Analysts at Jamf Threat Labs identified a new MacSync Stealer variant that leverages legitimate Apple certificates to bypass security barriers. This allows the application to run on devices without triggering Gatekeeper system warnings.
The Execution Flow
Attackers distribute the malware disguised as a ZK Call messenger installer. In a shift from previous versions that required manual terminal inputs, this variant arrives as a standard disk image.
The application carries an official Apple notarization signature. This tactic establishes the software as a trusted entity within the operating system.
To hide its intent, the archive includes decoy PDF documents mimicking the LibreOffice suite. Before executing the payload, the program validates the file type and forcibly removes the quarantine attribute, the flag Gatekeeper uses to mark files that came from the internet. The stealer then displays ordinary-looking dialog windows that collect sensitive information under the guise of system requests, and eventually transmits the stolen passwords and keys to the attackers.
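The two properties the article describes, a valid notarization and a stripped quarantine attribute, can both be inspected on a suspicious disk image before anything is launched. The POSIX shell script below is an added triage helper, not code from the article or from Jamf. It assumes a macOS host for the live checks (`xattr` and `spctl`), while the parsing and verdict functions run on any shell; the quarantine values and `spctl` output in the comments are constructed samples.

```shell
#!/bin/sh
# Added triage helper (not from the article or Jamf). Live checks need macOS
# tools; the parsing functions below run anywhere.

# A com.apple.quarantine value looks like "flags;hex-timestamp;agent;uuid"
# (constructed sample: "0083;6579a1b2;Safari;E1A2B3C4-0000-1111-2222-333344445555").
# Print one named field: flags, timestamp, agent or uuid.
quarantine_field() {
  value=$1; field=$2
  case "$field" in
    flags) n=1 ;; timestamp) n=2 ;; agent) n=3 ;; uuid) n=4 ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$value" | cut -d ';' -f "$n"
}

# Download time as epoch seconds: the timestamp field is hex.
quarantine_epoch() {
  echo $((0x$(quarantine_field "$1" timestamp)))
}

# Classify the text that `spctl --assess --type execute -vv` prints.
# Gatekeeper reports "accepted" with a source such as
# "source=Notarized Developer ID", or "rejected" (for example after Apple
# revokes the certificate, as happened with this stealer).
classify_spctl() {
  case "$1" in
    *rejected*) echo rejected ;;
    *"source=Notarized Developer ID"*) echo notarized ;;
    *"source=Developer ID"*) echo developer-id ;;
    *) echo unknown ;;
  esac
}

# Combine the Gatekeeper class with whether the quarantine attribute is
# still present (yes/no). Notarization is a scan at a point in time, not an
# endorsement, so a notarized file still gets reviewed rather than trusted.
triage_verdict() {
  case "$1:$2" in
    rejected:*)    echo block ;;
    *:no)          echo suspicious-no-quarantine ;;
    notarized:yes) echo review-notarized ;;
    *)             echo review-unnotarized ;;
  esac
}

# Live inspection of one path on macOS. On other hosts the tools are absent
# and the function reports "unsupported" instead of guessing.
inspect_path() {
  path=$1
  if ! command -v xattr >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
    echo unsupported
    return 0
  fi
  if q=$(xattr -p com.apple.quarantine "$path" 2>/dev/null); then
    echo "downloaded by: $(quarantine_field "$q" agent) at epoch $(quarantine_epoch "$q")"
    present=yes
  else
    present=no
  fi
  class=$(classify_spctl "$(spctl --assess --type execute -vv "$path" 2>&1)")
  echo "gatekeeper: $class"
  triage_verdict "$class" "$present"
}

# Usage: sh triage.sh /Volumes/SomeImage/Some.app
if [ "$#" -gt 0 ]; then
  inspect_path "$1"
fi
```

Run it against each executable in a freshly mounted image. A file with no quarantine attribute is not automatically malicious (command-line downloads never get one), but when the rest of the image carries the attribute and one binary does not, that is exactly the self-unquarantining behaviour the article describes and worth a closer look.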
Apple revoked the developer certificate immediately after receiving the report from Jamf.
