New macOS Stealth Intrusion: Multi-Stage Collector Bypasses Quarantine – Are You Next? + Video

Listen to this Post

Featured Image

Introduction:

Beyond the usual AMOS stealer variants, threat actors are now deploying purpose-built macOS collectors that combine bash scripts, hidden temporary files, quarantine bypasses, and fake system prompts. This recently uncovered intrusion (shared by @malwrhunterteam & @L0Psec) uses a multi-stage attack chain to harvest browser data, Apple Notes, SSH keys, and keychain artifacts while beaconing to a remote C2 server with a unique run ID.

Learning Objectives:

  • Understand the complete macOS attack chain – from initial bash execution to second-stage payload drop and credential harvesting.
  • Learn to detect and hunt for IOCs using native macOS/Linux/Windows commands and threat hunting techniques.
  • Implement mitigation strategies to block C2 communication, remove quarantine bypasses, and monitor suspicious osascript prompts.

You Should Know:

  1. Unpacking the macOS Attack Chain: Step-by-Step Execution Analysis

The attacker begins with an initial bash script that downloads a payload from `193.233.128.50` into a hidden temp file. The payload is then staged at `~/Library/Caches/com.apple.coreservices/com.apple.periodic` and the quarantine attribute is stripped. After discovery and collection phases, a second stage (~4.5 minutes later) drops `~/Library/Caches/com.apple.softwareupdate/SoftwareUpdate` (again quarantine removed) and finally a fake macOS prompt via `osascript` harvests credentials.

Step‑by‑step guide to simulate (analysis only, do not run on live systems):

 Check for suspicious staged files on macOS
ls -la ~/Library/Caches/com.apple.coreservices/
ls -la ~/Library/Caches/com.apple.softwareupdate/

View quarantine extended attributes
xattr -l ~/Library/Caches/com.apple.coreservices/com.apple.periodic

Monitor bash history for download commands
cat ~/.bash_history | grep -E "curl|wget|193.233.128.50"

On Linux (for cross‑platform hunting)
grep -r "193.233.128.50" /var/log/ 2>/dev/null

On Windows (using PowerShell)
Select-String -Path "C:\Users\AppData\Local\Temp.ps1" -Pattern "193.233.128.50"
  1. Indicators of Compromise (IOCs) and Threat Hunting Commands

| IOC Type | Value |

|-|-|

| Malicious IP (download) | `193.233.128.50` |

| C2 IP and port | `95.163.152.79:8133` |

| C2 URI | `/api/t` (unique run ID) |

| Staging paths (macOS) | `~/Library/Caches/com.apple.coreservices/com.apple.periodic` |

| Second stage path | `~/Library/Caches/com.apple.softwareupdate/SoftwareUpdate` |

| Process (fake prompt) | `osascript` (with dialog text) |

Hunting commands:

 Search for network connections to C2 (macOS)
sudo lsof -i @95.163.152.79:8133
sudo netstat -anvp tcp | grep 95.163.152.79

Find files with specific names in caches
find ~/Library/Caches -name "com.apple.periodic" -o -name "SoftwareUpdate" 2>/dev/null

Extract all connections from unified logs (macOS 10.12+)
log show --predicate 'eventMessage contains "95.163.152.79"' --last 1d

Linux equivalent (netstat + grep)
sudo netstat -tunap | grep 95.163.152.79

Windows PowerShell (check active connections)
Get-NetTCPConnection | Where-Object {$_.RemoteAddress -eq "95.163.152.79"}
  1. Bypassing macOS Quarantine and Gatekeeper – How Attackers Do It

When a file is downloaded via browser or email, macOS attaches a quarantine flag (com.apple.quarantine). The attacker removes it using `xattr -d` before execution. This allows unsigned or notarized malware to run without Gatekeeper warnings.

Step‑by‑step guide to detect and prevent:

  • Check quarantine status:
    xattr -l /path/to/suspicious/file
    

  • Remove quarantine (legitimate use only for trusted files):

    xattr -d com.apple.quarantine /path/to/file
    

  • Monitor for bulk xattr removal:

    sudo fs_usage -w -f filesys | grep "xattr"
    

  • Prevent removal via TCC or Endpoint Security framework (requires third‑party EDR).

  • Use Santa (Google’s binary authorization tool) to block execution of files that lack quarantine but are not allowlisted.
  1. Credential Harvesting with osascript – Fake macOS Prompts

The attacker uses `osascript` to display a legitimate‑looking system dialog, tricking the user into entering their password. This mimics macOS’s own authorization prompts.

Example of malicious osascript (for educational analysis):

osascript -e 'display dialog "System Update Required. Enter your password to continue." default answer "" with hidden answer'

Detection & mitigation:

  • Monitor for osascript execution (especially with `display dialog` and with hidden answer):
    Log all osascript invocations (create a wrapper or use EDR)
    sudo log stream --predicate 'process == "osascript"' --debug
    

  • Search for recent osascript usage:

    grep "osascript" ~/.bash_history
    grep "display dialog" /var/log/system.log
    

  • Windows equivalent (VBScript or PowerShell credential prompts):

    Detect suspicious credential prompts (PowerShell)
    Get-WinEvent -LogName "Windows PowerShell" | Where-Object {$_.Message -like "Get-Credential"}
    

  • User training: Never enter password into unexpected popups. Use `Cmd+Option+Esc` to verify if the prompt is from a system process.

5. C2 Beacon Analysis and Network Defense

The collector beacons to `95.163.152.79:8133/api/t` with a unique run ID (likely to track victims). This is a simple HTTP beacon – defenders can block the IP, sinkhole the domain, or monitor for the URI pattern.

Step‑by‑step network hardening:

  • Block C2 IP at the firewall (macOS using pf):
    Edit /etc/pf.conf and add:
    block out on en0 from any to 95.163.152.79
    Then reload:
    sudo pfctl -f /etc/pf.conf && sudo pfctl -e
    

  • Linux (iptables):

    sudo iptables -A OUTPUT -d 95.163.152.79 -j DROP
    

  • Windows (Advanced Firewall via PowerShell):

    New-NetFirewallRule -DisplayName "Block C2 IP" -Direction Outbound -RemoteAddress 95.163.152.79 -Action Block
    

  • Monitor for `/api/t` beaconing using Zeek (Bro) or Suricata:

    Suricata rule example
    alert http any any -> any any (msg:"macOS C2 beacon"; http.uri; content:"/api/t"; sid:1000001;)
    

6. Mitigation and Hardening for macOS Endpoints

To prevent this specific intrusion and similar ones, implement the following:

  • Disable unnecessary caches as execution paths: Use configuration profiles to restrict execution from ~/Library/Caches.
  • Enable Gatekeeper and notarization checks (default on modern macOS).
  • Deploy Santa or BlockBlock to monitor persistent locations.
  • Audit keychain access: Regularly review `~/Library/Keychains/` for unexpected temp files.
  • Use EDR with behavioral rules for `xattr -d` followed by execution.
  • Linux/Windows parallels: On Linux, monitor `~/.cache` and `chmod +x` on downloaded files. On Windows, track `Zone.Identifier` alternate data streams (the equivalent of quarantine).

7. Threat Hunting Labs and Recommended Training

The complete intrusion dataset will be shared via Threat Hunting Labs. To prepare your team:

  • Courses: SANS FOR518 (Mac and iOS Forensics), TCM Security’s Practical Malware Analysis, and CrowdStrike’s Falcon OverWatch threat hunting training.
  • Labs: Build your own macOS sandbox (e.g., using VirtualBuddy or VMware Fusion) and simulate the attack with the IOCs listed above.
  • Practice commands: Recreate the hunting queries in a lab environment:
    Simulate detection of the staged file
    echo "Malicious payload" > ~/Library/Caches/com.apple.coreservices/com.apple.periodic
    sudo log show --predicate 'eventMessage contains "com.apple.periodic"' --last 10m
    

What Undercode Say:

  • macOS is no longer a safe haven. Attackers now invest in purpose-built, multi-stage collectors that rival Windows malware in sophistication.
  • Quarantine bypasses are trivial to execute but can be detected via EDR rules monitoring `xattr` usage and execution from unusual cache paths.
  • Credential harvesting via osascript is highly effective because users trust system dialogs. Behavioral detection of `osascript` combined with hidden answer flags is critical.
  • Threat hunting requires parity across OSes – use the same network IOCs (IPs, URIs) to hunt on Linux, Windows, and macOS.

Prediction:

Within the next 12 months, we will see a surge in cross-platform malware families that adapt the same multi-stage, quarantine-bypass techniques to Windows (via Mark-of-the-Web bypasses) and Linux (via cron and `~/.config` persistence). macOS will become a prime target for ransomware and infostealers in enterprise environments as traditional Windows defenses improve. Organizations must adopt unified endpoint detection and response (EDR) with behavioral rules that transcend operating system boundaries, or risk being blindsided by the next wave of macOS-specific intrusions.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Kostastsale Its – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky