Highly Sophisticated macOS DigitStealer Employs Multi-Stage Attacks to Evade Detection

A new malware family targeting macOS systems has emerged with advanced detection evasion techniques and multi-stage attack chains.

Named DigitStealer, this information stealer uses multiple payloads to steal sensitive data while leaving minimal traces on infected machines.

The malware disguises itself as legitimate software and uses clever methods to bypass Apple’s security protections.

DigitStealer spreads through fake versions of popular macOS applications. The malware was discovered in an unsigned disk image file called DynamicLake.dmg, pretending to be a legitimate utility.

Users are tricked into running a file labeled “Drag Into Terminal.msi” which starts the infection process.

At the time of discovery, no antivirus engines on VirusTotal detected this threat, making it extremely dangerous.

What makes this malware stand out is its use of advanced hardware checks to avoid running on virtual machines or older Mac computers.

Jamf security researchers identified that DigitStealer specifically targets newer Apple Silicon systems, particularly M2 chips and above, while avoiding Intel-based Macs and even M1 devices.

The malware performs extensive system checks before executing its main payload.

The infection starts with a simple bash command that downloads an encoded script from a remote server. Once decoded, this script performs multiple verification steps to ensure it runs only on physical Mac computers with specific hardware features.

Malware workflow (Source: Jamf)

The malware checks the system locale and exits if it detects certain countries, potentially to avoid prosecution.

Detection Evasion Through Advanced Hardware Checks

DigitStealer uses sophisticated techniques to detect virtual machines and analysis environments. The malware queries hardware information using system commands and searches for keywords like “Virtual” or “VM” in the output.

If detected, the malware immediately stops execution. The most interesting aspect involves checking for specific Apple Silicon features using the following commands:

sysctl -n hw.optional.arm.FEAT_BTI
sysctl -n hw.optional.arm.FEAT_SSBS
sysctl -n hw.optional.arm.FEAT_ECV

These commands verify whether advanced ARM processor features exist on the target system. Only M2 or newer chips have these capabilities, effectively limiting infections to the latest Mac computers.

This approach helps the malware avoid detection by security researchers who often use virtual machines or older hardware for analysis.
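The hardware gate described above is itself a hunting signal: a benign process rarely queries several FEAT_* keys and greps for VM keywords in quick succession. The following Python is an added example, not code from the article or from Jamf; it assumes a simplified JSON-lines process-execution record shape and a plain `grep` form for the keyword search, and the sample records are constructed.

```python
import json
import re
from collections import defaultdict

# sysctl keys the article reports the stager querying to gate on M2-or-newer.
FEAT_KEYS = ("hw.optional.arm.FEAT_BTI",
             "hw.optional.arm.FEAT_SSBS",
             "hw.optional.arm.FEAT_ECV")
# Keyword search the article describes; the exact grep invocation is an assumption.
VM_KEYWORDS = re.compile(r"\b(virtual|vm)\b", re.IGNORECASE)


def parse_event(line):
    """Assumed record shape: {"ts", "ppid", "pid", "cmd"} as one JSON object per line."""
    ev = json.loads(line)
    return int(ev["ppid"]), int(ev["pid"]), ev["cmd"]


def score_parents(lines):
    """Per parent pid: which FEAT_* keys its children queried via sysctl, and
    whether a child grepped for VM/Virtual keywords."""
    seen = defaultdict(lambda: {"feat": set(), "vm_grep": False})
    for line in lines:
        ppid, _pid, cmd = parse_event(line)
        argv = cmd.split()
        if argv and argv[0].endswith("sysctl"):
            seen[ppid]["feat"].update(k for k in FEAT_KEYS if k in argv)
        elif argv and argv[0].endswith("grep") and VM_KEYWORDS.search(cmd):
            seen[ppid]["vm_grep"] = True
    return seen


def flag(lines, min_feat=2):
    """Parents that queried at least `min_feat` FEAT keys, as (ppid, n_feat, vm_grep),
    with parents that also grepped for VM keywords sorted first."""
    hits = [(ppid, len(s["feat"]), s["vm_grep"])
            for ppid, s in score_parents(lines).items() if len(s["feat"]) >= min_feat]
    return sorted(hits, key=lambda h: (h[2], h[1]), reverse=True)


# Constructed sample: pid 510 is a shell stager running the full gate; pid 900 is
# an administrator running a single, benign sysctl query.
SAMPLE = [
    '{"ts":"T1","ppid":510,"pid":511,"cmd":"sysctl -n hw.optional.arm.FEAT_BTI"}',
    '{"ts":"T1","ppid":510,"pid":512,"cmd":"sysctl -n hw.optional.arm.FEAT_SSBS"}',
    '{"ts":"T2","ppid":510,"pid":513,"cmd":"sysctl -n hw.optional.arm.FEAT_ECV"}',
    '{"ts":"T2","ppid":510,"pid":514,"cmd":"grep -iE Virtual|VM"}',
    '{"ts":"T9","ppid":900,"pid":901,"cmd":"sysctl -n hw.optional.arm.FEAT_BTI"}',
]

if __name__ == "__main__":
    print(flag(SAMPLE))  # [(510, 3, True)]
```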

After passing all verification checks, DigitStealer downloads four separate payloads from remote servers.

Each payload has a specific purpose, from stealing browser credentials and cryptocurrency wallets to modifying legitimate applications like Ledger Live.

The malware uses legitimate Cloudflare services to host payloads, making detection and blocking more difficult.
