Windows/Mac/Linux

New MacStealer macOS malware steals passwords from iCloud

Published

on

MacStealer is a brand-new piece of information-stealing malware that targets Mac users. It steals credentials stored in the iCloud KeyChain, web browsers, cryptocurrency wallets, and potentially sensitive files.

Targeting Mac users

MacStealer is being dispersed as a malware-as-a-administration (MaaS), where the engineer sells premade works for $100, permitting buyers to spread the malware in their missions.

The new macOS malware can run on macOS Catalina (10.15) and up to the most recent version of Apple’s OS, Ventura (13.2), according to the Uptycs threat research team that discovered it.

The developers of MacStealer have been promoting it on a dark web hacking forum since the beginning of the month, and Uptycs analysts came across it there.

The seller asserts that the malware lacks panels or builders and is still in the early beta stage. Pre-built DMG payloads that can infect macOS Catalina, Big Sur, Monterey, and Ventura are instead offered for purchase.

The threat actor says that the malware costs only $100 because it doesn’t have a builder or panel, but he says that more advanced features will come soon.

The malware developer claims that MacStealer can steal the following data from compromised systems:

  • Account passwords, cookies, and credit card details from Firefox, Chrome, and Brave.
  • TXT, DOC, DOCX, PDF, XLS, XLSX, PPT, PPTX, JPG, PNG, CSV, BMP, MP3, ZIP, RAR, PY, and DB files
  • Extract the Keychain database (login.keychain-db) in base64 encoded form
  • Collect System information
  • Collect Keychain password information
  • Coinomi, Exodus, MetaMask, Phantom, Tron, Martian Wallet, Trust wallet, Keplr Wallet, and Binance cryptocurrency wallets

The Keychain database is a secure storage system in macOS that holds users’ passwords, private keys, and certificates, encrypting it with their login password. The feature can then automatically enter login credentials on web pages and apps.

The perpetrators of the threat distribute MacStealer as a DMG file that is not signed and pretends to be something the victim is tricked into running on their macOS.

The victim is then prompted to enter a fake password in order to execute a command that enables the malware to collect passwords from the compromised machine.
The malware then gathers all of the data mentioned in the preceding section, archives them in a ZIP file, and transmits the stolen data to remote command and control servers for the threat actor to later collect.

Simultaneously, MacStealer sends a fundamental data to a pre-designed Wire channel, permitting the administrator to be immediately informed when new information is taken and download the Compress record.
While the majority of MaaS attacks target Windows users, macOS users should remain vigilant and refrain from downloading files from questionable websites.

A new Mac information-stealing malware was also discovered last month by security researcher iamdeadlyz as part of a phishing campaign aimed at “The Sandbox” blockchain game players.

Additionally, this information thief targeted credentials saved in cryptocurrency wallets and browsers, such as Exodus, Phantom, Atomic, Electrum, and MetaMask.

Malware developers will likely continue to target macOS in their search for cryptocurrency wallets to steal because threat actors are very interested in cryptocurrency wallets.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version