Executive Summary

Cybersecurity researchers have uncovered a new variant of the MacSync info-stealer that is being distributed through a sophisticated dropper designed to evade Apple's built-in security controls. The malware is hidden within a .dmg installer for a fake messaging application. Critically, the dropper has been digitally signed with a valid developer certificate and has passed Apple's automated notarization process. This allows it to bypass macOS's Gatekeeper feature, which is designed to block untrusted software. This campaign highlights how threat actors can abuse platform trust mechanisms to deploy malware, underscoring that even notarized applications can be malicious.

Threat Overview

The attack begins when a user is tricked into downloading a disk image file named zk-call-messenger-installer-3.9.2-lts.dmg from a malicious website designed to look like a legitimate software download page. The file contains what appears to be an installer for a messaging app.

The key to this attack's success is its subversion of macOS security features. Gatekeeper is a core macOS security technology that, by default, ensures only software from the App Store or from identified, notarized developers can run. Notarization is an automated service where developers submit their apps to Apple to be scanned for malicious components. A notarized app receives a 'ticket' from Apple, assuring Gatekeeper that the software has been checked and is safe to open.

In this campaign, the threat actors managed to get their malicious dropper notarized, likely by ensuring the initial dropper application contained no overtly malicious code that Apple's automated scanner could detect. Once the user runs the seemingly legitimate installer, it then proceeds to download and execute the MacSync info-stealer payload, which is designed to steal credentials, cookies, and other sensitive data from the victim's machine.

Technical Analysis

• Malware: MacSync (Information Stealer)
• Delivery Vehicle: Malicious disk image (zk-call-messenger-installer-3.9.2-lts.dmg)
• Evasion Tactic: The dropper application is both digitally signed with a valid Apple Developer ID and has been successfully notarized by Apple.

MITRE ATT&CK Techniques

• T1553.002 - Code Signing: The attackers used a valid digital signature to make the malware appear legitimate and to pass initial security checks. This is a form of masquerading.
• T1204.002 - Malicious File: The user is induced to execute the malicious .dmg file, believing it to be a legitimate installer.
• T1140 - Deobfuscate/Decode Files or Information: The dropper likely contains an encoded or encrypted payload (the MacSync stealer) that it decodes and runs only after execution, a technique used to evade static analysis during notarization.
• T1059.007 - JavaScript/JXA: macOS malware often uses AppleScript or JavaScript for Automation (JXA) to execute secondary payloads, a likely method for the dropper.

Impact Assessment

The primary impact is the theft of sensitive information from macOS users, which can lead to financial loss, account takeovers, and identity theft. More broadly, this attack erodes trust in Apple's ecosystem security. Users are trained to trust notarized apps, and this campaign demonstrates that this trust can be misplaced. It forces Apple to continually refine its automated scanning and developer vetting processes, and it reminds security professionals that platform-level controls like Gatekeeper are not foolproof.

IOCs

Detection & Response

1. Endpoint Detection and Response (EDR): macOS-aware EDR solutions are crucial. They can monitor for suspicious process chains (e.g., an installer making unexpected network connections to download a second-stage payload) and detect the behavioral patterns of info-stealers, such as accessing browser credential stores.
2. Network Monitoring: Monitor outbound network traffic from endpoints, especially after a new application is installed. Connections to unknown or suspicious domains can indicate a malware C2 channel.
3. D3FEND Techniques: Utilize D3-PA - Process Analysis to identify when the seemingly benign installer spawns malicious child processes. D3-OTF - Outbound Traffic Filtering can block the malware from exfiltrating stolen data.

Mitigation

1. User Education: Train users to be cautious about downloading software from outside the official Mac App Store. Even if an app is notarized, they should only download it from the official developer's website.
2. Application Control: In enterprise environments, use application control or allowlisting solutions to restrict execution to a limited set of approved software. This prevents users from running unauthorized applications, malicious or not.
3. Least Privilege: Ensure user accounts do not have administrative privileges unless absolutely necessary. This can limit a malware's ability to install itself persistently or access system-level files.
4. D3FEND Countermeasures: Implementing D3-EAL - Executable Allowlisting is a powerful mitigation, as it would prevent the malicious zk-call-messenger-installer from running in the first place if it's not on the approved list. This provides a much stronger defense than relying on Apple's notarization process alone.