{"id":904,"date":"2023-03-28T07:39:06","date_gmt":"2023-03-28T07:39:06","guid":{"rendered":"https:\/\/cybersecuritynest.com\/?p=904"},"modified":"2023-03-28T07:39:06","modified_gmt":"2023-03-28T07:39:06","slug":"new-macstealer-macos-malware-steals-passwords-from-icloud","status":"publish","type":"post","link":"https:\/\/cybersecuritynest.com\/?p=904","title":{"rendered":"New MacStealer macOS malware steals passwords from iCloud"},"content":{"rendered":"<p>MacStealer is a brand-new piece of information-stealing malware that targets Mac users. 
It steals credentials stored in the iCloud KeyChain, web browsers, cryptocurrency wallets, and potentially sensitive files.<\/p>\n<h2><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-905\" src=\"https:\/\/cybersecuritynest.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-28-at-08.35.43-300x173.png\" alt=\"\" width=\"695\" height=\"401\" srcset=\"https:\/\/cybersecuritynest.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-28-at-08.35.43-300x173.png 300w, https:\/\/cybersecuritynest.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-28-at-08.35.43-1024x591.png 1024w, https:\/\/cybersecuritynest.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-28-at-08.35.43-768x444.png 768w, https:\/\/cybersecuritynest.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-28-at-08.35.43.png 1496w\" sizes=\"(max-width: 695px) 100vw, 695px\" \/><\/h2>\n<h2><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-906\" src=\"https:\/\/cybersecuritynest.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-28-at-08.35.55-206x300.png\" alt=\"\" width=\"671\" height=\"977\" \/><\/h2>\n<h2>Targeting Mac users<\/h2>\n<p>MacStealer is being distributed as malware-as-a-service (MaaS): the developer sells pre-built builds for $100, allowing buyers to spread the malware in their own campaigns.<\/p>\n<p>The new macOS malware can run on macOS Catalina (10.15) and up to the most recent version of Apple&#8217;s OS, Ventura (13.2), according to the Uptycs threat research team that discovered it.<\/p>\n<p>The developers of MacStealer have been promoting it on a dark web hacking forum since the beginning of the month, which is where Uptycs analysts came across it.<\/p>\n<p>The seller asserts that the malware has no panel or builder and is still in an early beta stage. 
Pre-built DMG payloads that can infect macOS Catalina, Big Sur, Monterey, and Ventura are instead offered for purchase.<\/p>\n<p>The threat actor says the malware costs only $100 because it has no builder or panel, and that more advanced features will come soon.<\/p>\n<p>The malware developer claims that MacStealer can steal the following data from compromised systems:<\/p>\n<ul>\n<li>Account passwords, cookies, and credit card details from Firefox, Chrome, and Brave<\/li>\n<li>TXT, DOC, DOCX, PDF, XLS, XLSX, PPT, PPTX, JPG, PNG, CSV, BMP, MP3, ZIP, RAR, PY, and DB files<\/li>\n<li>The Keychain database (login.keychain-db), extracted in base64-encoded form<\/li>\n<li>System information<\/li>\n<li>Keychain password information<\/li>\n<li>Coinomi, Exodus, MetaMask, Phantom, Tron, Martian Wallet, Trust Wallet, Keplr Wallet, and Binance cryptocurrency wallets<\/li>\n<\/ul>\n<p>The Keychain database is a secure storage system in macOS that holds users&#8217; passwords, private keys, and certificates, encrypted with their login password. 
The feature can then automatically fill in login credentials on web pages and in apps.<\/p>\n<p>The threat actors distribute MacStealer as an unsigned DMG file disguised as something the victim is tricked into running on their Mac.<\/p>\n<p>The victim is then shown a fake password prompt; entering a password runs a command that lets the malware collect passwords from the compromised machine.<br \/>\nThe malware then gathers all of the data listed in the preceding section, archives it in a ZIP file, and transmits the stolen data to remote command and control servers for the threat actor to collect later.<\/p>\n<p>At the same time, MacStealer sends some basic information to a pre-configured Telegram channel, allowing the operator to be notified immediately when new data is stolen and to download the ZIP file.<br \/>\nWhile the majority of MaaS attacks target Windows users, macOS users should remain vigilant and refrain from downloading files from questionable websites.<\/p>\n<p>A new Mac information-stealing malware was also discovered last month by security researcher iamdeadlyz as part of a phishing campaign aimed at players of &#8220;The Sandbox&#8221; blockchain game.<\/p>\n<p>That information stealer also targeted credentials saved in browsers and cryptocurrency wallets such as Exodus, Phantom, Atomic, Electrum, and MetaMask.<\/p>\n<p>Because threat actors are very interested in cryptocurrency wallets, malware developers will likely continue to target macOS in their search for wallets to steal.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>MacStealer is a brand-new piece of information-stealing malware that targets Mac users. It steals credentials stored in the iCloud KeyChain, web browsers, cryptocurrency wallets, and potentially sensitive files. 
Targeting Mac users MacStealer is being distributed as malware-as-a-service (MaaS), where the developer sells pre-built builds for $100, allowing buyers to spread the malware in their [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":907,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[1,11],"tags":[162],"class_list":["post-904","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-os","category-wml","tag-twitter"],"aioseo_notices":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/posts\/904"}],"collection":[{"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=904"}],"version-history":[{"count":1,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/posts\/904\/revisions"}],"predecessor-version":[{"id":908,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/posts\/904\/revisions\/908"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/media\/907"}],"wp:attachment":[{"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=904"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategorie
s&post=904"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=904"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}