New MacSync Stealer Malware Variant Bypasses macOS Gatekeeper: What You Need to Know

MacSync Stealer Malware Warning - 12 26 25

A new strain of malware called MacSync Stealer is making waves in the security world, and this time it is targeting macOS systems with a sneakier trick than security teams have seen from it before.

macOS has traditionally had strong defenses against malware through features like Gatekeeper, which verifies downloaded software to prevent untrusted code from running on your Mac. But recent findings show attackers have found a way past those protections by packaging the malware inside a signed and notarized Swift application, a method that makes it look legitimate to macOS security checks.

How Attackers Are Getting In

According to researchers, the new MacSync Stealer variant is delivered through a code-signed and notarized app disguised as an installer for a fake messaging tool. Because the installer is signed with a legitimate Apple Developer ID, Gatekeeper shows no warning when the user opens it, so the malware runs without friction.

Once launched, the installer downloads the real malware from a remote server in the background, allowing attackers to steal passwords, credentials and even crypto wallet data from infected Macs.

To make matters worse, researchers saw the malware padding the installer with large decoy files to make it look more legitimate, and delaying execution to evade detection.

What This Means for Businesses and Users

Historically, Mac malware has been less prevalent than Windows malware, partly because of macOS’s built-in security features. But MacSync Stealer shows a worrying trend: attackers are using legitimate-looking certificates and notarization to trick defenses and users alike.

As Enitech’s own Antwine Jackson likes to remind leadership teams, “Cybersecurity is only as strong as its weakest link and social engineering often remains that link. Attackers will always look for ways to exploit trust and familiarity to bypass controls.”

This latest variant of MacSync proves that point. Even when you have solid defenses in place, threat actors will find a way around them, especially when users are convinced software is safe because it looks legitimate.

How to Stay Safe

Here’s what you can do right now to protect your organization and users:

  • Don’t open unknown installers or apps, even if they’re signed or notarized.
  • Train your team on the social engineering tactics used to deliver malware.
  • Use managed endpoint protection that goes beyond Gatekeeper and uses behavior-based detection.
  • Keep macOS and security tools up to date, as Apple and vendors release patches for evolving threats.
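One concrete way to go "beyond Gatekeeper" is to stop treating a valid Developer ID signature as approval by itself and instead check the signer's Team ID against a list your organization has actually vetted. The script below is an added example written for this article, not Enitech's tooling; it parses the output of Apple's `codesign -dvvv` (which prints one `Authority=` line per certificate and a `TeamIdentifier=` line) and the allowlist and sample output are constructed placeholders.

```python
import re
import subprocess

# Constructed allowlist of Apple Team IDs the organization has vetted (placeholder value).
TRUSTED_TEAM_IDS = {"TEAMID0001"}

# Constructed sample of what `codesign -dvvv` prints for a Developer ID-signed bundle.
SAMPLE_CODESIGN_OUTPUT = (
    "Executable=/Applications/Chat.app/Contents/MacOS/Chat\n"
    "Identifier=com.example.chat\n"
    "Authority=Developer ID Application: Example Corp (ZZZZ999999)\n"
    "Authority=Developer ID Certification Authority\n"
    "Authority=Apple Root CA\n"
    "TeamIdentifier=ZZZZ999999\n"
)

def parse_codesign(output: str) -> dict:
    """Extract the certificate chain and Team ID from codesign's verbose output.
    Unsigned binaries print neither line; ad-hoc signatures print 'TeamIdentifier=not set'."""
    authorities = re.findall(r"^Authority=(.+)$", output, re.MULTILINE)
    team = re.search(r"^TeamIdentifier=(\S+)$", output, re.MULTILINE)
    return {
        "authorities": authorities,
        "team_id": team.group(1) if team and team.group(1) != "not set" else None,
        "developer_id": any(a.startswith("Developer ID Application:") for a in authorities),
    }

def assess(info: dict, trusted: set = TRUSTED_TEAM_IDS) -> str:
    """Gatekeeper accepts any valid Developer ID signature; this adds an org-level decision."""
    if not info["team_id"]:
        return "block"    # unsigned or ad-hoc: no accountable developer identity
    if info["team_id"] in trusted:
        return "allow"    # identity the organization has reviewed
    if info["developer_id"]:
        return "review"   # Apple-issued identity, but nobody here has vetted it yet
    return "block"

def inspect_app(path: str, trusted: set = TRUSTED_TEAM_IDS) -> str:
    """Run codesign on a bundle (macOS only) and return allow / review / block."""
    proc = subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True)
    return assess(parse_codesign(proc.stderr), trusted)  # codesign reports on stderr

if __name__ == "__main__":
    print(assess(parse_codesign(SAMPLE_CODESIGN_OUTPUT)))  # "review": signed, notarizable, unvetted
```

A "review" verdict is exactly the case this article describes: a notarized app from a developer nobody in the organization has approved, which Gatekeeper alone would let through.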

Now that malware authors are abusing the very systems that certify trusted developers, it’s time for all security teams to pay attention to this threat.
