macOS Trojan Upgrade: Distributed in Disguise via Signed Applications; Crypto Users Face More Hidden Risks
On December 23, 23pds, Chief Information Security Officer of SlowMist, shared that the MacSync Stealer malware active on macOS has evolved significantly and has already led to user assets being stolen. The article he forwarded notes that it has moved on from early, low-effort lures such as "drag it into the Terminal" and "ClickFix" to Swift applications that are code-signed and notarized by Apple, which greatly improves its concealment. Researchers found that the sample is distributed as a disk image named zk-call-messenger-installer-3.9.2-lts.dmg and entices users to download it by posing as an instant-messaging or utility application. Unlike earlier versions, the new version requires no terminal interaction from the user: a bundled Swift helper fetches encoded scripts from a remote server and executes them to carry out the data theft. The malware is code-signed and notarized by Apple under developer Team ID GNJLS3UYZ4, and at the time of analysis Apple had not revoked the associated hash. This gives it a higher level of "trust" under the default macOS security mechanisms, making it easier to slip past user vigilance. The research also found that the DMG is unusually large and contains decoy files such as LibreOffice-related PDFs to further reduce suspicion. Security researchers point out that information-stealing trojans of this kind typically target browser data, account credentials, and wallet information. As the malware begins systematically abusing Apple's signing and notarization mechanisms, the phishing and private-key leakage risks faced by cryptocurrency users on macOS are rising.
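The practical takeaway for defenders is that "signed and notarized" is a property you can read off a bundle and compare against known-abused Team IDs before trusting a download. The script below is an added example written for this page, not code from the article or from SlowMist. It uses the real macOS tools codesign and spctl, parses their text output for the TeamIdentifier and the Gatekeeper assessment, and flags the GNJLS3UYZ4 Team ID reported above; the blocklist format, function names and the sample tool outputs used for testing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): triage a downloaded macOS
# app bundle by its signing properties. Team ID GNJLS3UYZ4 is the one the
# article reports; extend BLOCKED_TEAM_IDS from your own threat intelligence.
BLOCKED_TEAM_IDS="GNJLS3UYZ4"

# Pull the TeamIdentifier= value out of `codesign -dv --verbose=4` output.
# codesign writes these details to stderr, so callers capture 2>&1.
parse_team_id() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Exit status 0 when the given Team ID is on the blocklist.
team_id_blocked() {
    for id in $BLOCKED_TEAM_IDS; do
        [ "$1" = "$id" ] && return 0
    done
    return 1
}

# Classify `spctl -a -vv` output. Gatekeeper reports a notarized Developer ID
# app as "source=Notarized Developer ID"; anything rejected is rejected.
parse_spctl() {
    case "$1" in
        *"source=Notarized Developer ID"*) echo notarized ;;
        *rejected*) echo rejected ;;
        *accepted*) echo accepted-unnotarized ;;
        *) echo unknown ;;
    esac
}

# Combine the parsed facts into a verdict. A known-abused Team ID wins over
# notarization: notarization is an automated Apple check, not proof that
# the bundle is benign, which is exactly what the article's sample exploits.
verdict() {
    team="$1"
    state="$2"
    if team_id_blocked "$team"; then
        echo "BLOCK: team id $team is on the blocklist"
        return 0
    fi
    case "$state" in
        notarized) echo "REVIEW: notarized under team $team; notarization alone is not a clean bill" ;;
        rejected)  echo "BLOCK: Gatekeeper rejects this bundle" ;;
        *)         echo "REVIEW: not notarized ($state)" ;;
    esac
}

# Live mode: run codesign and spctl against a real bundle (macOS only).
# Usage: triage_app /path/to/Some.app
triage_app() {
    app="$1"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available; run this on macOS" >&2
        return 2
    fi
    cs_out=$(codesign -dv --verbose=4 "$app" 2>&1)
    sp_out=$(spctl -a -vv "$app" 2>&1)
    verdict "$(parse_team_id "$cs_out")" "$(parse_spctl "$sp_out")"
}
```

On a Mac, `triage_app /Volumes/Installer/Some.app` prints one verdict line; because codesign and spctl are only present on macOS, the parsing functions are kept separate so the same logic can be exercised against captured output on any platform, and so the blocklist can be checked in a pipeline that only has the text of a previous analysis.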