
Novel macOS malware steals iCloud keychain data and passwords


A new macOS malware dubbed ‘MacStealer’ has appeared on underground hacking forums. It steals iCloud Keychain data and passwords from infected systems, which puts documents, credit card data, browser cookies and login information at risk, along with Microsoft Office files, images, archives and Python scripts. It runs on macOS Catalina and newer, on Intel, M1 and M2 Macs.

Overall, the stealer has the following capabilities:

  • Collects passwords, cookies and credit card data from the Firefox, Chrome and Brave browsers.
  • Extracts files with the “.txt”, “.doc”, “.docx”, “.pdf”, “.xls”, “.xlsx”, “.ppt”, “.pptx”, “.jpg”, “.png”, “.csv”, “.bmp”, “.mp3”, “.zip”, “.rar”, “.py” and “.db” extensions.
  • Extracts the iCloud Keychain database, base64 encoded.
The MacStealer malware attack vector. | Source: Uptycs

The malware has been advertised on hacking forums since at least early March and is still under active development. It already has command and control (C2) functionality over Telegram, and Uptycs researchers report that the dark web post advertising it promises the following upcoming features:

  • Draining Metamask, Coinomi and Exodus wallets.
  • Control panel to check new logs and stats.
  • Self-Builder to generate new builds.
  • Reverse Shell.
  • Custom uploader to upload logs on the attacker’s server.
  • Binding capabilities with another DMG/PKG/APP file.

The infection chain is simple. The payload is distributed as a .DMG file; on execution it opens a fake password prompt asking the user to enter their password to access System Preferences. Once the password is entered, the stealer gathers the data listed above, packs it into a ZIP archive and sends it to a specific Telegram channel via a POST request carrying a Python User-Agent.

Fake password prompt generated by the malware. | Source: Uptycs
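The exfiltration step described above leaves a recognisable trace on the network: a POST to the Telegram Bot API sent by a Python HTTP library rather than a browser or the Telegram app. The following detection script is an added example, not code from the article or from Uptycs' report. It parses a simple forward-proxy log and flags exactly that combination. The log format, the constructed sample lines and the host name api.telegram.org are assumptions for illustration; the article only states that the archive is POSTed to a Telegram channel with a Python User-Agent.

```python
"""Added example (not from the article or Uptycs): flag MacStealer-style
exfiltration in a proxy log, i.e. an HTTP POST to the Telegram Bot API sent
with a Python User-Agent. Log format, sample lines and the api.telegram.org
host are assumptions made for this illustration."""
import re
from dataclasses import dataclass

# Constructed sample of a space-separated forward-proxy log (not real traffic):
# timestamp client method host path status "user_agent"
SAMPLE_LOG = """\
2023-03-27T10:01:02Z 10.0.0.5 GET www.apple.com / 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_2_1) AppleWebKit/605.1.15 Safari/605.1.15"
2023-03-27T10:01:07Z 10.0.0.5 POST api.telegram.org /bot123456:AAHxyz_example/sendDocument 200 "python-requests/2.28.2"
2023-03-27T10:02:15Z 10.0.0.9 POST api.telegram.org /bot987654:BBHabc_example/sendMessage 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_2_1) AppleWebKit/605.1.15 Safari/605.1.15"
2023-03-27T10:03:30Z 10.0.0.7 GET pypi.org /simple/requests/ 200 "pip/23.0.1"
2023-03-27T10:04:00Z 10.0.0.5 POST api.telegram.org /bot123456:AAHxyz_example/sendDocument 200 "Python-urllib/3.11"
2023-03-27T10:05:00Z 10.0.0.7 POST api.telegram.org /bot555:CCC_example/getMe 200 "python-requests/2.28.2"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Python HTTP clients announce themselves in the User-Agent header; neither a
# browser nor the Telegram desktop app looks like this.
PYTHON_UA_RE = re.compile(r"^python(-requests|-urllib|/)", re.IGNORECASE)
# Telegram Bot API paths have the form /bot<bot_id>:<secret>/<method>. Only the
# numeric bot_id is kept so the attacker's secret never lands in a ticket or SIEM.
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):[A-Za-z0-9_-]+/(?P<api_method>\w+)")
TELEGRAM_API_HOST = "api.telegram.org"  # assumed exfil endpoint


@dataclass(frozen=True)
class Alert:
    ts: str
    client: str
    api_method: str
    bot_id: str
    user_agent: str


def parse_line(line):
    """Return the log record as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_exfil(rec):
    """POST to the Bot API with a Python User-Agent is the signal we want."""
    if rec["method"] != "POST" or rec["host"] != TELEGRAM_API_HOST:
        return False
    return bool(PYTHON_UA_RE.match(rec["ua"]))


def find_exfil(log_text):
    """Scan a whole log and return one Alert per suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_exfil(rec):
            continue
        bot = BOT_PATH_RE.match(rec["path"])
        alerts.append(Alert(
            ts=rec["ts"],
            client=rec["client"],
            api_method=bot["api_method"] if bot else "?",
            bot_id=bot["bot_id"] if bot else "?",
            user_agent=rec["ua"],
        ))
    return alerts


if __name__ == "__main__":
    for a in find_exfil(SAMPLE_LOG):
        print(f"{a.ts} {a.client} -> Telegram bot {a.bot_id} {a.api_method} via {a.user_agent}")
```

The browser-looking POST from 10.0.0.9 is deliberately not flagged: a legitimate Telegram client on the same host would otherwise drown the alert in noise. Where no business process needs the Bot API from endpoints, blocking api.telegram.org outbound turns this detection into prevention, and the numeric bot ID is what to report to Telegram for takedown.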

After exfiltration it deletes the archive from the victim’s system in a cleanup step. Because the malware runs on the latest macOS version and there was no fix from Apple at the time of writing, the only preventive measures are to avoid installing untrusted or third-party apps and to restrict installation, via the Gatekeeper setting in Security & Privacy, to the App Store or to the App Store and identified developers.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018.