MacStealer malware pilfers passwords and crypto wallet data

Uptycs’ threat research team has discovered a new malware strain targeting macOS users that steals credentials stored in the iCloud Keychain, web browsers, and crypto wallets, along with sensitive files.
According to Uptycs, the malware has been dubbed MacStealer, and its developers are distributing it as a malware-as-a-service, selling premade builds to buyers who spread the malware through their own campaigns.
Uptycs’ team says the malware runs on macOS Catalina (10.15) up to macOS Ventura, Apple’s latest release.
The team discovered the malware on a dark web hacking forum where a developer had been advertising it since the beginning of March.
According to their posts, the MacStealer malware can exfiltrate the following data from infected systems:
- Account passwords, cookies, and payment method details from Firefox, Chrome, and Brave;
- TXT, DOC, DOCX, PDF, XLS, XLSX, PPT, PPTX, JPG, PNG, CSV, BMP, MP3, ZIP, RAR, PY, and DB files;
- Keychain databases (login.keychain-db) in base64 encoded form;
- System information;
- Keychain password information; and,
- Details from a range of crypto wallets: Coinomi, Exodus, MetaMask, Phantom, Tron, Martian Wallet, Trust Wallet, Kepler Wallet, and Binance.
Regarding the malware’s functionality, it is delivered as an unsigned DMG (Apple Disk Image) file that shows a fake password prompt when run.
The fake prompt then runs a command that lets the malware collect passwords from the infected Mac.
It collects all of the data mentioned above, stores it in a ZIP file, and sends it to remote command and control servers for the attacker to access.
It also sends basic information to a Telegram channel, informing the threat actor when new data is stolen.
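The theft chain above (read credential stores the process does not own, stage a ZIP, connect out, ping Telegram) is something endpoint telemetry can be correlated on. The following is an added example of that correlation logic, not Uptycs’ detection rules or the malware author’s code. The tab-separated log format, the process names and hostnames, and the assumption that the Telegram notification goes through the Bot API host api.telegram.org are all constructed for illustration; the browser and keychain paths are the well-known per-user locations on macOS.

```python
"""Correlate per-process endpoint telemetry for a MacStealer-style theft chain.

Added example only: the log format below, the process names, hostnames and
the Telegram Bot API assumption are constructed for illustration.
"""
from collections import defaultdict

# Credential stores the article says are collected, keyed by category, with
# their well-known locations under the user's home directory on macOS.
SENSITIVE_SUFFIXES = {
    "keychain": ("Library/Keychains/login.keychain-db",),
    "browser": (
        "Library/Application Support/Google/Chrome/Default/Login Data",
        "Library/Application Support/Google/Chrome/Default/Cookies",
        "Library/Application Support/BraveSoftware/Brave-Browser/Default/Login Data",
        "Library/Application Support/Firefox/Profiles/",  # logins.json, cookies.sqlite
    ),
}
# Processes expected to touch their own stores (constructed allow-list).
OWNER_OF = {
    "browser": ("Google Chrome", "Brave Browser", "firefox"),
    "keychain": ("securityd",),
}
# Assumption: the "new data stolen" notification uses the Telegram Bot API host.
TELEGRAM_HOSTS = ("api.telegram.org",)

# Constructed telemetry: pid \t process path \t event \t argument, in time order.
SAMPLE_LOG = """\
4120\t/Volumes/Installer/Installer\tfile_read\t/Users/alice/Library/Keychains/login.keychain-db
4120\t/Volumes/Installer/Installer\tfile_read\t/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data
4120\t/Volumes/Installer/Installer\tfile_write\t/tmp/out.zip
4120\t/Volumes/Installer/Installer\tnet_connect\tcollect.example.invalid:443
4120\t/Volumes/Installer/Installer\tnet_connect\tapi.telegram.org:443
3001\t/Applications/Google Chrome.app/Contents/MacOS/Google Chrome\tfile_read\t/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data
3001\t/Applications/Google Chrome.app/Contents/MacOS/Google Chrome\tnet_connect\tupdate.example.invalid:443
5200\t/usr/local/bin/backup\tfile_read\t/Users/alice/Documents/notes.txt
5200\t/usr/local/bin/backup\tfile_write\t/Users/alice/Backups/docs.zip
5200\t/usr/local/bin/backup\tnet_connect\tbackup.example.invalid:443
"""


def classify_path(path):
    """Return the credential-store category a path belongs to, or None."""
    for category, suffixes in SENSITIVE_SUFFIXES.items():
        if any(s in path for s in suffixes):
            return category
    return None


def correlate(log_text):
    """Fold events into per-process state, remembering when each stage first occurred."""
    fresh = lambda: {"proc": None, "stores": set(), "first_read": None,
                     "zip_at": None, "out_at": None, "c2": set(), "telegram": False}
    procs = defaultdict(fresh)
    for idx, line in enumerate(log_text.splitlines()):
        if not line.strip():
            continue
        pid, proc, event, arg = line.split("\t", 3)
        st = procs[pid]
        st["proc"] = proc
        if event == "file_read":
            category = classify_path(arg)
            # A browser reading its own Login Data is normal; anyone else is not.
            if category and not any(o in proc for o in OWNER_OF.get(category, ())):
                st["stores"].add(category)
                st["first_read"] = idx if st["first_read"] is None else st["first_read"]
        elif event == "file_write" and arg.lower().endswith(".zip"):
            st["zip_at"] = idx if st["zip_at"] is None else st["zip_at"]
        elif event == "net_connect":
            host = arg.rsplit(":", 1)[0]
            if host in TELEGRAM_HOSTS:
                st["telegram"] = True
            else:
                st["c2"].add(host)
                st["out_at"] = idx if st["out_at"] is None else st["out_at"]
    return procs


def flag_stealers(log_text):
    """Alert on processes that read a store they don't own, then wrote a ZIP, then went outbound."""
    hits = {}
    for pid, st in correlate(log_text).items():
        stages = (st["first_read"], st["zip_at"], st["out_at"])
        if None in stages or not (stages[0] < stages[1] < stages[2]):
            continue  # incomplete chain, or stages out of the collect-zip-send order
        hits[pid] = {"proc": st["proc"], "stores": sorted(st["stores"]),
                     "c2": sorted(st["c2"]), "telegram": st["telegram"]}
    return hits


if __name__ == "__main__":
    for pid, hit in flag_stealers(SAMPLE_LOG).items():
        print(pid, hit)
```

The ordering check (read before ZIP before outbound connection) is what keeps the backup tool and the browser out of the alert: both touch one stage of the chain legitimately, neither completes it. The Telegram flag is kept separate from the C2 host set so that it raises severity rather than being required, since the article describes it as a notification channel, not the exfiltration path.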