iCloud Keychain Passwords And Data Stolen by New MacStealer macOS Malware

A new information-stealing malware family is targeting Apple's macOS operating system to steal private data from infected devices. The newest example of a threat using Telegram as a command-and-control (C2) platform for leaking data is known as MacStealer. It mainly affects Macs with M1 and M2 chips running macOS Catalina and later.

“MacStealer has the ability to steal documents, cookies from the victim’s browser, and login information,” Uptycs researchers Pratik Jeware and Shilpesh Trivedi said in the latest report.

The malware is still a work in progress: its creators intend to add functionality for gathering data from Apple's Safari browser and the Notes app. It was first offered on online hacker forums at the beginning of the month. As it stands, MacStealer is built to extract iCloud Keychain data, passwords and credit card numbers from browsers including Google Chrome, Mozilla Firefox and Brave. It can also harvest Python scripts, images and Microsoft Office files.

The malware is spread through a DMG file (weed.dmg) that, when run, presents a fake login prompt to collect passwords under the pretext of needing access to the System Settings app. The specific mechanism used to distribute the malware is unknown. MacStealer is only one of several info-stealers to have emerged in the past few months, joining a large number of comparable programs that are already widely available.

These include HookSpoofer, a new C#-based malware inspired by StormKitty that has keylogging and clipper capabilities and sends the data it steals to a Telegram bot. Ducktail is another notable browser cookie-stealing malware that employs a Telegram bot to exfiltrate data. It first surfaced in mid-February 2023 and has since returned with enhanced methods for evading detection.
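Both MacStealer and the other stealers named above use a Telegram bot as their exfiltration channel, and that choice leaves a recognisable trace in egress logs: HTTPS POSTs to api.telegram.org whose path embeds a bot token and ends in an upload method such as sendDocument. The script below is an added example written for this page, not code from the article or from Uptycs; it runs a simple detection over a few constructed log lines. The log format (timestamp, client IP, process name, HTTP method, URL, bytes sent), the sample bot token and the process allow-list are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample egress log lines (not from the article). Fields:
# timestamp, client IP, process name, HTTP method, URL, bytes sent.
# The bot token is a placeholder, not a real one.
SAMPLE_LOG = """\
2023-03-27T10:01:02Z 10.0.0.12 Telegram GET https://api.telegram.org/file/bot0000000000:AAAAExampleExampleExampleExampleAAAA/photos/file_1.jpg 512
2023-03-27T10:01:05Z 10.0.0.12 Telegram POST https://api.telegram.org/bot0000000000:AAAAExampleExampleExampleExampleAAAA/getUpdates 0
2023-03-27T10:02:11Z 10.0.0.12 weed POST https://api.telegram.org/bot0000000000:AAAAExampleExampleExampleExampleAAAA/sendDocument 1834221
2023-03-27T10:02:30Z 10.0.0.12 Safari GET https://www.apple.com/ 0
2023-03-27T10:03:01Z 10.0.0.15 python3 POST https://api.telegram.org/bot0000000000:AAAAExampleExampleExampleExampleAAAA/sendDocument 920000
"""

# Telegram Bot API paths have the shape /bot<id>:<secret>/<method>.
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)$")

# Bot API methods that carry data out of the network.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMessage"}

# Assumed allow-list of processes permitted to use the Bot API
# (e.g. an approved internal alerting bot). Adjust per environment.
ALLOWED_PROCESSES = {"Telegram"}


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, proc, method, url, sent = parts
    return {"ts": ts, "client": client, "process": proc,
            "method": method, "url": url, "bytes_sent": int(sent)}


def redact_token(bot_id, secret):
    """Keep the bot id and only the edges of the secret so analysts can
    correlate findings without the full credential landing in tickets."""
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


def detect_telegram_bot_exfil(lines, min_bytes=1024):
    """Return one finding per upload-style Bot API POST made by a process
    that is not on the allow-list and that sent at least min_bytes."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["url"])
        if url.hostname != "api.telegram.org":
            continue
        match = BOT_PATH.match(url.path)
        if not match:
            continue  # file downloads and non-bot paths are not exfil
        bot_id, secret, api_method = match.groups()
        if rec["method"] != "POST" or api_method not in UPLOAD_METHODS:
            continue
        if rec["process"] in ALLOWED_PROCESSES or rec["bytes_sent"] < min_bytes:
            continue
        findings.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "process": rec["process"],
            "api_method": api_method,
            "bytes_sent": rec["bytes_sent"],
            "token": redact_token(bot_id, secret),
        })
    return findings


def summarize_by_token(findings):
    """Group findings by (redacted) bot token: the same token seen from
    several hosts points at one campaign with a shared C2 bot."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["token"], {"clients": set(), "bytes_sent": 0})
        entry["clients"].add(f["client"])
        entry["bytes_sent"] += f["bytes_sent"]
    return summary


if __name__ == "__main__":
    hits = detect_telegram_bot_exfil(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ts"]} {h["client"]} {h["process"]} -> {h["api_method"]} '
              f'({h["bytes_sent"]} bytes, bot {h["token"]})')
    for token, info in summarize_by_token(hits).items():
        print(f'bot {token}: {len(info["clients"])} host(s), {info["bytes_sent"]} bytes total')
```

The byte threshold keeps heartbeat-sized calls out of the alert queue, and the per-token summary is what turns two isolated hits into evidence of one campaign; in production the same logic would sit on proxy or EDR network telemetry rather than a string in the script.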

This includes “changing the initial infection from an archive containing a malicious executable to an archive containing a malicious LNK file that would start the infection chain,” Deep Instinct research expert Simon Kenin said earlier this month.

Stealer malware typically spreads through email attachments, fake software downloads and other forms of social engineering. Users are advised to avoid downloading files or clicking links from unidentified sources and to keep their operating system and security software up to date to reduce the risk of such attacks. According to SentinelOne analyst Phil Stokes, data kept on Macs is increasingly valuable to attackers because Macs are used more often in the workplace by leadership and development teams.

About the author

Yehudah Sunshine

Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on how to create opportunities, enhance marketing strategies and elevate cyber-driven thought leadership for cyfluencer (www.cyfluencer.com), the cybersecurity thought leadership platform. Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy.