{"id":62258,"date":"2025-12-28T17:42:35","date_gmt":"2025-12-28T16:42:35","guid":{"rendered":"https:\/\/www.apfelpatient.de\/?p=62258"},"modified":"2025-12-29T14:32:44","modified_gmt":"2025-12-29T13:32:44","slug":"macos-gatekeeper-bypassed-through-a-two-stage-malware-chain","status":"publish","type":"post","link":"https:\/\/www.apfelpatient.de\/en\/news\/macos-gatekeeper-durch-zweistufige-malware-kette-umgangen","title":{"rendered":"macOS Gatekeeper bypassed via two-stage malware chain"},"content":{"rendered":"

Security features like Gatekeeper are among macOS's most important protection mechanisms. They are designed to prevent malware from running undetected and sensitive data from being leaked. However, a recent report shows that attackers have once again found ways to circumvent these safeguards. A new variant of the MacSync Stealer specifically exploits Apple's notarization process, thus achieving a new level of sophistication in attacks on macOS.<\/strong><\/p>\n\n\n\n

Gatekeeper has been considered an effective first line of defense against malware on macOS for years. In the past, attackers usually needed to trick users into taking action to circumvent this protection. This is precisely where the new attack method comes in. It reduces the necessary steps to a minimum and makes the infection process significantly less noticeable.<\/p>\n\n\n\n

Gatekeeper and its previous role under macOS<\/h4>\n\n\n\n

Gatekeeper on macOS checks whether applications are signed and notarized by Apple. If this is not the case, execution is blocked or at least accompanied by clear warnings. Previous malware campaigns therefore attempted to trick users into deliberately bypassing these warnings. Typical methods included manually opening applications via the context menu or running scripts via the Terminal.<\/p>\n\n\n\n

New findings from Jamf Threat Labs<\/h4>\n\n\n\n

Researchers at Jamf Threat Labs have reported<\/a> on a new variant of the MacSync Stealer that takes a different approach. Instead of bypassing Gatekeeper, it abuses its trust. The malware is distributed via a code-signed and notarized Swift application. This means the app formally meets all the requirements to be launched on macOS without a warning message.<\/p>\n\n\n\n

Camouflage as a legitimate application<\/h4>\n\n\n\n

The new variant is being distributed as an installer for a purported application called "zk-Call & Messenger." Users download this app via a web browser and can then open it normally with a double-click. Unlike previous versions, no right-click or explicit confirmation of opening is necessary, as it is a signed executable file.<\/p>\n\n\n\n

An inspection of the installation file shows that it is correctly signed and notarized. It is also linked to a valid developer team ID. The file size of approximately 25.5 MB is noteworthy. The actual script is relatively small, but the application has been bloated with additional files such as PDFs. This makes it appear to be a legitimate installer simply due to its size.<\/p>\n\n\n\n

The malware has a two-stage structure<\/h4>\n\n\n\n

The installation app does not directly contain the MacSync Stealer. After launching, it downloads a second payload from an external server. This server contains the actual malware, which is then installed on the target system. Technically, it is still an encrypted dropper. Many of the typical characteristics of MacSync Stealer are present.<\/p>\n\n\n\n

The crucial difference lies in the first stage. By using a notarized and signed app, this stage can completely bypass Gatekeeper's protection mechanisms. The actual malware is only downloaded from the internet later.<\/p>\n\n\n\n

Classification and previous developments<\/h4>\n\n\n\n

Jamf describes this case as an example of how malware authors are strategically refining their distribution methods to achieve as many infections as possible. According to the researchers, such a combination of a Swift-based, code-signed, and notarized application with a post-loaded payload has not been observed before.<\/p>\n\n\n\n

The trend of embedding malware in seemingly legitimate executable files is not new. Back in 2020, it was revealed that malicious code had been able to bypass Apple's notarization process because harmful scripts within applications went undetected. What's new this time is that the notarized app itself doesn't contain any malicious code, but only retrieves it from the internet after passing all the necessary checks. This significantly complicates detection during the notarization process.<\/p>\n\n\n\n

Reaction and current situation<\/h4>\n\n\n\n

Jamf reported the associated developer team ID to Apple. The affected certificate was subsequently revoked. However, at the time of publication of this report, the code directory hashes were not yet included in Apple's revocation list. This demonstrates that a window of time can still exist between discovery and complete revocation.<\/p>\n\n\n\n

macOS security doesn't end with Gatekeeper<\/h3>\n\n\n\n

The MacSync Stealer case illustrates that despite Gatekeeper and notarization, macOS is not a completely closed system. Attackers deliberately exploit the trust built through signing and authentication. Therefore, meticulous digital hygiene remains crucial for Mac users. This includes carefully checking which software is installed and from which sources it originates, such as from well-known developer websites or directly from the Mac App Store. Gatekeeper is an important security mechanism in macOS, but it does not replace vigilance and critical behavior in everyday use. (Image: Shutterstock \/ Pungu x)<\/p>\n\n\n\n