The malware, discovered in April 2025, represents a notable advance in the tactics used by threat actors targeting Apple systems: it went undetected on popular scanning platforms for months. According to the security team's analysis, this is the first documented case of PyInstaller being used specifically to deploy infostealers on macOS.

The attackers use PyInstaller, an open-source utility that packages a Python application together with its interpreter and libraries into a standalone executable, to bundle malicious code into Mach-O binaries that look innocuous. The approach works because macOS 12.3 removed the bundled Python 2.7 interpreter, and a fresh macOS install carries no usable Python 3 until the Xcode Command Line Tools are installed. PyInstaller is therefore a valuable tool for legitimate developers and malicious actors alike: either can ship a Python program that runs across macOS environments with no dependencies on the target machine.

The loader the researchers recovered (shown as a code snippet in the original write-up) layers string reversal, base85 encoding, XOR with the single-byte key 188 (0xBC) and zlib compression to conceal the payload. By changing the final line of the deobfuscated script to print the payload rather than execute it, they exposed the true functionality: credential harvesting through fake password prompts, execution of remotely supplied AppleScript commands, systematic extraction of Keychain contents, and targeted collection of cryptocurrency wallet data, all intended to exfiltrate valuable user information without detection.

Examining the FAT (universal) layout of the malicious files, researchers noted an interesting detail: the arm64 slice is far larger than the Intel slice (about 8 MB versus 70 KB), and the PyInstaller archive is embedded near the end of the arm64 portion. A 70 KB slice is far too small to carry a bundled Python runtime, so the size asymmetry alone is a useful triage signal.

As this technique continues to evolve, security professionals recommend heightened vigilance around unsigned Mach-O executables, particularly any that trigger unexpected password prompts or unusual system behavior.
Reversing those layers yields the original Python script, including the instructions used to build the PyInstaller binary, further confirming the attacker's methodical approach. At run time the malware unpacks its bundled Python libraries into a temporary directory that exists only for the lifetime of the process: PyInstaller's one-file mode extracts to a _MEIxxxxxx directory under the temporary path and deletes it at exit, so little evidence remains on the filesystem, and responders who want the unpacked payload should capture that directory (or image memory) while the process is still running.
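The decoding chain described above, as an added example that is not code from the article or from the researchers it cites: a stand-in packer and its static inverse (the layer order zlib, then XOR with 188, then base85, then string reversal is an assumption, since this page does not reproduce the stub itself), a candidate-key search for the case where the XOR key is not known, and the researchers' trick of turning the loader's final exec( into print(. The payload text, the stub shape and every function name below are constructed for illustration.

```python
import base64
import contextlib
import io
import zlib

# Single-byte XOR key reported in the analysis (188 == 0xBC).
XOR_KEY = 188

# Constructed stand-in for the stealer's second stage; the real one is not reproduced.
SAMPLE_PAYLOAD = 'print("second stage would run here")\n'


def obfuscate(script: str, key: int = XOR_KEY) -> str:
    """Pack a script with the four layers the article names.

    The layering order (zlib -> XOR -> base85 -> reverse) is an assumption;
    the page names the layers but does not show the stub.
    """
    compressed = zlib.compress(script.encode("utf-8"))
    xored = bytes(b ^ key for b in compressed)
    encoded = base64.b85encode(xored).decode("ascii")
    return encoded[::-1]


def deobfuscate(blob: str, key: int = XOR_KEY) -> str:
    """Static inverse of obfuscate(): no exec() anywhere, so safe on a real sample."""
    xored = base64.b85decode(blob[::-1])
    compressed = bytes(b ^ key for b in xored)
    return zlib.decompress(compressed).decode("utf-8")


def candidate_xor_keys(blob: str) -> list[int]:
    """If the key were unknown: keep only keys that turn the first two bytes into a
    valid zlib header (CM == 8, CINFO <= 7, 16-bit header divisible by 31)."""
    xored = base64.b85decode(blob[::-1])
    keys = []
    for k in range(256):
        cmf, flg = xored[0] ^ k, xored[1] ^ k
        if cmf & 0x0F == 8 and cmf >> 4 <= 7 and ((cmf << 8) | flg) % 31 == 0:
            keys.append(k)
    return keys


def build_stub(blob: str) -> str:
    """Render a loader of the shape the article describes: a blob and a final exec()."""
    return (
        "import base64, zlib\n"
        f"_b = {blob!r}\n"
        f"exec(zlib.decompress(bytes(c ^ {XOR_KEY} for c in base64.b85decode(_b[::-1]))).decode())\n"
    )


def defang_stub(stub: str) -> str:
    """The researchers' trick: turn the final exec( into print( so the decoded
    payload is displayed instead of run."""
    head, sep, last = stub.rstrip("\n").rpartition("\n")
    if not last.startswith("exec("):
        raise ValueError("last line is not an exec() call; inspect the stub by hand")
    return head + sep + "print(" + last[len("exec("):] + "\n"


def recover_payload(stub: str) -> str:
    """Run the defanged stub and capture what it prints.

    Every line before the final one still executes, so on a real sample do
    this only inside a disposable VM; here the stub is the constructed one.
    """
    buf = io.StringIO()
    with contextlib.redirect_stdout(buf):
        exec(defang_stub(stub), {"__name__": "__stub__"})
    return buf.getvalue()


if __name__ == "__main__":
    packed = obfuscate(SAMPLE_PAYLOAD)
    stub = build_stub(packed)
    print(stub)
    print("candidate XOR keys from zlib header test:", candidate_xor_keys(packed))
    print(recover_payload(stub), end="")
```

deobfuscate() never executes anything, which makes it the right tool on a real sample; recover_payload() runs every line of the stub except the final exec and belongs in a throwaway VM. The header test in candidate_xor_keys() narrows 256 possible keys to a handful, because a valid zlib stream must start with compression method 8 and a 16-bit header divisible by 31.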
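The slice asymmetry and the archive's placement near the end of the arm64 slice, as an added triage script that is not from the article or the researchers: it parses the 32-bit universal (FAT) header, reports each slice's size, and searches each slice backwards for the cookie that PyInstaller's own bootloader uses to locate its archive. The sample universal binary is constructed inline to match the reported shape (a 70 KB x86_64 slice and an 8 MB arm64 slice) and contains no real code; the cookie field values in it are placeholders, and the function names are this example's own.

```python
import struct

FAT_MAGIC = 0xCAFEBABE        # 32-bit universal header, big-endian
FAT_MAGIC_64 = 0xCAFEBABF     # 64-bit variant (wider offsets), not handled here
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
# Cookie that closes a PyInstaller CArchive (PyInstaller's own MAGIC constant);
# the bootloader finds its archive by searching backwards for it.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
FAT_ALIGN = 0x4000            # 16 KiB slice alignment, as lipo uses for arm64


def parse_fat_slices(data: bytes) -> list[dict]:
    """Read the fat_header and fat_arch table (all fields big-endian)."""
    if len(data) < 8:
        raise ValueError("too short for a FAT header")
    magic, nfat = struct.unpack(">II", data[:8])
    if magic == FAT_MAGIC_64:
        raise ValueError("FAT_MAGIC_64 is not supported by this example")
    if magic != FAT_MAGIC:
        raise ValueError("not a FAT (universal) binary")
    # Java class files share the CAFEBABE magic; their version field would read
    # as an absurd architecture count, so bound it.
    if nfat == 0 or nfat > 20:
        raise ValueError(f"implausible nfat_arch={nfat}; probably not a Mach-O FAT file")
    slices = []
    for i in range(nfat):
        cputype, _sub, offset, size, _align = struct.unpack(">IIIII", data[8 + i * 20:28 + i * 20])
        if offset + size > len(data):
            raise ValueError(f"slice {i} runs past the end of the file")
        slices.append({"arch": CPU_NAMES.get(cputype, hex(cputype)), "offset": offset, "size": size})
    return slices


def triage(data: bytes) -> list[dict]:
    """Per-slice size and PyInstaller-cookie report for a universal binary."""
    report = []
    for sl in parse_fat_slices(data):
        body = data[sl["offset"]:sl["offset"] + sl["size"]]
        idx = body.rfind(PYINSTALLER_MAGIC)   # search from the end, as the bootloader does
        report.append({
            "arch": sl["arch"],
            "size": sl["size"],
            "pyinstaller": idx != -1,
            # distance of the cookie from the slice's end, to confirm "near the end"
            "cookie_bytes_from_end": (sl["size"] - idx) if idx != -1 else None,
        })
    return report


def _align_up(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_sample_fat(intel_size: int = 70 * 1024, arm_size: int = 8 * 1024 * 1024) -> bytes:
    """Constructed universal binary in the shape the article reports: a tiny x86_64
    slice and a large arm64 slice with a PyInstaller cookie near its end.
    The slices are only a Mach-O magic plus filler, not real code."""
    mh_magic_64 = b"\xcf\xfa\xed\xfe"   # MH_MAGIC_64 as stored on disk (little-endian)
    intel = mh_magic_64 + bytes(intel_size - len(mh_magic_64))
    # Placeholder cookie: magic, archive length, TOC offset/length, python version, lib name.
    cookie = PYINSTALLER_MAGIC + struct.pack(">IIiiI64s", 0, 0, 0, 0, 312, b"libpython3.12.dylib")
    tail = 64                            # a few trailer bytes after the cookie
    arm = mh_magic_64 + bytes(arm_size - len(mh_magic_64) - len(cookie) - tail) + cookie + bytes(tail)
    intel_off = _align_up(8 + 2 * 20, FAT_ALIGN)
    arm_off = _align_up(intel_off + len(intel), FAT_ALIGN)
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">IIIII", CPU_TYPE_X86_64, 3, intel_off, len(intel), 14)
    header += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, arm_off, len(arm), 14)
    out = bytearray(arm_off + len(arm))
    out[:len(header)] = header
    out[intel_off:intel_off + len(intel)] = intel
    out[arm_off:arm_off + len(arm)] = arm
    return bytes(out)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_fat()
    for row in triage(blob):
        print(row)
```

Point the script at a real file with a path argument and compare its slice table with the output of lipo -detailed_info, which prints the same offsets and sizes. A FAT_MAGIC_64 header or an implausible slice count is reported as an error rather than mis-parsed; the count check also keeps Java class files, which share the CAFEBABE magic, from being treated as Mach-O.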
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 13 May 2025 12:30:12 +0000