macOS stealer found in Apple/Bash payload

A macOS stealer has been found camouflaged inside a partially obfuscated AppleScript and Bash payload delivered via a DMG trojan. The campaign uses phishing, masquerading as legitimate apps, and memory-based execution to steal credentials and sensitive data. #AppleScript #Bash #DMGtrojan #GatekeeperBypass #Notion #GTA6 #MoonlockLab

Keypoints

  • A macOS stealer is concealed in a DMG trojan with a partially obfuscated AppleScript and Bash payload.
  • The attack relies on phishing URLs and social engineering, masquerading as familiar apps like Notion and GTA6 to bypass Gatekeeper.
  • An AppleApp Mach-O file downloads and executes the payload in memory, avoiding writes to the filesystem.
  • Data exfiltration occurs via a hidden folder, with the payload communicating with a remote host (Russian IP) to fetch more data or payloads.
  • The infection chain begins with a malicious DMG and includes a remote URL (Russian IP) hosting the payload: 79.137.192.4:443/strings.
  • Observed IOCs include specific SHA-256 hashes linked to the payload and DMG components.

MITRE Techniques

  • [T1566.001] Phishing – The attacker delivers a malicious DMG trojan via phishing URLs and a deceptive image to lure installation. Quote: “propagation of infection by this stealer originated from a malicious trojan DMG file packed in a DMG format, possibly disseminated to unsuspecting macOS users via phishing URLs.”
  • [T1036] Masquerading – The malware disguises itself as legitimate apps (Notion and GTA6) to trick users into running it. Quote: “These files assumed the guise of well-known applications such as Notion and GTA6.”
  • [T1562.001] Impair Defenses (Gatekeeper bypass) – The trojan prompts users to bypass Gatekeeper, evading macOS’ security checks. Quote: “persuading the user to bypass macOS’s Gatekeeper security feature.”
  • [T1105] Ingress Tool Transfer – The dropper downloads a partially obfuscated AppleScript and Bash payload from a remote source and executes it. Quote: “downloads a partially obfuscated AppleScript and Bash payload… and execute it in the Mac’s memory.”
  • [T1059.004] Command and Scripting Interpreter: Bash – The delivered payload includes Bash components executed on the system. Quote: “AppleScript and Bash payload.”
  • [T1027] Obfuscated/Compressed Files – The payload is partially obfuscated to hinder analysis. Quote: “partially obfuscated AppleScript and Bash payload.”
  • [T1082] System Information Discovery – The malware uses system_profiler to collect hardware/software configuration details. Quote: “gathers detailed information about users’ hardware and software configurations.”
  • [T1555.003] Credentials From Web Browsers – It targets cookies, form history, and browser login credentials across major browsers and wallets. Quote: “targeting sensitive data repositories across various applications and databases… including cookies, form history, and login credentials from popular web browsers…”
  • [T1041] Exfiltration – Data exfiltration occurs via a secret folder to siphon collected data. Quote: “Data exfiltration” and “secret folder within users’ home directories.”

Indicators of Compromise

  • [SHA256] AppleScript and Bash payload – 511a01dcb0fe86c9f2f432400a28487d53e83cdb03af7701f28511f260eb1a83
  • [SHA256] Trojan DMG – b575ff5af6ea232b74fba11893d2f861de3ccc56f5a983dbe54aa5162f480cd2
  • [SHA256] Malware macho – 3aa1dd8ef5c19901af7c50f32e25a047f5fcc30d76ca6dca3068605817db5e34
  • [IP] IP address associated with payload and phishing sites – 79.137.192.4:443
  • [URL] Remote payload URL where the AppleScript and Bash payload is stored – https://79.137.192.4:443/strings
  • [File name] Trojan DMG file used in infection – App_v1.0.4.dmg
  • [File name] Mach-O payload executed in memory – AppleApp
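As an added hunting example (not part of the original report), the following Python matches the indicators above and the chain they describe against a constructed sample of endpoint telemetry: a process running off a mounted DMG that connects to the listed host and then spawns an interpreter with an inline script, i.e. the in-memory AppleScript/Bash execution described in the keypoints. The JSON-lines event shape, the volume path /Volumes/App_v1.0.4 and the non-IOC hashes are assumptions constructed for the sample.

```python
import json

# IoCs exactly as listed in the report above
IOC_SHA256 = {
    "511a01dcb0fe86c9f2f432400a28487d53e83cdb03af7701f28511f260eb1a83": "AppleScript/Bash payload",
    "b575ff5af6ea232b74fba11893d2f861de3ccc56f5a983dbe54aa5162f480cd2": "Trojan DMG",
    "3aa1dd8ef5c19901af7c50f32e25a047f5fcc30d76ca6dca3068605817db5e34": "Malware Mach-O (AppleApp)",
}
IOC_HOST = "79.137.192.4"
INTERPRETERS = {"osascript", "bash", "sh", "zsh"}

# Constructed sample telemetry (hypothetical EDR export, JSON lines, not real data):
# a Mach-O launched from a mounted DMG contacts the IoC host and pipes the fetched
# script into osascript; a legitimate app running a script file is included as a control.
SAMPLE_EVENTS = """
{"type":"exec","pid":501,"ppid":1,"path":"/Applications/Notion.app/Contents/MacOS/Notion","args":[],"sha256":"aaaa"}
{"type":"exec","pid":742,"ppid":1,"path":"/Volumes/App_v1.0.4/AppleApp","args":[],"sha256":"3aa1dd8ef5c19901af7c50f32e25a047f5fcc30d76ca6dca3068605817db5e34"}
{"type":"connect","pid":742,"dst":"79.137.192.4","port":443}
{"type":"exec","pid":743,"ppid":742,"path":"/usr/bin/osascript","args":["-e","<inline script>"],"sha256":"bbbb"}
{"type":"exec","pid":744,"ppid":501,"path":"/bin/bash","args":["/Users/u/build.sh"],"sha256":"cccc"}
"""


def load_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def hunt(events):
    """Return (pid, rule, detail) findings for the DMG -> Mach-O -> in-memory script chain."""
    findings = []
    execs = {e["pid"]: e for e in events if e["type"] == "exec"}
    # Rule 1/2: direct indicator matches on file hash and on the remote host
    for e in events:
        if e["type"] == "exec" and e.get("sha256") in IOC_SHA256:
            findings.append((e["pid"], "ioc_hash", IOC_SHA256[e["sha256"]]))
        if e["type"] == "connect" and e.get("dst") == IOC_HOST:
            findings.append((e["pid"], "ioc_host", IOC_HOST))
    # Rule 3: behavioural match that survives hash/IP rotation: an interpreter whose
    # parent runs off a mounted DMG and whose script arrives inline or on stdin
    # (no script file on disk), matching the in-memory execution described above.
    for e in execs.values():
        parent = execs.get(e["ppid"])
        if parent is None or not parent["path"].startswith("/Volumes/"):
            continue
        name = e["path"].rsplit("/", 1)[-1]
        inline = not e["args"] or "-e" in e["args"] or "-c" in e["args"]
        if name in INTERPRETERS and inline:
            findings.append((e["pid"], "dmg_inmemory_interpreter", parent["path"]))
    return findings
```

The behavioural rule is the one worth keeping after the hashes and IP change; tune the /Volumes/ check to your environment if users legitimately run software straight from mounted images.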

Read more: https://moonlock.com/macos-stealer-apple-bash-payload