3 months ago
URGENT SECURITY ALERT: Malicious macOS Trojan Distributed via Filecrate (Download Provider for This Resource)
We would like to warn all users that Filecrate, the download provider for this resource, may redirect you to malicious websites during the download process. These sites often mimic GitHub pages and trick users into executing a command in the Terminal starting with: echo "GitHub-AppInstaller.
This command silently downloads and runs a Trojan script known as "MacSync Stealer." If you followed these steps and saw a popup message saying "Your Mac does not support this application. Try reinstalling or downloading the version for your system," please be extremely vigilant. This is NOT a compatibility error; it is a decoy used by the malware after it has finished stealing your data.
Key Risks of This Script:
Targeted Theft of Cryptocurrency Assets
The script steals private keys and data from dozens of desktop wallets (e.g., Exodus, Electrum, Atomic, Bitcoin Core).
It extracts configurations and data from numerous browser-based wallet extensions (e.g., MetaMask).
It detects and hijacks Ledger Live or Ledger Wallet apps by replacing legitimate files with malicious components downloaded from a remote server, attempting to re-sign the tampered apps to maintain control.
Comprehensive Theft of Browser and System Credentials
It harvests login passwords, session cookies, and history from major browsers including Chrome, Firefox, Edge, Brave, Arc, and Opera.
It uses a fake "System Preferences" dialog to trick users into providing their macOS login password.
It copies system Keychains and locally stored SSH keys, AWS credentials, and Kubernetes configurations.
Deep Scanning for Private Files
The script automatically scans Desktop, Documents, and Downloads folders for sensitive file types (e.g., .pdf, .wallet, .key, .seed, .pem, .kdbx) and prepares them for upload.
It also steals Telegram Desktop account data and local Apple Notes databases.
Traces and Cleanup
All stolen data is compressed into /tmp/osalogging.zip for exfiltration. The script then attempts to delete its temporary working folders in /tmp/ to hide its tracks.
Security Recommendations:
NEVER execute Terminal commands from untrusted sources, especially those starting with echo "GitHub-AppInstaller".
If you have seen the aforementioned popup, DISCONNECT FROM THE INTERNET IMMEDIATELY and use a separate, clean device to move all cryptocurrency assets.
Change passwords for all critical accounts and revoke any potentially compromised cloud service access keys.
Completely uninstall and reinstall security-related software like Ledger Live from official websites.
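A triage helper, added here as an example and not part of the original alert, that checks a macOS host for the traces the alert lists: the lure command prefix in shell history files, the /tmp/osalogging.zip staging archive, and a Ledger Live or Ledger Wallet bundle whose code signature no longer verifies. The history file locations, the application paths under /Applications and the use of codesign are assumptions; since the alert says the script deletes its working folders, a clean result only means these particular traces were not found.

```shell
#!/bin/sh
# Added triage helper, not part of the original alert. It checks a host for the
# traces the alert describes. File locations and app paths below are assumptions.

# Indicator strings quoted in the alert.
LURE_PREFIX='echo "GitHub-AppInstaller'
STAGING_ZIP_NAME='osalogging.zip'

# history_has_lure FILE: exit 0 if FILE contains the lure command prefix, 1 otherwise
# (also 1 when FILE is absent or unreadable). Fixed-string match, so the quote is literal.
history_has_lure() {
    [ -r "$1" ] || return 1
    grep -F -q -- "$LURE_PREFIX" "$1"
}

# staging_artifact_present DIR: exit 0 if the staging archive exists in DIR.
# The alert says the script tries to delete its work folders, so absence proves little.
staging_artifact_present() {
    [ -e "$1/$STAGING_ZIP_NAME" ]
}

# bundle_signature_ok APP: exit 0 if the bundle's code signature verifies,
# 1 if verification fails (possible tampering), 2 if the check cannot run
# (codesign missing, i.e. not macOS, or the app is not installed).
bundle_signature_ok() {
    command -v codesign >/dev/null 2>&1 || return 2
    [ -d "$1" ] || return 2
    codesign --verify --deep --strict "$1" >/dev/null 2>&1
}

# triage [HOME_DIR] [TMP_DIR]: run every check, print findings, exit 0 when no
# indicator was found and 1 otherwise. Defaults are the current user's home and /tmp;
# pass other paths to inspect a mounted disk image instead of the live system.
triage() {
    home="${1:-$HOME}"
    tmpdir="${2:-/tmp}"
    hits=0

    # Assumed history locations for zsh (the macOS default shell) and bash.
    for hist in "$home/.zsh_history" "$home/.bash_history" "$home"/.zsh_sessions/*.history; do
        if history_has_lure "$hist"; then
            echo "INDICATOR: lure command found in $hist"
            hits=$((hits + 1))
        fi
    done

    if staging_artifact_present "$tmpdir"; then
        echo "INDICATOR: staging archive $tmpdir/$STAGING_ZIP_NAME present"
        hits=$((hits + 1))
    fi

    # Assumed install paths for the two Ledger apps named in the alert.
    for app in "/Applications/Ledger Live.app" "/Applications/Ledger Wallet.app"; do
        rc=0
        bundle_signature_ok "$app" || rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "INDICATOR: code signature of $app does not verify"
            hits=$((hits + 1))
        fi
    done

    echo "triage complete: $hits indicator(s) found"
    [ "$hits" -eq 0 ]
}

# Run against the live system by default; e.g. `sh triage.sh /Volumes/Image/Users/alice /Volumes/Image/tmp`
triage "$@"
```

Run it as the user whose account was used when the command was pasted, since shell history is per user. A non-zero exit status is only a prompt for the steps the alert already recommends (disconnect, move assets from a clean device, rotate credentials, reinstall Ledger Live from the official site); it is not a substitute for a full forensic review of the machine.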