Jamf Threat Labs has published a report about a new notarized variant of the MacSync Stealer malware.
Specifically, Jamf Threat Labs observed a signed and notarized stealer that didn’t follow the typical execution chains seen in the past. The sample in question looked highly similar to past variants of the increasingly active MacSync Stealer malware but was revamped in its design.
Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more deceptive, hands-off approach.
Interestingly, Jamf Threat Labs has also observed the Odyssey infostealer adopting similar distribution methods in recent variants. Surprisingly, the familiar right-click open instruction is still present in this sample even though the executable is signed and does not require this step, the group reports.
Article provided with permission from AppleWorld.Today