Overview
- Jamf Threat Labs found a reworked MacSync sample delivered as a signed, notarized Swift app inside zk-call-messenger-installer-3.9.2-lts.dmg from zkcall.net that bypassed Gatekeeper at the time of analysis.
- The installer was signed under Developer Team ID GNJLS3UYZ4; Jamf reported it to Apple, and the associated certificate was subsequently revoked.
- The dropper quietly fetches an encoded script from a remote server and executes it via a helper; it checks for internet access, throttles execution to roughly one-hour intervals, removes quarantine attributes, runs largely in memory, and cleans up after itself.
- Evasion measures included inflating the disk image to 25.5 MB with decoy PDFs and wiping scripts; VirusTotal detections ranged from a single engine to about a dozen, most labeling the sample as a generic downloader.
- Tracked as MacSync or Mac.C and linked to the actor “Mentalpositive,” the malware targets sensitive data such as the login.keychain-db, browser-stored passwords, iCloud keychain items, cryptocurrency wallets, and filesystem files.
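The indicators above (the revoked Team ID, the installer DMG name, and the quarantine-attribute removal) can be turned into a simple hunt over process telemetry. The following is an added example, not code from Jamf or the write-up; the event schema, the `team_id` field and all sample paths are assumed and constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Indicators quoted from the write-up above
REVOKED_TEAM_ID = "GNJLS3UYZ4"
MALICIOUS_DMG = "zk-call-messenger-installer-3.9.2-lts.dmg"
QUARANTINE_XATTR = "com.apple.quarantine"

@dataclass
class ProcEvent:
    """One process-start record; the team_id field is an assumed EDR attribute."""
    pid: int
    ppid: int
    path: str
    argv: List[str]
    team_id: Optional[str] = None

def ancestors(ev, by_pid):
    """Walk the parent chain of ev until launchd or an unseen pid."""
    cur = by_pid.get(ev.ppid)
    while cur is not None:
        yield cur
        cur = by_pid.get(cur.ppid)

def is_quarantine_removal(ev):
    return ev.path.endswith("/xattr") and "-d" in ev.argv and QUARANTINE_XATTR in ev.argv

def hunt(events):
    """Return (pid, severity, reason) findings; quarantine removal is only high
    severity when an ancestor is signed with the revoked Team ID."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if ev.team_id == REVOKED_TEAM_ID:
            findings.append((ev.pid, "high", f"signed by revoked Team ID {REVOKED_TEAM_ID}"))
        if any(MALICIOUS_DMG in a for a in ev.argv):
            findings.append((ev.pid, "high", "references known malicious installer DMG"))
        if is_quarantine_removal(ev):
            if any(a.team_id == REVOKED_TEAM_ID for a in ancestors(ev, by_pid)):
                findings.append((ev.pid, "high", "quarantine xattr removed under revoked-Team-ID app"))
            else:
                findings.append((ev.pid, "low", "quarantine xattr removed (review parent)"))
    return findings

# Constructed sample telemetry (paths and pids are placeholders, not from the report)
SAMPLE = [
    ProcEvent(90, 1, "/usr/bin/hdiutil", ["hdiutil", "attach", "/Users/analyst/Downloads/" + MALICIOUS_DMG]),
    ProcEvent(100, 1, "/Volumes/INSTALLER/Installer.app/Contents/MacOS/Installer", ["Installer"], REVOKED_TEAM_ID),
    ProcEvent(101, 100, "/bin/sh", ["sh"]),
    ProcEvent(102, 101, "/usr/bin/xattr", ["xattr", "-d", QUARANTINE_XATTR, "/private/tmp/stage"]),
    ProcEvent(200, 1, "/usr/bin/xattr", ["xattr", "-d", QUARANTINE_XATTR, "/Users/analyst/Downloads/tool.zip"]),
]

if __name__ == "__main__":
    for pid, sev, why in hunt(SAMPLE):
        print(f"pid {pid}: [{sev}] {why}")
```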