Security researchers report a notable evolution of the MacSync Stealer on macOS, leveraging Apple notarization and code signing to raise its trust level. The malware is distributed as a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, masquerading as messaging or utility software.
Unlike earlier variants, the current sample omits manual terminal steps; it autonomously downloads and executes a built-in Swift helper from a remote server to harvest data, including credentials and cryptocurrency wallets information, with the developer team ID reported as GNJLS3UYZ4.
Analysis indicates the DMG is unusually large and contains decoy files to widen the window before detection. By abusing Apple’s signing framework, the threat actor strengthens its stealth, while decoys such as LibreOffice PDFs reduce user suspicion.
Mac cryptocurrency wallets and browser credentials are frequent targets for these information-stealing trojans. To mitigate risk, enable threat prevention and advanced threat control on endpoints, and configure Jamf to operate in blocking mode.
Source: https://en.coinotag.com/breakingnews/macsync-stealer-evolves-on-macos-with-apple-notarized-swift-delivery-targeting-cryptocurrency-wallets
