A new macOS malware dubbed ‘MacStealer’ has appeared on underground hacking forums. It can steal iCloud Keychain data and passwords from infected systems, which puts documents, credit card data, browser cookies and login information at risk, along with Microsoft Office files, images, archives and Python scripts. It targets Catalina and newer macOS versions running on Intel, M1 and M2 Macs.
Overall, the stealer has the following capabilities:
- Collects passwords, cookies and credit card data from the Firefox, Chrome and Brave browsers.
- Extracts files with the “.txt”, “.doc”, “.docx”, “.pdf”, “.xls”, “.xlsx”, “.ppt”, “.pptx”, “.jpg”, “.png”, “.csv”, “.bmp”, “.mp3”, “.zip”, “.rar”, “.py” and “.db” extensions.
- Extracts the base64-encoded iCloud Keychain database.
The malware has been advertised on hacking forums since at least early March and is still under active development. While it already has command and control (C2) functionality via Telegram, Uptycs researchers report that the dark web post advertising the malware promises the following upcoming features:
- Draining Metamask, Coinomi and Exodus wallets.
- Control panel to check new logs and stats.
- Self-Builder to generate new builds.
- Reverse Shell.
- Custom uploader to upload logs on the attacker’s server.
- Binding capabilities with another DMG/PKG/APP file.
Its operation is fairly simple. The payload is distributed as a .DMG file which, on execution, opens a fake password prompt asking the user to enter their password to access System Preferences. Once the password is entered, the stealer gathers the data listed above, packs it into a ZIP archive and sends it to a specific Telegram channel via a POST request that carries a Python User-Agent.
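The exfiltration step described above gives defenders a simple network-side signal. The following detection heuristic is an added example, not code from the article or from Uptycs: it scans constructed proxy log lines for HTTP POSTs to the Telegram Bot API host that carry a Python User-Agent and a large body. The log format, the host name (api.telegram.org) and the size threshold are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log: client_ip method url status bytes_sent "user-agent"
# The bot token in the URL is a placeholder; real logs would carry the token.
SAMPLE_LOG = """\
10.0.0.12 GET https://www.apple.com/ 200 512 "Mozilla/5.0 (Macintosh)"
10.0.0.12 POST https://api.telegram.org/bot[REDACTED]/sendDocument 200 1843200 "python-requests/2.28.1"
10.0.0.33 POST https://api.telegram.org/bot[REDACTED]/sendMessage 200 230 "Telegram-Desktop/4.6"
10.0.0.12 POST https://api.telegram.org/bot[REDACTED]/sendDocument 200 900 "python-requests/2.28.1"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) (\d+) "([^"]*)"$')
TELEGRAM_HOST = "api.telegram.org"          # assumed C2 endpoint host
PYTHON_UA_PREFIXES = ("python-requests", "python-urllib")


@dataclass
class Alert:
    client_ip: str
    url: str
    bytes_sent: int
    user_agent: str


def is_python_user_agent(ua: str) -> bool:
    """True for the default User-Agents of common Python HTTP libraries."""
    return ua.lower().startswith(PYTHON_UA_PREFIXES)


def detect_telegram_exfil(log_text: str, min_bytes: int = 100_000) -> list[Alert]:
    """Flag large POSTs to the Telegram Bot API made with a Python User-Agent.

    The size threshold skips small bot chatter (a status message, a heartbeat)
    and keeps only uploads big enough to be a ZIP archive of harvested data.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines that do not fit the assumed format
        client_ip, method, url, _status, bytes_sent, ua = m.groups()
        host = re.sub(r"^https?://", "", url).split("/", 1)[0]
        if method != "POST" or host != TELEGRAM_HOST:
            continue
        if is_python_user_agent(ua) and int(bytes_sent) >= min_bytes:
            alerts.append(Alert(client_ip, url, int(bytes_sent), ua))
    return alerts


if __name__ == "__main__":
    for alert in detect_telegram_exfil(SAMPLE_LOG):
        print(f"ALERT {alert.client_ip} sent {alert.bytes_sent} bytes to {alert.url} ({alert.user_agent})")
```

Only the 1.8 MB sendDocument upload is flagged; the ordinary Telegram Desktop call and the small Python POST are ignored, which is the behaviour to confirm against your own proxy format before deploying.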
It even goes back and deletes the archive from the victim’s system in a post-exploitation cleanup step. Additionally, since the malware affects the latest macOS version and there is no fix from Apple at the time of writing, the only preventive measure is to avoid installing untrusted or third-party apps and to restrict installation to trusted sources, i.e. to set macOS to allow apps only from the App Store, or from the App Store and identified developers.