Malware

Updated delivery method employed by MacSync malware

Malware analysis

BleepingComputer reports that the MacSync information-stealing malware has been distributed through a code-signed and notarized Swift application, removing the necessity for direct terminal interaction and representing a departure from ClicFix or drag-to-terminal tactics previously used to spread the macOS infostealer.

Attackers have used an encoded dropper to deliver the latest iteration of MacSync Stealer, which has been enhanced to evade the Gatekeeper security system, according to Jamf researchers. Aside from integrating decoy PDFs to inflate DMG file sizes and removing scripts in the execution chain, the updated MacSync Stealer also checks for internet connectivity prior to execution.

MacSync Stealer is a rebrand of threat actor Mentalpositive's Mac.C malware, which was previously noted by MacPaw Moonlock to have enabled the theft of iCloud keychain credentials, system metadata, browser-stored passwords, cryptocurrency wallet information, and filesystem data.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Adware

You can skip this ad in 5 seconds