CISO Brief

All news with #jamf tag

4 articles

macOS Atomic Stealer campaign leverages Script Editor

⚠️ Researchers at Jamf observed a ClickFix variation that uses the built-in Script Editor and the applescript:// URL scheme to deliver the Atomic Stealer (AMOS) to macOS users. Victims are lured to fake Apple-themed pages that launch Script Editor with prefilled AppleScript executing an obfuscated "curl | zsh" chain, avoiding the need to open Terminal. The delivered code decodes a base64+gzip payload, writes a Mach-O binary to /tmp/helper, strips extended attributes with "xattr -c", makes it executable, and runs it. Treat Script Editor prompts as high risk and follow official Apple troubleshooting guidance rather than third-party guides.

Signed macOS Dropper: New MacSync Stealer Variant Emerges

🚨 Jamf Threat Labs uncovered a reworked macOS infostealer masquerading as a legitimate signed app. The Swift dropper is code-signed and notarized, delivered in a 25.5MB disk image posing as a messaging installer, and silently fetches and executes an encoded script through a helper. It runs mainly in memory, removes quarantine attributes, enforces a ~3600s delay before execution, and cleans up traces; Jamf reported the developer certificate and Apple revoked it.

MacSync Stealer Bypasses Gatekeeper, Targets macOS Users

⚠️ Researchers at Jamf report that MacSync Stealer now arrives as a code-signed, notarized Swift utility that can execute with minimal user interaction. The dropper fetches a payload script from a command-and-control server after installation. Because the app appears signed and notarized, Gatekeeper does not display extra warnings, allowing attackers to exploit a window before certificate revocation. This behavior highlights limitations in Apple’s automated notarization checks.

CHILLYHELL macOS Backdoor and ZynorRAT Cross-Platform RAT

🔍 Researchers have identified two malware strains: a modular macOS backdoor named CHILLYHELL and a Go-based cross-platform RAT called ZynorRAT. Jamf Threat Labs links CHILLYHELL to UNC4487, noting extensive host profiling, multiple persistence techniques, timestomping, and multi-protocol C2 over HTTP and DNS. The notarized CHILLYHELL sample (uploaded to VirusTotal on May 2, 2025) underscores that signed binaries can be malicious. Sysdig analysis shows ZynorRAT is managed via a Telegram bot and supports file exfiltration, screenshots, system enumeration, and persistence on Linux and Windows.