Threat Database Mac Malware Gaslight macOS Malware

Gaslight macOS Malware

By Mezo in Mac Malware, Stealers

Cybersecurity researchers have uncovered a previously undocumented Rust-based malware strain for macOS that combines remote access capabilities with extensive information theft. The malware, named Gaslight, stands out because of its deliberate attempt to manipulate artificial intelligence tools used by malware analysts.

The campaign has been attributed with high confidence to threat actors aligned with North Korea. Unlike traditional malware that focuses solely on bypassing security controls, Gaslight attempts to undermine the confidence and decision-making of AI-assisted analysis systems.

Its most distinctive characteristic is an embedded sequence of fabricated system failure messages intended to convince large language model (LLM)-based analysis tools that the environment is unstable or compromised. Rather than attacking the sandbox or analysis platform directly, the malware seeks to distort the AI agent's perception of the investigation.

Telegram-Based Command-and-Control Infrastructure

At the core of Gaslight lies a Command-and-Control (C2) mechanism built around the Telegram Bot API. The malware enters a polling loop that enables operators to issue commands through an interactive shell and receive the execution results remotely.

If two instances attempt to communicate simultaneously using the same bot token, Telegram returns a 'Conflict' response, forcing the second instance to terminate.

The implant supports six primary commands that provide attackers with persistent control over an infected device:

  • help – displays available commands.
  • id – identifies the implant to the operator.
  • shell – executes shell commands through execvp.
  • kill – terminates a process using its PID.
  • upload – exfiltrates files through Telegram's attach:// mechanism.
  • stop – halts the implant's execution.

Researchers also discovered evidence of a seventh command, focus, although its purpose remains unknown.

Persistence Through Disguised System Services

To maintain long-term access to compromised systems, Gaslight creates a LaunchAgent that uses the label com.apple.system.services.activity within its .plist configuration file. This naming convention is intended to blend in with legitimate system components and avoid drawing attention.

Embedded Information-Stealing Capabilities

Gaslight contains a 6.6 KB Base64-encoded Python script that functions as a comprehensive data collection toolkit. The script gathers a wide range of information from the infected system, including:

Terminal command histories, installed applications, and running process snapshots.
Hardware and software profiles, the macOS Keychain database, and browser data from Chrome, Brave, Firefox, and Safari.

The harvested information is compressed into a ZIP archive named temp/collected_data.zip and then exfiltrated through Telegram.

Deployment of the Python stealer is handled by a separate 2 KB Base64-encoded Bash installer that installs a cpython-3.10.18 interpreter from the astral-sh/python-build-standalone project. Researchers noted that the script contains extensive comment headers and even emojis, indicators suggesting that portions of the code may have been generated with the assistance of a large language model.

Runtime Configuration and Self-Protection Features

A notable aspect of Gaslight is its operational flexibility. Critical information such as the Telegram bot token, chat identifier (tg_room_id), and other operator-specific settings are not embedded directly within the malware sample. Instead, these values are supplied at runtime.

The implant also protects sensitive operational details by automatically redacting its own Telegram bot token from runtime output, preventing analysts from recovering the information through logs or crash artifacts.

Weaponizing Prompt Injection Against Security Tools

Gaslight represents a significant evolution in malware design because it incorporates prompt injection techniques specifically intended to disrupt AI-driven security workflows.

The malware contains a Markdown-formatted block with 38 fabricated 'system' messages crafted to persuade security tools to abort, truncate, or refuse analysis entirely. These counterfeit messages reference issues such as token expiration, memory exhaustion, disk failures, repeated operational errors, injection vulnerabilities, and static-analysis warnings.

By introducing these deceptive prompts, the malware attempts to exploit the increasing reliance on LLM-assisted triage and reverse-engineering pipelines, turning AI-based analysis systems into targets of manipulation rather than merely obstacles to evade.

Trending

Most Viewed

Loading...