According to a ChainCatcher report, SlowMist Chief Information Security Officer 23pds said that the MacSync Stealer malware active on macOS has evolved significantly and that user assets have already been stolen.
The forwarded article notes that the malware has moved on from early low-effort lures such as "drag to Terminal" and "ClickFix" to code-signed Swift applications notarized by Apple, which makes it much harder to spot. Researchers found that the sample spreads as a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, posing as an instant messaging or utility application to get users to download it. Unlike earlier versions, the new version requires no terminal interaction from the user: a bundled Swift helper fetches encoded scripts from a remote server and executes them to carry out the data theft.
The malicious program is code-signed and has passed Apple's notarization under developer Team ID GNJLS3UYZ4, and at the time of analysis Apple had not revoked the relevant hash. This gives it a higher level of "trust" under the default macOS security mechanisms and makes it easier to get past user vigilance. The researchers also found that the DMG is unusually large and contains decoy files such as LibreOffice-related PDFs to further reduce suspicion.
Security researchers point out that this type of information-stealing trojan typically targets browser data, account credentials, and cryptocurrency wallet data. As malware begins to systematically abuse Apple's signing and notarization mechanisms, the risk of phishing and private-key leakage for cryptocurrency users on macOS is rising.
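Because notarization alone no longer signals a safe binary, a defender can at least pin the signer: the Team ID reported by `codesign` is a stable identifier to check against threat intelligence. The following shell helper is an added example, not code from the original report or from SlowMist; it parses the output of `codesign -dv --verbose=4 <App.app> 2>&1` (fed on stdin) and rejects unsigned bundles or any whose Team ID is on a blocklist, seeded here with the GNJLS3UYZ4 Team ID named above. The sample `codesign` output and the "Example Dev" signer name are constructed for the demo.

```shell
#!/bin/sh
# Added example: flag a macOS code signature whose Team ID is blocklisted.
# Usage on a Mac:  codesign -dv --verbose=4 /path/To.app 2>&1 | sh check_team.sh
# Team IDs are separated by whitespace; extend the list from your own intel.
BLOCKED_TEAM_IDS="GNJLS3UYZ4"

# Print the value of the TeamIdentifier= line from codesign output on stdin.
extract_team_id() {
  sed -n 's/^TeamIdentifier=\(.*\)$/\1/p' | head -n 1
}

# Read codesign output on stdin, print a verdict, and return 0 (allow) or
# 1 (reject). Ad-hoc and unsigned binaries report "not set" or nothing at all.
check_team_id() {
  team_id=$(extract_team_id)
  if [ -z "$team_id" ] || [ "$team_id" = "not set" ]; then
    echo "REJECT: no Team ID (unsigned or ad-hoc signature)"
    return 1
  fi
  for blocked in $BLOCKED_TEAM_IDS; do
    if [ "$team_id" = "$blocked" ]; then
      echo "REJECT: Team ID $team_id is on the blocklist"
      return 1
    fi
  done
  echo "OK: Team ID $team_id not blocklisted (still verify with spctl)"
  return 0
}

# Constructed sample of codesign output for a bundle signed by the Team ID
# reported in the article (the "Example Dev" name is a placeholder).
SAMPLE_CODESIGN_OUTPUT='Executable=/Volumes/Installer/App.app/Contents/MacOS/App
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Dev (GNJLS3UYZ4)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GNJLS3UYZ4'

# Demo on the constructed sample; the exit status is the verdict, ignored here.
printf '%s\n' "$SAMPLE_CODESIGN_OUTPUT" | check_team_id || :
```

A blocklist only catches signers you already know about; a Team ID that passes should still be checked with `spctl --assess` and treated as an allow-list decision, not proof the software is benign.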
