A newly discovered multi-stage macOS stealer malware employs advanced techniques to capture user credentials and evade detection. The malware starts with a Swift-based dropper that presents a fake password prompt, tricking users into entering their credentials. This password prompt uses SwiftUI for its interface and includes a SecureField view to mask the input, creating the illusion of a legitimate application. The prompt is dynamically generated using the app’s Info.plist file, allowing the malware to masquerade as various applications by displaying different names from the CFBundleDisplayName key. This method ensures that the prompt appears to be part of a trusted application, increasing the chances of a victim entering their password.
Once the victim submits their password, the malware leverages the OpenDirectory API to verify its validity. The password is checked against the local directory’s user records, and if correct, the malware proceeds to download additional malicious scripts from a command-and-control server. This is the second stage of the attack, where bash scripts are executed, potentially enabling further malicious actions. The malware uses the Open Directory services of macOS, an LDAP-like protocol, to authenticate the captured credentials. This is a significant deviation from typical malware, which often relies on more commonly used methods like OSAScript for password verification.
The malware’s evasion techniques are noteworthy, as it avoids detection by security tools that focus on OSAScript, a method commonly exploited in previous malware variants. The dropper’s Swift code integrates API calls and custom logic to obscure its activities, ensuring that detection mechanisms fail to identify the malware during its initial stages. Furthermore, the malware developers use dynamic string handling to create deceptive prompts and obfuscate critical information, such as the URL of the C2 server, which is embedded in a Swift bridge object and disguised in the code. This level of sophistication demonstrates how attackers continue to evolve their techniques to bypass security measures.
After the password verification process is successful, the malware executes a function to close the main application window, signaling that the initial stage has been completed. The malware then prepares to fetch additional payloads from a remote server. The C2 server’s URL is encoded within the malware’s code, with the server located at “cryptomac.dev.” Once the C2 connection is established, the malware downloads further malicious components, potentially escalating the attack. This multi-stage approach underscores the complexity of the malware, relying on both clever social engineering and advanced technical methods to compromise macOS systems and evade detection.
Reference: