 23, 2025 14:31:06
SlowMist CISO 23pds shared an article reporting that MacSync Stealer, an infostealer active on macOS, has evolved significantly and that user assets have already been stolen.
According to the forwarded article, the malware has moved on from its earlier low-effort lures, such as asking victims to "drag this into Terminal" or follow "ClickFix" instructions, and now ships as a Swift application that is code-signed with a Developer ID and notarized by Apple, which makes it considerably harder to notice. Researchers found the sample distributed as a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, posing as an instant-messaging or utility app to get users to download it. Unlike earlier versions, the new one needs no Terminal action from the victim: a bundled Swift helper fetches encoded scripts from a remote server and executes them to carry out the data theft.
The binary is code-signed and notarized by Apple under developer Team ID GNJLS3UYZ4, and at the time of analysis Apple had not revoked the signature or the notarization tied to the binary's hash. A valid Developer ID signature plus a notarization ticket is exactly what Gatekeeper checks by default, so the app opens without the usual "cannot be verified" warning and is far less likely to raise the user's suspicion. Note that notarization only means Apple's automated scan found no known malware at submission time; it is not a statement that the app is benign. The researchers also note that the DMG is unusually large, padded with decoy files such as LibreOffice-related PDFs to look legitimate.
Security researchers point out that infostealers of this kind typically go after browser data, account credentials and cryptocurrency wallet material. As malware begins to systematically abuse Apple's signing and notarization pipeline, cryptocurrency users on macOS face a growing risk of phishing and private-key theft.
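Because a valid Developer ID signature and notarization ticket are what Gatekeeper trusts, the practical check for a suspicious download is to look at who signed it rather than whether it is signed. The script below is an added example, not code from the article or from SlowMist: it dumps a file's signature with codesign(1), extracts the TeamIdentifier line, and flags it when it matches a known-bad Team ID (GNJLS3UYZ4, the one the article attributes to this sample, is the only value taken from the page). The sample codesign report embedded at the bottom is constructed for offline testing, and the bundle identifier and paths in it are made up.

```shell
#!/bin/sh
# Added triage helper (example only, not the article's or any vendor's tool).
# On macOS, `codesign -dvv <path>` prints the signing chain and Team ID on
# stderr; we parse that report and flag Team IDs on a local blocklist.

# Known-bad Developer Team IDs.  GNJLS3UYZ4 is the ID reported for the
# MacSync Stealer sample; extend the list from your own IOC feed.
BAD_TEAM_IDS="GNJLS3UYZ4"

# Read a codesign report on stdin and print the TeamIdentifier value.
extract_team_id() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Exit 0 if the given Team ID is on the blocklist, 1 otherwise.
team_id_is_bad() {
    tid="$1"
    for bad in $BAD_TEAM_IDS; do
        [ "$tid" = "$bad" ] && return 0
    done
    return 1
}

# Classify one codesign report (passed as a string).  Prints one of:
#   UNSIGNED | ADHOC | SIGNED <teamid> | FLAGGED <teamid>
classify_report() {
    report="$1"
    if printf '%s\n' "$report" | grep -q 'code object is not signed'; then
        echo UNSIGNED
        return
    fi
    tid=$(printf '%s\n' "$report" | extract_team_id)
    # Ad-hoc signatures carry no team: codesign prints "TeamIdentifier=not set".
    if [ -z "$tid" ] || [ "$tid" = "not set" ]; then
        echo ADHOC
        return
    fi
    if team_id_is_bad "$tid"; then
        echo "FLAGGED $tid"
    else
        echo "SIGNED $tid"
    fi
}

# Run the check against a real .app or .dmg.  Only works on macOS, where
# codesign and spctl exist; spctl gives Gatekeeper's own verdict for comparison.
triage_path() {
    path="$1"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available; run this on macOS" >&2
        return 2
    fi
    report=$(codesign -dvv "$path" 2>&1)
    classify_report "$report"
    case "$path" in
        *.dmg|*.pkg) kind=install ;;
        *)           kind=exec ;;
    esac
    spctl -a -vv -t "$kind" "$path" 2>&1 | sed 's/^/spctl: /'
}

# Constructed sample report, shaped like real `codesign -dvv` output, with a
# made-up bundle identifier and path.  Used when no path argument is given.
SAMPLE_REPORT='Executable=/Volumes/zk-call-messenger/Helper.app/Contents/MacOS/Helper
Identifier=com.example.helper
Format=app bundle with Mach-O thin (arm64)
Authority=Developer ID Application: Example Dev (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GNJLS3UYZ4
Runtime Version=14.0.0'

if [ "$#" -gt 0 ]; then
    triage_path "$1"
else
    classify_report "$SAMPLE_REPORT"
fi
```

Run it as `sh triage.sh ~/Downloads/zk-call-messenger-installer-3.9.2-lts.dmg` on a Mac; with no argument it classifies the embedded sample and prints `FLAGGED GNJLS3UYZ4`. A FLAGGED result on a file that spctl still accepts is exactly the situation the article describes: Gatekeeper is satisfied because the signature and notarization are valid, so the Team ID check has to be your own.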