Key Takeaways:
North Korea’s Lazarus Group deployed Mach-O Man malware targeting macOS users in crypto and fintech roles in April 2026. Bitso’s Quetzal Team confirmed the Go-compiled kit enables credential theft, Keychain access, and data exfiltration via four stages. Security researchers urged firms on April 22, 2026, to block Terminal-based ClickFix lures and audit LaunchAgents for Onedrive masquerading files.

Researchers Expose North Korean macOS Malware Targeting U.S. Crypto and Web3 Firms

The fake site displays a simulated connection error and instructs the user to copy and paste a Terminal command to resolve it. This technique, known as ClickFix and adapted here for macOS, leads the user to execute the initial stager file, teamsSDK.bin, via curl. Because the user runs the command manually, macOS Gatekeeper does not block it.
The stager downloads a fake app bundle, applies ad-hoc code signing to make it appear legitimate, and prompts the user for their macOS password. The window shakes on the first two attempts and accepts the credential on the third, a deliberate design choice to build false trust.
A persistence module then drops a renamed file called Onedrive into a hidden path under a folder labeled “Antivirus Service” and registers a LaunchAgent called com.onedrive.launcher.plist so it runs automatically at login.
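The LaunchAgent audit the researchers recommend in the takeaways can be scripted against the persistence pattern just described. The following is an added example, not code from the article or from the Quetzal Team: it parses every plist in a LaunchAgents directory and flags the label com.onedrive.launcher, a program path containing a folder named "Antivirus Service", a program living under a hidden directory, and an executable named Onedrive outside the genuine client's install path. The sample plists are constructed here so the script runs offline; the assumption that the real Microsoft client lives under /Applications/OneDrive.app is mine, as is the exact layout of the constructed malicious path.

```python
from __future__ import annotations

import os
import plistlib
import tempfile
from pathlib import PurePosixPath

# Indicators taken from the article's description of the persistence stage.
SUSPICIOUS_LABEL = "com.onedrive.launcher"
SUSPICIOUS_FOLDER = "Antivirus Service"
# Assumption: the genuine Microsoft client lives under /Applications/OneDrive.app;
# an executable named "Onedrive" anywhere else is treated as masquerading.
LEGIT_ONEDRIVE_PREFIX = "/Applications/OneDrive.app/"


def program_path(plist: dict) -> str | None:
    """Return the executable a LaunchAgent plist would run (Program or argv[0])."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    return args[0] if args else None


def audit_plist(plist: dict) -> list[str]:
    """Return human-readable findings for one parsed LaunchAgent plist."""
    findings: list[str] = []
    if plist.get("Label") == SUSPICIOUS_LABEL:
        findings.append(f"label matches reported persistence label {SUSPICIOUS_LABEL}")
    path = program_path(plist)
    if not path:
        return findings
    parts = PurePosixPath(path).parts
    directories, executable = parts[:-1], parts[-1]
    if SUSPICIOUS_FOLDER in directories:
        findings.append(f'program path contains folder "{SUSPICIOUS_FOLDER}"')
    hidden = [d for d in directories if d.startswith(".")]
    if hidden:
        findings.append(f"program lives under hidden directory {hidden[0]}")
    if executable.lower() == "onedrive" and not path.startswith(LEGIT_ONEDRIVE_PREFIX):
        findings.append("executable named like OneDrive outside the real client's path")
    return findings


def audit_directory(directory: str) -> dict[str, list[str]]:
    """Parse every .plist in `directory` and map filename -> findings (hits only)."""
    results: dict[str, list[str]] = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        full = os.path.join(directory, name)
        try:
            with open(full, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            results[name] = [f"unparseable plist: {exc}"]
            continue
        findings = audit_plist(plist)
        if findings:
            results[name] = findings
    return results


def build_sample_dir() -> str:
    """Write constructed sample plists to a temp dir so the audit runs offline."""
    directory = tempfile.mkdtemp(prefix="launchagents_")
    samples = {
        # Constructed: mimics the persistence entry described in the article.
        "com.onedrive.launcher.plist": {
            "Label": "com.onedrive.launcher",
            "ProgramArguments": [
                "/Users/victim/Library/Antivirus Service/.cache/Onedrive"
            ],
            "RunAtLoad": True,
        },
        # Constructed benign entry pointing at the assumed genuine client path.
        "com.example.onedrive-updater.plist": {
            "Label": "com.example.onedrive-updater",
            "Program": "/Applications/OneDrive.app/Contents/MacOS/OneDrive",
            "RunAtLoad": True,
        },
        # Constructed benign entry with no OneDrive relation at all.
        "com.example.backup.plist": {
            "Label": "com.example.backup",
            "ProgramArguments": ["/usr/local/bin/backup", "--nightly"],
        },
    }
    for filename, content in samples.items():
        with open(os.path.join(directory, filename), "wb") as fh:
            plistlib.dump(content, fh)
    return directory


if __name__ == "__main__":
    # On a real host, point this at ~/Library/LaunchAgents and /Library/LaunchAgents.
    for plist_name, hits in audit_directory(build_sample_dir()).items():
        print(plist_name)
        for hit in hits:
            print("   -", hit)
```

Only the constructed malicious entry is reported; the benign OneDrive updater is excluded because its program path sits under the assumed genuine install location. A real sweep would run the same audit over each user's ~/Library/LaunchAgents as well as /Library/LaunchAgents and /Library/LaunchDaemons, and any hit should be paired with a check of the referenced binary's code signature, since the article notes the bundle is only ad-hoc signed.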
The final stage, a stealer binary labeled macrasv2, collects browser extension data, SQLite credential databases, and Keychain items, compresses them into a zip file, and exfiltrates the package through the Telegram Bot API. Researchers found the Telegram bot token exposed in the binary, which they described as a major operational security failure that could allow defenders to monitor or disrupt the channel.
The Quetzal Team published SHA-256 hashes for all major components, along with network indicators pointing to IP addresses 172.86.113.102 and 144.172.114.220. Security researchers noted the kit has been observed in use by groups beyond Lazarus, suggesting the tooling has been shared or sold within the threat actor ecosystem.