macOS Trojan Update: Spreading through Signed App with User Data Encryption Poses Increased Stealth Risk

BlockBeats News, December 23, SlowMist Chief Security Officer 23pds shared a post stating that the MacSync Stealer malware active on the macOS platform has shown significant evolution, with user assets already being stolen. The article shared by him mentioned that from early-stage techniques relying on "drag-and-drop to terminal" and "ClickFix" for easy lure, it has upgraded to code signing and utilizing Apple notarized Swift applications, significantly enhancing its stealthiness.

Researchers found that this sample is being spread in the form of a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, disguised as an instant messaging or utility application to lure users into downloading it. Unlike the past, the new version no longer requires any terminal operations from the user but instead is pulled and executed by a built-in Swift helper from a remote server to carry out the information theft process.

This malware has been successfully code signed and notarized by Apple, with the developer team ID being GNJLS3UYZ4, and the related hashes have not been revoked by Apple at the time of analysis. This means that it enjoys higher "trustworthiness" under the default macOS security mechanism, making it easier to bypass user vigilance. The research also discovered that the DMG file size is unusually large, containing bait files such as PDFs related to LibreOffice to further lower suspicion.

Security researchers pointed out that such information-stealing trojans often target browser data, account credentials, and cryptocurrency wallet information. As malware increasingly abuses Apple's signing and notarization mechanisms, cryptocurrency users in the macOS environment are facing rising phishing and private key exposure risks.