New MacSync Stealer Malware Attacking macOS Users Using Digitally Signed Apps

Brownie2019 (Thread author)
A new version of MacSync Stealer malware is targeting macOS users through digitally signed and notarized applications, marking a major shift in how this threat is delivered.
Unlike older versions that required users to paste commands into Terminal, this updated variant operates silently in the background.
The malware comes disguised as a legitimate installer, distributed through a fake website under the name zk-call-messenger-installer-3.9.2-lts.dmg.
Once installed, it downloads and runs a hidden script that steals sensitive information from the victim’s computer.
The malware is packaged as a Swift application and signed with Apple’s Developer Team ID GNJLS3UYZ4, which allows it to bypass initial security warnings that macOS usually shows for untrusted software.
Full Story:
This is consistent with Jamf Threat Labs’ write-up: they observed a signed and notarized MacSync Stealer variant delivered as a Swift app inside a DMG named `zk-call-messenger-installer-3.9.2-lts.dmg`, signed under Apple Developer Team ID `GNJLS3UYZ4`. ([jamf.com](https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/))

Why this matters (signed/notarized ≠ safe)
macOS notarization and code-signing primarily help ensure the app hasn’t been altered since it was signed/notarized and that it passed Apple’s automated checks at that point in time—but they are not a guarantee the software is benign. In this case, Jamf notes the sample was indeed signed/notarized and initially not on Apple’s revocation list, and later the certificate was revoked after reporting. ([jamf.com](https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/))

Key IOCs / details mentioned by Jamf
  • DMG name: `zk-call-messenger-installer-3.9.2-lts.dmg` ([jamf.com](https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/))
  • Developer Team ID: `GNJLS3UYZ4` ([jamf.com](https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/))
  • Observed artifacts/paths: `/tmp/runner`, `~/Library/Logs/UserSyncWorker.log`, `~/Library/Application Support/UserSyncWorker/` ([jamf.com](https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/))

Practical guidance for macOS users
  • Avoid installers from lookalike domains and “download” pages; prefer the Mac App Store or the vendor’s known official domain (typed manually/bookmarked).
  • Keep macOS and built-in protections (XProtect / MRT) up to date; Apple revocations help only after they happen.
  • If you already ran this DMG/app: disconnect from the network, remove the app/DMG, check for the artifacts above, then run a full scan with a reputable macOS security product and change passwords (especially browser-stored credentials) from a known-clean device.

For admins / defenders
  • Hunt for the Team ID (`GNJLS3UYZ4`) and the `UserSyncWorker` path artifacts across endpoints. ([jamf.com](https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/))
  • Add network detections for the domains/infra referenced in the report (use safe handling like `hxxp`/`[.]` in internal notes). ([cybersecuritynews.com](https://cybersecuritynews.com/new-macsync-stealer-malware/))
  • Treat any affected host as potentially credential-compromised and follow your IR password/session/token reset process.

If anyone here suspects they executed it and wants safer, more specific help, the next step is to post the relevant process/file/network logs (redacting personal data) so the community can validate whether those specific IOCs are present on their system.
 
Remediation recommendations

If you suspect infection or have interacted with the "zk-call-messenger" installer:

  • Open Activity Monitor and terminate any processes named runtimectl or UserSyncWorker.
  • Delete the following files and directories if they exist:
      ~/Library/Application Support/UserSyncWorker/
      ~/Library/Logs/UserSyncWorker.log
      The downloaded DMG file (zk-call-messenger-installer...).
  • Block gatemaden[.]space and focusgroovy[.]com at your network perimeter or hosts file.
  • As this is a stealer, assume browser cookies, saved passwords, and cryptocurrency wallet data have been compromised. Reset all sensitive credentials from a clean device.
 
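The remediation steps in the post above as a script, added here as an example that is not code from the thread or from Jamf: kill the two named processes, delete the artifacts, and sink the two domains in the hosts file. Process names, paths and domains are the ones quoted in the post; the function names, the `--apply` and `--block` flags, the assumption that the DMG was saved to ~/Downloads, and the home-directory and hosts-file parameters (which let the functions be tried against a scratch directory before touching the real host) are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Jamf: the remediation steps
# from the post above as shell functions. Process names, paths and domains are
# the ones quoted there; the function names, the flags, the ~/Downloads
# assumption and the home/hosts-file parameters are this example's own.
set -u

MACSYNC_PROCS="runtimectl UserSyncWorker"
MACSYNC_DOMAINS="gatemaden.space focusgroovy.com"

# Terminate any running process whose name matches one of the stealer's exactly.
kill_macsync_processes() {
  for name in $MACSYNC_PROCS; do
    if pgrep -x "$name" >/dev/null 2>&1; then
      printf 'killing %s\n' "$name"
      pkill -x "$name"
    fi
  done
}

# Remove the on-disk artifacts below the given home directory (default $HOME).
# Prints each path removed; returns 0 if anything was removed, 1 if nothing was.
remove_macsync_artifacts() {
  home="${1:-${HOME:-}}"
  [ -n "$home" ] || { echo "no home directory given" >&2; return 2; }
  removed=1
  for p in "$home/Library/Application Support/UserSyncWorker" \
           "$home/Library/Logs/UserSyncWorker.log"; do
    if [ -e "$p" ]; then
      rm -rf "$p"
      printf 'removed %s\n' "$p"
      removed=0
    fi
  done
  # The thread names zk-call-messenger-installer-3.9.2-lts.dmg; match the prefix
  # so a re-versioned copy of the same installer is caught too. ~/Downloads as
  # the location is an assumption of this example.
  for dmg in "$home"/Downloads/zk-call-messenger-installer*.dmg; do
    [ -f "$dmg" ] || continue
    rm -f "$dmg"
    printf 'removed %s\n' "$dmg"
    removed=0
  done
  return "$removed"
}

# Append a 0.0.0.0 entry for each domain to a hosts file (default /etc/hosts,
# which needs root) unless an uncommented entry is already present, so the
# function is safe to re-run. Returns 0 when every domain is covered afterwards.
block_macsync_domains() {
  hosts="${1:-/etc/hosts}"
  for d in $MACSYNC_DOMAINS; do
    esc=$(printf '%s' "$d" | sed 's/\./\\./g')
    if ! grep -Eq "^[^#]*[[:space:]]$esc([[:space:]]|\$)" "$hosts" 2>/dev/null; then
      printf '0.0.0.0 %s  # MacSync Stealer IOC\n' "$d" >> "$hosts"
    fi
    grep -Eq "^[^#]*[[:space:]]$esc([[:space:]]|\$)" "$hosts" || return 1
  done
}

# macOS keeps a resolver cache; flush it so the new hosts entries take effect.
flush_macos_dns_cache() {
  dscacheutil -flushcache && killall -HUP mDNSResponder
}

# Usage: bash macsync_remediate.sh --apply       (as the affected user)
#        sudo bash macsync_remediate.sh --block  (the hosts file needs root)
case "${1:-}" in
  --apply) kill_macsync_processes; remove_macsync_artifacts || echo "no artifacts found" ;;
  --block) block_macsync_domains && flush_macos_dns_cache ;;
esac
```

Run `--apply` as the affected user so `$HOME` resolves to that user's profile, and `--block` separately under sudo. A hosts-file entry only covers this one host and only these two names; the perimeter block the post also asks for, and the credential resets, still have to be done by hand.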