The latest version of MacSync, a macOS information stealer, is delivered as a signed and notarized Swift application, marking a significant evolution in its evasion techniques. The signature was valid when the sample was first seen; Apple revoked the certificate after the sample was reported, but the campaign illustrates that notarization alone does not guarantee a binary is benign. #MacSync #Mentalpositive
Key points
- The new MacSync variant is distributed as a code-signed, notarized Swift application within a disk image.
- The malware bypassed macOS Gatekeeper checks until its digital certificate was revoked by Apple.
- It uses multiple evasion tactics, including decoy PDFs and network checks, to avoid detection.
- MacSync, also known as Mac.C, can steal iCloud credentials, browser passwords, and cryptocurrency wallets.
- The malware was developed in response to tighter macOS notarization policies introduced in version 10.14.5 and later.
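The Gatekeeper bypass described above works only while the signing certificate is still trusted, so the check a defender wants to run on a suspicious disk-image payload is whether the bundle's signature is valid, notarized, or already revoked. The script below is an added example, not code from the article or from any vendor: it wraps Apple's own `codesign`, `spctl` and `xcrun stapler` tools and maps their results to a short verdict. The verdict names and the app path are placeholders chosen here; the `CSSMERR_TP_CERT_REVOKED` and `code object is not signed` strings are the messages `codesign --verify` prints for a revoked certificate and an unsigned binary, and the classifier is written so it can be exercised on constructed output where those tools are absent.

```shell
#!/bin/sh
# Added example (not from the original article): triage a macOS app bundle
# extracted from a disk image by checking its signature, notarization and
# certificate revocation status with Apple's command-line tools.

# Map the exit status and stderr text of `codesign --verify` to a verdict.
# Verdict names are placeholders chosen for this example.
verdict_from_codesign() {
  status="$1"   # exit code of codesign --verify
  output="$2"   # text codesign wrote to stderr
  if [ "$status" -eq 0 ]; then
    echo "signed-valid"
  elif printf '%s' "$output" | grep -q 'CSSMERR_TP_CERT_REVOKED'; then
    # Signature is intact, but the Developer ID certificate has been revoked
    # by Apple, which is the state the MacSync sample ended up in.
    echo "signed-revoked"
  elif printf '%s' "$output" | grep -q 'code object is not signed'; then
    echo "unsigned"
  else
    # Modified or otherwise broken signature.
    echo "invalid"
  fi
}

# Run the full check against a bundle path such as /Volumes/Installer/Foo.app
# (placeholder). Returns 2 when the macOS tools are not available.
assess_app() {
  app="$1"
  if ! command -v codesign >/dev/null 2>&1; then
    echo "codesign not available; run this on macOS" >&2
    return 2
  fi
  cs_out=$(codesign --verify --deep --strict --verbose=2 "$app" 2>&1)
  cs_rc=$?
  echo "codesign:  $(verdict_from_codesign "$cs_rc" "$cs_out")"

  # Gatekeeper's own assessment: prints accepted/rejected and the
  # source (e.g. "Notarized Developer ID") on the verbose line.
  spctl --assess --type execute --verbose=2 "$app" 2>&1 | sed 's/^/spctl:     /'

  # Whether a notarization ticket is stapled to the bundle; an unstapled
  # app can still be notarized, so treat this as supporting evidence only.
  if xcrun stapler validate "$app" >/dev/null 2>&1; then
    echo "stapler:   notarization ticket stapled"
  else
    echo "stapler:   no stapled ticket (or validation failed)"
  fi
}

if [ $# -gt 0 ]; then
  assess_app "$1"
fi
```

A bundle that reports `signed-revoked` here is the case the article describes: it passed Gatekeeper when first distributed and is blocked only because the certificate has since been revoked, so the revocation date rather than the signature itself is what tells you how long the sample was installable.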