Beware of MacStealer: A New Malware Targeting macOS Catalina Devices

The new MacStealer malware is being advertised on a notorious Russian hacker and cybercrime forum.

MacStealer steals extensive data from a targeted device, including personal data, iCloud Keychain data, images, passwords, and credit card details.

If your device runs on macOS Catalina, be cautious because a new malware has surfaced dubbed MacStealer, which mainly targets Catalina-running Mac devices and infects both Apple Silicon and Intel chips.

MacStealer steals a wide range of user data

Security researchers at Uptycs discovered MacStealer and observed that it steals extensive data from the device, including personal data, iCloud Keychain data, images, passwords, and credit card details.

Furthermore, the malware can steal browser cookies, documents, and login details from the targeted Mac. It works specifically on MacOS Catalina-based Macs. The malware steals cookies and credentials from Google Chrome, Firefox, and Brave browsers along with extracting the Keychain database.

Moreover, it can obtain several file types, such as text files, MP3s, photographs, PowerPoint files, and databases.

How Does the Attack Take Place?

The attack starts by taking the Keychain wholesale without accessing its data. The stolen database is transmitted to the attacker via Telegram in encrypted form. A separate ZIP folder is also shared with the attacker through a Telegram bot.

The malware developer, who is selling access to MacStealer for $100 per build, claims that the extracted Keychain cannot be accessed without the master password.

The developer has provided a list of upcoming features of MacStealer, which includes stealing funds from cryptocurrency wallets, a dedicated tool for creating new builds, a custom uploader, a reverse shell, and a control panel. The upcoming versions may also feature the capability to steal data from the Safari browser and Apple Notes.

This is what the MacStealer malware developer has to say on a Russian hacker forum (Image credit: Uptycs)

How to Stay Safe?

Researchers couldn’t identify how MacStealer moves between Macs. Initial infections were caused by the weed.dmg app, which bears the icon of a leaf and appears as an executable. When this file is opened, it displays a fake macOS password prompt.

(Image credit: Uptycs)

It is worth noting that this prompt isn’t the same as the genuine macOS password prompt. If the user enters credentials, the tool can access other documents on the device. Therefore, if you are an experienced Mac user, it would be easier to identify this difference.

Keep your Mac device updated and patched, and only download/install files from trusted sources, such as the App Store.

  1. 5 macOS Monterey Issues You Need to Fix
  2. macOS Hit By New “Alchimist” Attack Framework
  3. macOS Users hit by Chinese Iron Tiger APT Group
  4. DazzleSpy infects macOS through hacked websites
  5. Multi-platform SysJoker backdoor hits macOS devices
Related Posts