Posted in

MacSync Stealer: What You Must Know About Notarized Malware

by Rakesh0

MacSync Stealer is back—and it’s stealthier than before. Recent analysis shows a new variant abusing Apple’s trusted app ecosystem to deliver info‑stealing payloads via signed, notarized Swift applications, bypassing user suspicion and many default macOS defenses. For CISOs, SOC analysts, and IT leaders, this underscores a critical reality: code signing and notarization alone don’t equal safety.

In this post, you’ll learn what the latest MacSync Stealer does, how it evades controls, real IOCs to hunt for, and a layered defense strategy aligned to MITRE ATT&CK and NIST/ISO practices. You’ll also get ready-to-use detection ideas, IR steps, and policy recommendations for macOS fleets in enterprise and mixed environments.

What Is MacSync Stealer? (and why it matters)

MacSync Stealer is a macOS information stealer that targets user data and credentials. The latest campaign replaces earlier, user-assisted execution tricks (like “drag‑to‑terminal” or “ClickFix”) with hands-off infection chains that appear legitimate—signed, notarized, and delivered as a Swift app inside a DMG.

Why this matters now:

  • Trust Abuse: The malware arrives notarized and signed under a legitimate Apple Developer Team ID (since revoked), GNJLS3UYZ4, leveraging trust users and admins place in Apple’s ecosystem.
  • Low AV Detection: VirusTotal samples reportedly showed limited detections (as low as 1–13 engines), often labeled generic downloaders (e.g., Coinminer/OOOID families).
  • Operational Stealth: The dropper uses network checks, obfuscated payload retrieval, quarantine bypass, spctl validation, and artifact cleanup to reduce footprints.

Primary takeaway: Modern macOS malware operationalizes trustnotarized ≠ safe and signed ≠ benign.

How the Latest Variant Works

Signed and notarized, yet malicious

  • Initial lure & packaging:
    Delivered as a notarized Swift application embedded in a disk image named:
    zk-call-messenger-installer-3.9.2-lts.dmg
    Reported distribution host: zkcall[.]net.
  • Abuse of Developer ID:
    Signed under Apple Developer Team ID GNJLS3UYZ4 (revoked after report). Despite signing/notarization, payload delivery is silent and requires minimal or no user interaction.
  • Decoy inflation:
    The app bundle is unusually large (~25.5 MB), padded with decoy PDFs to hide malicious purpose during cursory review.
  • Dropper & helper binary:
    The executable runtimectl acts as a downloader/orchestrator. It:
    • Validates internet connectivity
    • Maintains a log at ~/Library/Logs/UserSyncWorker.log
    • Creates support files in ~/Library/Application Support/UserSyncWorker/
    • Manages scheduling and persistence

Evasive execution and C2 behavior

  • Execution throttle:
    The routine runInstaller() enforces a 1‑hour run limit to avoid repeated triggers and reduce telemetry noise.
  • Payload fetch with curl variations:
    Retrieves an obfuscated script from:
    https[:]//gatemaden.space/curl/985683…
    Using a custom curl invocation modifying -fsSL into -fL -sS and adding --noproxy—tactics often used to improve reliability and evade basic signatures.
  • Command-and-control:
    The downloaded script (temporarily stored as /tmp/runner) matches previous MacSync campaigns and communicates with focusgroovy[.]com, a domain linked to prior C2 infrastructure for MacSync.
  • Trust subversion & cleanup:
    Before execution, the malware:
    1. removes com.apple.quarantine attributes,
    2. validates with spctl,
    3. executes and then deletes the payload to minimize artifacts.
  • Developer ID revocation:
    The malicious certificate was reported to Apple and revoked—but revocation is reactive, and build pipelines can rotate identities.

Bottom line: The campaign demonstrates how signed and notarized Swift apps can be weaponized to quietly stage and run info-stealers—a pattern we should now treat as a standard threat model for macOS.

Real-World Indicators of Compromise (IOCs)

Use these IOCs for proactive threat hunting and retroactive sweep.

Filenames & Paths

  • DMG: zk-call-messenger-installer-3.9.2-lts.dmg
  • Helper binary: runtimectl
  • Log file: ~/Library/Logs/UserSyncWorker.log
  • Support dir: ~/Library/Application Support/UserSyncWorker/
  • Temp payload: /tmp/runner

Domains & Network

  • Distribution: zkcall[.]net
  • Payload host: gatemaden[.]space
  • C2: focusgroovy[.]com

Certificates

  • Apple Developer Team ID: GNJLS3UYZ4 (revoked)

Behaviors

  • curl with flags: -fL -sS --noproxy
  • Removal of com.apple.quarantine
  • spctl invocation pre‑execution
  • Self‑deletion of dropped payload

Common Misconceptions (and the facts)

  • “Notarized apps are safe.”
    False. Notarization means Apple scanned the binary at submission time. It’s not a runtime guarantee, and threat actors can pass initial checks or quickly rotate identities after revocation.
  • “Gatekeeper blocks everything unsigned.”
    Partial. Gatekeeper helps, but signed/notarized malware can pass, especially when delivered as seemingly legitimate Swift apps.
  • “AV will catch it.”
    Not reliably. Early samples had limited detections and generic classifications. Evasive curl flags and transient artifacts further impede signatures.
  • “If it’s Swift and big, it’s fine.”
    No. Decoy PDFs inflate bundle size and communicate legitimacy. Bundle bloat ≠ benign.

MITRE ATT&CK Mapping (macOS)

  • T1553 – Subvert Trust Controls: Abuse of code signing & notarization
  • T1105 – Ingress Tool Transfer: Fetch payload via curl
  • T1059 – Command & Scripting Interpreter: Shell script execution
  • T1140 – Deobfuscate/Decode Files or Information: Encoded script retrieval
  • T1036 – Masquerading: Legitimate-looking Swift app & bundle content
  • T1070 – Indicator Removal: Delete payload and logs
  • T1071 – Application Layer Protocol: HTTPS C2 to domain infrastructure
  • T1053.005 / T1547.013 – Scheduled Task/Logon Items: Persistence via scheduling or LaunchAgents (implied by “scheduling and persistence” within UserSyncWorker)

Risk–Impact Analysis

Primary risks:

  • Credential and session theft (browsers, wallets, app tokens)
  • Lateral movement within SaaS and cloud via stolen tokens/secrets
  • Brand damage and incident recovery costs (IR, forensics, comms)
  • Compliance exposure (PII/PHI/PCI data exfiltration)

Who’s at risk:

  • BYOD and hybrid fleets with macOS endpoints
  • Teams relying on notarization alone for trust
  • High‑value users (execs, devs with cloud/API keys, finance)

Business impact:

  • Loss of sensitive corporate IP, customer data, financial data
  • Ransomware follow-on (via stolen access)
  • Regulatory fines and reporting obligations

Defensive Strategy: Layered Controls that Actually Work

Key principle: Treat signed/notarized macOS apps as potentially malicious until proven otherwise. Shift from binary trust to continuous verification (Zero Trust).

1) Hardening macOS Endpoints

  • Restrict app sources via MDM: App Store + identified developers with approval workflows (not blanket allow).
  • Enforce System Settings:
    • Disable “Open Anyway” prompts via policy for unknown sources.
    • Require least privilege and TCC hardening for sensitive data (Documents/Downloads, screen capture, input monitoring).
  • XProtect & MRT: Ensure XProtect Remediator is current; enable network content filtering and EDR with block mode to stop post-detection execution.
  • Firewall & DNS filtering: Enforce outbound filtering, block high‑risk domains, and inspect curl/shell usage patterns.

2) Identity, Browser & Secrets Hygiene

  • Passkeys/FIDO2 for phishing-resistant auth
  • SSO with conditional access (device health, OS version, risk)
  • Harden browsers (profile isolation, password manager policies, extension control)
  • Rotate tokens/keys rapidly; scoped API keys; secret scanning in CI/CD

3) Network & Cloud Controls

  • TLS interception in trusted environments (where legally appropriate) to detect scripted payload fetches
  • Zero Trust Network Access (ZTNA) for sensitive apps
  • CASB/SSE to detect anomalous SaaS session activity post‑compromise
  • Egress allow-lists for crown-jewel apps

4) Detection Engineering (macOS-focused)

Hunt ideas (local):

  • Look for UserSyncWorker artifacts:
    • ~/Library/Application Support/UserSyncWorker/
    • ~/Library/Logs/UserSyncWorker.log
  • Detect curl executions with -fL -sS --noproxy
  • Flag executions of runtimectl or unrecognized binaries in user writable paths
  • Monitor xattr -d com.apple.quarantine, spctl validations for newly dropped files
  • Alert on processes deleting their own payloads shortly after execution

osquery samples (adapt as needed):

SQL

— Suspicious curl invocations

SELECT * FROM process_open_files

WHERE pid IN (

SELECT pid FROM processes

WHERE name = ‘curl’ AND cmdline LIKE ‘%-fL%’ AND cmdline LIKE ‘%-sS%’ AND cmdline LIKE ‘%–noproxy%’

);

— Unusual binaries in user support directories

SELECT * FROM file

WHERE path LIKE ‘/Users/%/Library/Application Support/UserSyncWorker/%’;

— Launch persistence (if present)

SELECT * FROM launchd WHERE program_arguments LIKE ‘%UserSyncWorker%’;
Show more lines

macOS shell hunt (IT/SOC quick checks):

Shell

# Look for UserSyncWorker artifacts

ls -la ~/Library/”Application Support”/UserSyncWorker/ 2>/dev/null

tail -n 200 ~/Library/Logs/UserSyncWorker.log 2>/dev/null

# Suspicious curl usage in Unified Logs (last 48h)

log show –last 48h –predicate ‘eventMessage CONTAINS[c] “curl” AND eventMessage CONTAINS “-fL” AND eventMessage CONTAINS “-sS”‘

# Quarantine stripping & spctl usage

log show –last 48h –predicate ‘eventMessage CONTAINS[c] “com.apple.quarantine” OR eventMessage CONTAINS[c] “spctl”‘
Show more lines

EDR/SIEM ideas (example patterns):

  • Process creation: curl + flags (-fL -sS --noproxy), parent = notarized Swift app
  • File events: creation of /tmp/runner followed by deletion within minutes
  • Network: connections to gatemaden[.]space and focusgroovy[.]com
  • Cert telemetry: binaries signed by GNJLS3UYZ4 (historical sweep)

5) Incident Response: What to Do If You See It

  1. Isolate the endpoint (EDR network isolation).
  2. Preserve volatile data: running processes, network connections, Unified Logs, recent file events.
  3. Acquire artifacts: DMG, app bundle, UserSyncWorker directory, /tmp/runner (if present), Unified Logs near execution time.
  4. Revoke credentials: browser sessions, SSO tokens, SSH keys, API tokens; reset passwords with step‑up auth.
  5. Scope the blast radius: SIEM queries for domains, flags, filenames across fleet.
  6. Eradicate and recover: remove persistence, rebuild from golden image if integrity is uncertain, re‑enroll with MDM.
  7. Lessons learned: tighten policies, detections, and user comms (explain notarization limits).

Tools, Frameworks & Standards Alignment

  • MITRE ATT&CK (macOS): T1553, T1105, T1059, T1140, T1036, T1070, T1071, T1053/Logon Items
  • NIST SP 800‑53 Rev. 5:
    • SI-7 (Software, Firmware, and Information Integrity)
    • CM-7 (Least Functionality)
    • RA-5 (Vulnerability Monitoring/Scanning)
    • AU-6 (Audit Review, Analysis, and Reporting)
    • IR-4 (Incident Handling)
    • CA-9 (Internal System Connections)
  • ISO/IEC 27001:2022 (Annex A):
    • A.5.23 (Information security for use of cloud services)
    • A.8.16 (Monitoring activities)
    • A.8.28 (Secure coding)
    • A.8.32 (Change management)
    • A.8.8 / A.8.9 (User endpoint devices / Configuration)
  • Zero Trust Principles: Continuous verification, least privilege, explicit policy enforcement
  • macOS Platform Security Controls: Gatekeeper, Notarization, XProtect, MRT, TCC, Managed device profiles (MDM)

Best Practices & Actionable Steps (Executive Summary)

Do this now:

  • Blocklist IOCs (domains, path patterns, helper names).
  • Hunt for artifacts listed above across your fleet.
  • Enable block mode in your EDR so detections can prevent execution.
  • Constrain notarized apps with approval-based workflows (don’t auto-trust).
  • Harden TCC for sensitive directories and control curl/shell usage patterns.
  • Rotate secrets exposed via browsers or developer tooling; enforce passkeys/FIDO2.

Do this next:

  • Build detections for curl -fL -sS --noproxy and transient /tmp execution + deletion patterns.
  • Add launch persistence hunts around user‑writable paths.
  • Instrument Unified Logs and ensure centralized telemetry collection.
  • Update macOS baseline: firewall, DNS security, XProtect Remediator, MDM policies.
  • Conduct a tabletop covering signed/notarized malware abuse.

Key takeaway: Trust is a control surface attackers now target. Treat notarization as one signal in a broader, behavior‑based defense.

Case Snapshot: From Install to Exfil

  1. User mounts zk-call-messenger-installer-3.9.2-lts.dmg.
  2. The notarized Swift app runs, looking legitimate.
  3. runtimectl validates network, writes logs under UserSyncWorker, sets scheduling.
  4. Pulls encoded script via curl from gatemaden[.]space, using modified flags.
  5. Strips quarantine, validates with spctl, runs, then deletes /tmp/runner.
  6. Payload talks to focusgroovy[.]com (C2), stealing info.

FAQs (Schema‑friendly Q&A)

Q1. What is MacSync Stealer?
A macOS info‑stealer that now uses signed, notarized Swift apps to deliver payloads quietly, bypassing user suspicion and some default macOS checks.

Q2. How does it evade detection?
By abusing trust (code signing & notarization), modifying curl flags, using quarantine removal, spctl validation, transient /tmp payloads, and cleanup.

Q3. Does Apple’s notarization make apps safe?
No. Notarization is a submission‑time check. Attackers can pass initial scrutiny or exploit timing and identity rotation. Treat notarization as one signal—not a guarantee.

Q4. What are the most reliable detections?
Behavioral. Look for curl -fL -sS --noproxy, creation & quick deletion of /tmp/runner, UserSyncWorker artifacts, quarantine stripping, and suspicious spctl usage.

Q5. What should we block immediately?
Domains like gatemaden[.]space and focusgroovy[.]com, artifacts under UserSyncWorker, and binaries signed by the revoked Team ID GNJLS3UYZ4 (historical sweep).

Q6. Which frameworks help align defenses?
Map to MITRE ATT&CK techniques for detection; apply NIST SP 800‑53 (SI‑7, IR‑4, AU‑6) and ISO 27001 Annex A controls; adopt Zero Trust enforcement.

Conclusion

MacSync Stealer shows how trusted ecosystems can be subverted. Signed and notarized malware isn’t theoretical—it’s operational, evasive, and increasingly common. The right response is not fear but discipline: behavior‑based detection, policy‑driven app control, strong identity & browser hygiene, and rapid IR mapped to MITRE, NIST, and ISO.

If you’re responsible for macOS security, now is the time to:

  • Harden endpoints,
  • Instrument detections,
  • Block high‑risk domains,
  • Drill your incident response, and
  • Educate users that notarized ≠ safe.
Subscribe

Leave a Reply

Your email address will not be published. Required fields are marked *