Jamf Threat Labs analyzed a newly observed MacSync Stealer dropper delivered as a code-signed, notarized Swift application distributed via a DMG (zk-call-messenger-installer-3.9.2-lts.dmg) that silently downloads and executes a base64-encoded second-stage payload using a Swift helper and shelling out to /bin/zsh. The campaign abuses notarization and signing to evade early detection, removes com.apple.quarantine, thwarts sandbox/offline analysis with internet checks and rate-limiting, and uses domains such as gatemaden.space and focusgroovy[.]com for payload delivery. #MacSyncStealer #JamfThreatLabs
Keypoints
- The observed dropper is a universal Mach-O Swift application that is code-signed and notarized (Developer Team ID GNJLS3UYZ4) and distributed inside zk-call-messenger-installer-3.9.2-lts.dmg.
- The installer silently checks for internet connectivity, enforces a ~3600s rate limit using ~/Library/Application Support/UserSyncWorker/last_up, and only then retrieves a second-stage payload for execution.
- Payload retrieval is performed by shelling out to /bin/zsh -lc and using curl to download to /tmp/runner, followed by validation (file --mime-type, spctl) and removal of com.apple.quarantine before execution.
- The second-stage payload matches prior MacSync Stealer behavior (base64 decode, gunzip, eval, fetch additional payloads from domains like focusgroovy[.]com) and the dropper deletes /tmp/runner after execution.
- The DMG is inflated with decoy files (PDFs) to appear legitimate; some samples had low AV detection on VirusTotal and the Developer Team ID certificate was reported and later revoked by Apple.
- This variant demonstrates an evolution from user-interactive techniques (drag-to-terminal, ClickFix) to a hands-off, signed/notarized native dropper approach, mirroring trends seen with other infostealers (e.g., Odyssey).
MITRE Techniques
- [T1059.004] Unix Shell – The dropper shells out to /bin/zsh -lc to build and run the curl command and execute the downloaded script (‘/bin/zsh -lc’).
- [T1105] Ingress Tool Transfer – The dropper downloads a second-stage payload from a remote URL using curl (e.g., ‘https[:]//gatemaden.space/curl/985683bd660c0c47c6be513a2d1f0a554d52d241714bb17fb18ab0d0f8cc2dc6’).
- [T1140] Deobfuscate/Decode Files or Information – Earlier and second-stage payloads are decoded and decompressed using ‘base64 -D’ and ‘gunzip’ before being executed via eval (‘base64 -D, decompressed with gunzip, stored in a variable and executed using eval’).
- [T1204.002] User Execution: Malicious File – The campaign previously relied on user-interactive techniques such as drag-to-terminal or ClickFix-style prompting to execute scripts (‘drag-to-terminal or ClickFix-style techniques’).
- [T1036] Masquerading – The adversary inflates the DMG with decoy PDF files and uses a legitimate-looking signed/notarized app to appear benign (‘disk image containing decoy files to inflate its size’).
- [T1070.004] Indicator Removal on Host: File Deletion – The installer deletes the dropped /tmp/runner payload after execution to reduce forensic artifacts (‘/tmp/runner payload is deleted from disk’).
- [T1562] Impair Defenses – The dropper removes the com.apple.quarantine attribute and performs Gatekeeper checks to influence macOS defenses (‘removes the com.apple.quarantine attribute’ and uses ‘spctl -a -v’).
- [T1218] Signed Binary Proxy Execution (abuse of signed binaries) – The campaign leverages a code-signed, notarized Swift application to run downloader logic and fetch second-stage payloads (‘code-signed and notarized Swift application’).
Indicators of Compromise
- [Domain] distribution and payload hosting – zkcall.net, gatemaden.space and focusgroovy[.]com.
- [URL] direct payload endpoints used by the dropper – https://zkcall.net/download, https[:]//gatemaden.space/curl/985683bd660c0c47c6be513a2d1f0a554d52d241714bb17fb18ab0d0f8cc2dc6.
- [File Name] installer and bundle names observed – zk-call-messenger-installer-3.9.2-lts.dmg, UserSyncWorker (application bundle).
- [File Path] temporary and persistence-related paths – /tmp/runner (downloaded second-stage script), ~/Library/Logs/UserSyncWorker.log (log file), ~/Library/Application Support/UserSyncWorker/last_up (rate-limit timestamp).
- [Developer Team ID] code-signing identifier used to sign the app – GNJLS3UYZ4 (certificate was reported and subsequently revoked).
- [User-Agent] downloader identification string – UserSyncWorker/1.0 (macOS) used in the curl request.
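A host-triage check built from the indicators above, added here as an example and not part of the Jamf write-up: it looks for the UserSyncWorker artifact paths, matches `codesign -dvv` output against the revoked Team ID, and picks out proxy log lines carrying the dropper's User-Agent. The codesign output and log lines are constructed samples; the bundle identifier in them is a placeholder.

```python
import os
import re
import tempfile
from pathlib import Path

# Artifact paths from the write-up, relative to a home directory and /tmp,
# so the scan can be pointed at a mounted volume or a test tree.
HOME_ARTIFACTS = [
    "Library/Application Support/UserSyncWorker/last_up",  # rate-limit timestamp
    "Library/Logs/UserSyncWorker.log",                     # dropper log file
]
TMP_ARTIFACT = "runner"            # /tmp/runner, second-stage script (deleted after run)
REVOKED_TEAM_ID = "GNJLS3UYZ4"     # Developer Team ID reported in the write-up
USER_AGENT = "UserSyncWorker/1.0 (macOS)"

# Constructed sample of `codesign -dvv` output; the Identifier is a placeholder.
CODESIGN_SAMPLE = (
    "Identifier=com.placeholder.usersyncworker\n"
    "Authority=Developer ID Application: PLACEHOLDER (GNJLS3UYZ4)\n"
    "TeamIdentifier=GNJLS3UYZ4\n"
)
# Constructed proxy log lines in a common format.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /download HTTP/1.1" 200 "Mozilla/5.0 (Macintosh)"',
    '10.0.0.5 - - "GET /curl/<hash> HTTP/1.1" 200 "UserSyncWorker/1.0 (macOS)"',
]

def scan_home(home: str, tmp: str = "/tmp") -> list[str]:
    """Return the indicator paths that currently exist under `home` and `tmp`."""
    hits = [str(Path(home, rel)) for rel in HOME_ARTIFACTS if Path(home, rel).exists()]
    if Path(tmp, TMP_ARTIFACT).exists():
        hits.append(str(Path(tmp, TMP_ARTIFACT)))
    return hits

def signed_by_revoked_team(codesign_output: str) -> bool:
    """True when a TeamIdentifier= line names the revoked Team ID."""
    m = re.search(r"^TeamIdentifier=(\S+)$", codesign_output, re.MULTILINE)
    return bool(m) and m.group(1) == REVOKED_TEAM_ID

def proxy_log_hits(lines) -> list[str]:
    """Return log lines that carry the dropper's curl User-Agent string."""
    return [ln for ln in lines if USER_AGENT in ln]

def build_sample_tree() -> tuple[str, str]:
    """Create a constructed home/tmp tree containing every artifact, for exercising scan_home."""
    root = tempfile.mkdtemp(prefix="macsync-triage-")
    home, tmp = os.path.join(root, "home"), os.path.join(root, "tmp")
    for p in [Path(home, rel) for rel in HOME_ARTIFACTS] + [Path(tmp, TMP_ARTIFACT)]:
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample\n")
    return home, tmp
```

On a real host, run `scan_home(os.path.expanduser("~"))` and feed it the output of `codesign -dvv` on any suspect bundle; an empty result from scan_home is expected because /tmp/runner is deleted after execution, so the log and last_up paths are the durable artifacts.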
Read more: https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/