By Cam Sivesind
Tue | Mar 28, 2023 | 3:45 AM PDT

Structured telemetry and analytics cybersecurity firm Uptycs has discovered a new macOS malware stealer it is calling MacStealer.

The threat intelligence team at Uptycs discovered MacStealer during one of its Dark Web hunting explorations. It joins three Windows-based malware families seen in 2023 that use Telegram as their stealer command and control (C2) channel: Titan Stealer, Parallax RAT, and HookSpoofer.

"The stealer can extract documents, cookies from a victim's browser, and login information. It affects Catalina and subsequent macOS versions riding on Intel M1 and M2 CPUs," according to an Uptycs blog post.

"The stealer exhibits the following capabilities:

  • Collect the passwords, cookies, and credit card data from Firefox, Google Chrome, and Brave browsers
  • Extract files (.txt, .doc, .docx, .pdf, .xls, .xlsx, .ppt, .pptx, .jpg, .png, .csv, .bmp, .mp3, .zip, .rar, .py, .db)
  • Extract KeyChain database (base64 encoded)"

MacStealer is designed to extract iCloud Keychain data, passwords, and credit card information from Google Chrome, Mozilla Firefox, and Brave browsers. It also features support for harvesting Microsoft Office files, images, archives, and Python scripts.

Phil Stokes of SentinelOne wrote in a recent blog post:

"Perhaps prized above all data on a user's Mac is the user's keychain, an encrypted database used to store passwords, authentication tokens, and encryption keys. The keychain uses strong encryption that can't be broken simply by stealing the database or even accessing the computer. However, the weakness of the keychain is that its secrets can all be unlocked if the attacker knows the user's login password. If that password is weak, easily guessable, or—as is most common—voluntarily given up to a malicious process by request, the strength of the keychain's encryption is entirely irrelevant."

The method used to deliver the MacStealer malware has not yet been identified, but it is propagated as a DMG file (weed.dmg) that opens a fake password prompt to harvest the user's password under the false pretense that it needs access to the System Settings app.

Here's an Uptycs post from July 2022 describing KurayStealer, a malware builder written in Python that harvests passwords and screenshots and sends them to the attackers' Discord channel via webhooks.

Uptycs is sponsoring and participating in a panel discussion at the SecureWorld Financial Services virtual conference on May 17th.

And SentinelOne is providing thought leadership at the SecureWorld Philadelphia conference on April 19-20 with Michael Leland, Chief Cybersecurity Evangelist & Head of Technical Marketing, speaking on "Debunking Common Myths About XDR."

More from SentinelOne on macOS malware programs, such as MacStealer:

"As noted, a user's login keychain is of little use to an unauthorized party unless they also possess the login user's passwords, and as login passwords serve as either necessary or sufficient authentication for almost every other operation on a Mac device, they are highly sought after by threat actors.

Password theft can be accomplished in a number of ways: through spoofing, through keylogging, or simply by asking for authorization for some trivial task and using that authorization for something more nefarious.

Malware will typically ask a victim to elevate privileges so that it can install a privileged executable that will subsequently run as root and accomplish whatever tasks the attacker has in mind; often, LaunchDaemons are used for this. A good example of this TTP is seen in the CloudMensis/BadRAT spyware discovered independently by both ESET and Volexity."
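Defenders hunting for the LaunchDaemon persistence described in the quote above can triage the plist files that launchd loads at boot and login. The Python script below is an added example, not code from SentinelOne, Uptycs or any of the malware named here; the heuristics it applies (program stored in a user-writable or temporary path, an interpreter launched directly, RunAtLoad combined with KeepAlive) are assumptions of this example, and the sample plist is constructed, not a real indicator.

```python
import os
import plistlib
from pathlib import Path

# launchd reads these at boot (LaunchDaemons run as root) and at login (LaunchAgents).
LAUNCHD_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents")
# Paths a vendor daemon rarely runs from, but a dropper writing as the logged-in user often does.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/", "/private/var/folders/", "/Volumes/")
# Interpreters invoked directly to run a script or one-liner instead of a signed binary.
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript", "perl", "curl"}

def triage_job(job: dict) -> list[str]:
    """Reasons a launchd job dict looks like malware persistence; empty list means nothing flagged."""
    reasons = []
    args = [str(a) for a in job.get("ProgramArguments", [])]
    program = str(job.get("Program") or (args[0] if args else ""))
    if not program:
        reasons.append("no Program or ProgramArguments")
    if program.startswith(WRITABLE_PREFIXES):
        reasons.append(f"program in user-writable or temporary path: {program}")
    if os.path.basename(program) in INTERPRETERS:
        reasons.append("interpreter launched directly: " + " ".join(args or [program]))
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive: starts at boot and is restarted if killed")
    return reasons

def triage_plist(data: bytes) -> list[str]:
    """Parse one plist (XML or binary) and triage it; a plist launchd cannot parse is itself worth a look."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:
        return [f"unparseable plist: {exc}"]
    return triage_job(job if isinstance(job, dict) else {})

def scan(dirs=LAUNCHD_DIRS) -> dict[str, list[str]]:
    """Triage every .plist in the launchd directories and return only the flagged files."""
    results = {str(p): triage_plist(p.read_bytes()) for d in dirs for p in Path(d).glob("*.plist")}
    return {path: reasons for path, reasons in results.items() if reasons}

# Constructed sample plist (not a real indicator): a root daemon pointing at a hidden binary under /Users/Shared.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.cache/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(triage_plist(SAMPLE_PLIST), scan(), sep="\n")
```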
