研究人员发现,该样本以名为 zk-call-messenger-installer-3.9.2-lts.dmg 的磁盘镜像形式传播,通过伪装成即时通讯或工具类应用诱导用户下载。与以往不同,新版本无需用户进行任何终端操作,而是由内置的 Swift 辅助程序从远程服务器拉取并执行编码脚本,完成信息窃取流程。
该恶意程序已完成代码签名并通过苹果公证,开发者团队 ID 为 GNJLS3UYZ4,相关哈希在分析时尚未被苹果吊销。这意味着其在默认 macOS 安全机制下具有更高的“可信度”,更容易绕过用户警惕。研究还发现,该 DMG 体积异常偏大,内含 LibreOffice 相关 PDF 等诱饵文件,用于进一步降低怀疑。
Disclaimer: Investing carries risk. This is not financial advice. The above content should not be regarded as an offer, recommendation, or solicitation on acquiring or disposing of any financial products, any associated discussions, comments, or posts by author or other users should not be considered as such either. It is solely for general information purpose only, which does not consider your own investment objectives, financial situations or needs. TTM assumes no responsibility or warranty for the accuracy and completeness of the information, investors should do their own research and may seek professional advice before investing.