
SlowMist Chief Information Security Officer 23pds issued a warning on April 22 that the North Korean hacking group Lazarus Group has released a new native macOS malware toolkit, "Mach-O Man", aimed specifically at the cryptocurrency industry and high-value corporate executives.
Attack Technique and Targets
According to Mauro Eldritch's analysis report, the attack uses the ClickFix technique: the attackers send links disguised as legitimate meeting invitations via Telegram (from already-compromised contact accounts), directing targets to fake websites impersonating Zoom, Microsoft Teams or Google Meet, which then prompt the user to run a command in the macOS Terminal to "fix" a connection problem. This gives the attackers access to the system without triggering traditional security controls.
The data targeted includes browser-stored credentials and cookies, macOS Keychain data, and browser extension data from Brave, Vivaldi, Opera, Chrome, Firefox and Safari. Stolen data is exfiltrated via the Telegram Bot API; the report notes that the attackers exposed their Telegram bot token (an OPSEC error), weakening their operational security.
The targets are mainly developers, executives and decision-makers in the fintech and cryptocurrency industries, and in high-value corporate environments where macOS is widely used.
Main Components of the Mach-O Man Toolkit
According to Mauro Eldritch's technical analysis, the toolkit consists of the following main modules:
teamsSDK.bin: the initial implant, disguised as a Teams, Zoom, Google or system application; performs basic system fingerprinting
D1{random string}.bin: the system profiler; collects the hostname, CPU type, operating system information and the list of browser extensions and sends them to the C2 server
minst2.bin: the persistence module; creates a fake "Antivirus Service" directory and a LaunchAgent so that the malware keeps running after every login
macrasv2: the final stealer; collects browser credentials, cookies and macOS Keychain entries, packages them, exfiltrates them via Telegram and then deletes itself
Summary of Key Indicators of Compromise (IOCs)
IOCs published in Mauro Eldritch's report:
Malicious IPs: 172[.]86[.]113[.]102 / 144[.]172[.]114[.]220
Malicious domains: update-teams[.]live / livemicrosft[.]com
Key files (partial): teamsSDK.bin, macrasv2, minst2.bin, localencode, D1YrHRTg.bin, D1yCPUyk.bin
C2 communication ports: 8888 and 9999; the traffic mainly carries the User-Agent string of the Go HTTP client
Full hashes and the ATT&CK matrix can be found in Mauro Eldritch's original research report.
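A defender-side check for the persistence mechanism and file-name indicators described above (the fake "Antivirus Service" LaunchAgent, the named modules and the D1{random}.bin profiler naming). This is an added example, not code from the report or from SlowMist; it audits a directory of LaunchAgent plists with plistlib, and the two sample plists it writes are constructed for the demonstration. To run it against a real machine, point audit_launch_agents at ~/Library/LaunchAgents.

```python
import plistlib
import re
import tempfile
from pathlib import Path
# Indicators as summarised on this page: fake "Antivirus Service" dir, named modules, D1{random}.bin profiler
SUSPICIOUS_DIR = "Antivirus Service"
KNOWN_FILES = {"teamsSDK.bin", "macrasv2", "minst2.bin", "localencode"}
PROFILER_RE = re.compile(r"^D1[A-Za-z0-9]+\.bin$")

def suspicious_reasons(program_args):
    """Explain why a LaunchAgent's ProgramArguments look like Mach-O Man persistence."""
    reasons = []
    for arg in program_args:
        p = Path(arg)
        if SUSPICIOUS_DIR in p.parts:
            reasons.append(f"path under '{SUSPICIOUS_DIR}': {arg}")
        if p.name in KNOWN_FILES or PROFILER_RE.match(p.name):
            reasons.append(f"known Mach-O Man filename: {p.name}")
    return reasons

def audit_launch_agents(agent_dir):
    """Parse each .plist in agent_dir; return {Label: reasons} for the suspicious ones."""
    findings = {}
    for plist_path in sorted(Path(agent_dir).glob("*.plist")):
        try:
            with open(plist_path, "rb") as fh:
                data = plistlib.load(fh)
        except (plistlib.InvalidFileException, OSError):
            continue  # unreadable plist: skip it rather than abort the sweep
        args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
        reasons = suspicious_reasons(args)
        if reasons:
            findings[data.get("Label", plist_path.name)] = reasons
    return findings

def write_sample_agents(tmpdir):
    """Write two constructed sample plists (hypothetical, not from the report) for an offline run."""
    samples = {"com.antivirus.service.plist": {"Label": "com.antivirus.service",
                   "ProgramArguments": ["/Users/victim/Library/Antivirus Service/minst2.bin"]},
               "com.example.updater.plist": {"Label": "com.example.updater",
                   "ProgramArguments": ["/usr/bin/true"]}}
    for name, obj in samples.items():
        with open(Path(tmpdir) / name, "wb") as fh:
            plistlib.dump(obj, fh)
    return tmpdir

def demo_findings():  # audit the constructed samples in a temp dir and return the findings
    with tempfile.TemporaryDirectory() as d:
        return audit_launch_agents(write_sample_agents(d))
```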
FAQ
Which industries and targets does the "Mach-O Man" toolkit go after?
According to the SlowMist 23pds warning and BCA LTD's research, "Mach-O Man" mainly targets the fintech and cryptocurrency industries, as well as high-value corporate environments where macOS is widely used, in particular developers, executives and decision-makers.
How do the attackers get macOS users to run malicious commands?
According to Mauro Eldritch's analysis, the attackers send links disguised as legitimate meeting invitations via Telegram, directing users to fake websites impersonating Zoom, Teams or Google Meet, which prompt the user to run a command in the macOS Terminal to "fix" a connection problem; that command triggers the malware installation.
How does "Mach-O Man" exfiltrate data?
According to Mauro Eldritch's technical analysis, the final module, macrasv2, collects browser credentials, cookies and macOS Keychain data, packages them, and exfiltrates them via the Telegram Bot API; the attackers then use a self-deletion script to remove traces from the system.