MacStealer

A recently discovered malware known as MacStealer is posing a threat to users of Apple's Mac operating system. This particular malware has been designed to steal sensitive information from its victims, including their iCloud KeyChain credentials, web browser login information, cryptocurrency wallets, and potentially other important files.

What makes MacStealer, especially concerning is that it is being distributed as a 'Malware-as-a-Service' (MaaS) platform, which means that the developer is offering premade builds of the malware for sale to others who wish to spread it further. These premade builds are available for purchase for $100, making it easier for malicious actors to incorporate the malware into their own campaigns.

According to the researchers at Uptycs, who first discovered MacStealer, the threat is able to run on macOS Catalina (10.15) and all versions up to the most recent, Ventura (13.2). This means that virtually all Mac users are potentially vulnerable to this malware.

MacStealer can Compromise a Wide Range of Sensitive Information

MacStealer is malware that was uncovered on a Dark Web illicit forum, where the developer has been promoting it. The seller claims that the malware is still in its early beta development phase and as such, offers no panels or builders. Instead, the malware is sold as pre-built DMG payloads that are capable of infecting macOS Catalina, Big Sur, Monterey, and Ventura.

The threat actor states that the threat is being sold for so low due to the lack of a builder or panel but promises that more advanced features will be added soon. According to the developer, MacStealer is capable of stealing a wide range of sensitive data from compromised systems.

For instance, MacStealer can reportedly steal account passwords, cookies, and credit card details from popular web browsers such as Firefox, Chrome, and Brave. Additionally, it can extract numerous types of files, including DOC, DOCX, PDF, TXT, XLS, XLSX, PPT, PPTX, CSV, BMP, MP3, JPG, PNG, ZIP, RAR, PY, and DB files.

The malware is also capable of extracting the Keychain database (login.keychain-db) in a base64 encoded form. This is a secure storage system in macOS systems that holds users' passwords, private keys, and certificates, encrypting them with their login password. The feature can automatically enter login credentials on web pages and apps.

Lastly, MacStealer can collect system information, Keychain password information, and steal cryptocurrency wallets from numerous crypto-wallets - Coinomi, Exodus, MetaMask, Martian Wallet, Phantom, Tron, Trust wallet, Keplr Wallet, and Binance. All of these features make MacStealer a highly dangerous and concerning malware for Mac users.

The Operational Flow of the MacStealer Malware

MacStealer is distributed by the threat actors as an unsigned DMG file. The file is intended to be disguised as something legitimate or desirable to trick the victim into executing it on their macOS system. Once the victim executes the file, a fake password prompt appears, which runs a command that enables the malware to collect passwords from the compromised machine.

After the passwords are collected, MacStealer proceeds to collect other sensitive data, such as account passwords, cookies, credit card details, cryptocurrency wallets, and potentially sensitive files. It then stores all of this data in a ZIP file, which is sent to remote Command-and-Control servers to be collected later by the threat actor.

At the same time, MacStealer sends specific basic information to a pre-configured Telegram channel, which allows the threat actor to be quickly notified every time new data is stolen and download the ZIP file.

While most Malware-as-a-Service (MaaS) operations target Windows users, macOS is not immune to such threats. Therefore, it is important for macOS users to stay vigilant and avoid installing files from untrustworthy websites. Additionally, users should keep their operating systems and security software up to date to protect against the latest threats.