
MacStealer malware targets Mac users and cryptocurrency wallets

by Emre Çıtak
29 March 2023
in Security, Tech

A recently discovered info-stealing malware, known as MacStealer malware, has been targeting Mac users, posing a significant risk to their stored iCloud KeyChain credentials, web browser data, cryptocurrency wallets, and potentially sensitive files.

This dangerous malware has been identified by the Uptycs threat research team and is currently being sold as malware-as-a-service (MaaS) on the dark web. Purchasers can obtain pre-made builds for $100, enabling them to easily spread the malware in their campaigns. And since you can now synchronize your iCloud Keychain passwords with Google Chrome, using other browsers won’t protect you against MacStealer either.

MacStealer malware targets users’ stored iCloud KeyChain credentials, web browser data and cryptocurrency wallets

MacStealer is compatible with macOS Catalina (10.15) and all subsequent versions, up to the most recent Apple OS, Ventura (13.2). This stealthy malware was first spotted by Uptycs analysts on a dark web hacking forum, where the developer has been promoting it since early in the month.

MacStealer is still at an early beta stage of development and does not come with panels or builders. Instead, the developer sells pre-built DMG payloads capable of infecting macOS Catalina, Big Sur, Monterey, and Ventura.

The MacStealer Malware menace

The malware creator justifies the relatively low price of $100 for MacStealer malware by citing the lack of a builder and panel. However, they promise to add more advanced features soon. According to the developer, MacStealer can extract the following data from compromised systems:

  • Account passwords, cookies, and credit card information from Firefox, Chrome, and Brave
  • A range of file types, including TXT, DOC, DOCX, PDF, XLS, XLSX, PPT, PPTX, JPG, PNG, CSV, BMP, MP3, ZIP, RAR, PY, and DB files
  • The Keychain database (login.keychain-db) in base64 encoded form
  • System information and Keychain password details
  • Coinomi, Exodus, MetaMask, Phantom, Tron, Martian Wallet, Trust wallet, Keplr Wallet, and Binance cryptocurrency wallets

The Keychain database is a secure storage system in macOS, designed to hold users’ passwords, private keys, and certificates, encrypting them with their login password. This feature enables the automatic entry of login credentials on web pages and apps.

MacStealer malware is available on the dark web for only $100

How does MacStealer malware operate?

MacStealer is distributed as an unsigned DMG file, posing as an innocuous file that victims are tricked into executing on their macOS systems. Once executed, it presents the victim with a fake password prompt; the password entered there allows the malware to collect passwords from the compromised machine.

Subsequently, the malware gathers all the data mentioned above, stores it in a ZIP file, and sends the stolen information to remote command and control servers for later retrieval by the threat actor.

Simultaneously, MacStealer malware sends basic information to a pre-configured Telegram channel, allowing the operator to receive quick notifications when new data is stolen and download the ZIP file. Although most MaaS operations target Windows users, macOS is not immune to such threats. Mac users should remain vigilant and avoid downloading files from untrustworthy websites to protect themselves from this emerging threat.
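The sequence described above (an unsigned process reading several credential stores, then staging a ZIP and connecting out) can be expressed as a simple correlation rule for endpoint telemetry. This is an added example, not code from the article or from Uptycs; the event schema, process names, file paths under `/Users/a`, and the Telegram host are constructed assumptions.

```python
import json
from collections import defaultdict

# Credential stores named in the article, mapped to macOS path fragments.
SENSITIVE = {
    "keychain": "/Library/Keychains/login.keychain-db",
    "chrome": "/Library/Application Support/Google/Chrome/",
    "brave": "/Library/Application Support/BraveSoftware/",
    "firefox": "/Library/Application Support/Firefox/Profiles/",
}

# Constructed sample telemetry (hypothetical schema), one JSON event per line.
SAMPLE_EVENTS = """\
{"pid": 311, "proc": "Google Chrome", "signed": true, "type": "file_open", "target": "/Users/a/Library/Application Support/Google/Chrome/Default/Login Data"}
{"pid": 402, "proc": "installer_helper", "signed": false, "type": "file_open", "target": "/Users/a/Library/Keychains/login.keychain-db"}
{"pid": 402, "proc": "installer_helper", "signed": false, "type": "file_open", "target": "/Users/a/Library/Application Support/Google/Chrome/Default/Login Data"}
{"pid": 402, "proc": "installer_helper", "signed": false, "type": "file_open", "target": "/Users/a/Library/Application Support/Firefox/Profiles/x.default/logins.json"}
{"pid": 520, "proc": "backup_tool", "signed": false, "type": "file_create", "target": "/Users/a/backup.zip"}
{"pid": 402, "proc": "installer_helper", "signed": false, "type": "file_create", "target": "/private/tmp/out.zip"}
{"pid": 402, "proc": "installer_helper", "signed": false, "type": "net_connect", "target": "api.telegram.org:443"}
"""

def detect(lines, min_stores=2):
    """Return {pid: [evidence]} for unsigned processes that read at least
    min_stores credential stores and afterwards create a ZIP or connect out."""
    stores = defaultdict(set)   # pid -> credential stores read so far
    alerts = {}
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        if ev["signed"]:
            continue  # assumption: the rule only covers unsigned code
        pid, target = ev["pid"], ev["target"]
        if ev["type"] == "file_open":
            stores[pid].update(k for k, frag in SENSITIVE.items() if frag in target)
        elif len(stores[pid]) >= min_stores:
            staged = ev["type"] == "file_create" and target.lower().endswith(".zip")
            if staged or ev["type"] == "net_connect":
                alerts.setdefault(pid, []).append(f'{ev["type"]}:{target}')
    return alerts

if __name__ == "__main__":
    for pid, evidence in detect(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid}: {evidence}")
```

The signed browser reading its own store and the backup tool that only creates a ZIP do not trigger the rule; only the process that combines credential-store reads with later staging or network activity does.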

The rising use of Mac malware

Last month, security researcher iamdeadlyz discovered another Mac information-stealing malware distributed in a phishing campaign aimed at players of ‘The Sandbox’ blockchain game. Similar to MacStealer, this information stealer also targeted credentials saved in browsers and cryptocurrency wallets, including Exodus, Phantom, Atomic, Electrum, and MetaMask.

With the increasing value of cryptocurrencies and the growing popularity of Mac systems, it is expected that more malware developers will target macOS users in their quest to steal valuable cryptocurrency wallets.

The use of Mac malware is on the rise.

As a result, Mac users must remain cautious, update their systems regularly, and use robust security measures to protect their devices and sensitive information from malicious actors like those behind MacStealer malware.

In conclusion, the emergence of the MacStealer malware highlights the growing threat landscape for Mac users. Cybercriminals are increasingly targeting macOS devices in search of valuable data and cryptocurrency wallets. As the MacStealer malware continues to evolve and potentially gain more advanced features, it is crucial for Mac users to remain vigilant and prioritize their digital security.
