Executive Summary
MacStealer is a new stealer malware targeting MacOS systems. It is capable of collecting passwords, cookies, and credit card data from several browsers and can extract multiple file types and steal KeyChain data.
Key Takeaways
- MacStealer is a new stealer malware targeting MacOS systems.
- MacStealer affects Catalina and later versions of MacOS on both M1 and M2 chips.
- MacStealer is capable of stealing browser data, multiple file types, and the victim’s KeyChain data.
What is MacStealer?
Uptycs recently reported on MacStealer, a stealer malware targeting MacOS systems. MacStealer affects Catalina and later versions of MacOS on both M1 and M2 chips. According to Uptycs researchers, MacStealer is available on the dark web for $100 USD per build.
MacStealer is capable of collecting passwords, cookies, and credit card data from Firefox, Chrome, and Brave browsers. It can extract multiple file types, including .txt, .doc, .docx,.pdf, .xls, .xlsx, .ppt, .pptx, .jpg, .png, .csv, .bmp, .mp3, .zip, .rar, .py, and .db. It can also steal KeyChain data, obtaining access to a victim’s saved passwords.
Threat actors use .DMG files to spread MacStealer. When the victim executes the file, a fake password prompt appears to gather passwords. MacStealer steals the user’s data, then ZIPs it and exfiltrates it to the C2. Like several other stealer families, MacStealer uses Telegram for C2. MacStealer cleans up after itself, deleting the ZIP file after the data is exfiltrated.
MacOS users often have a false sense of security, as MacOS has not been targeted by malware as heavily as Windows. In fact, MacOS had the least malware infections of all consumer operating systems in 2022, making up only 6.2% of infected systems. This is likely due to two factors. First, threat actors have been less likely to target MacOS devices, as most enterprises are more heavily reliant on Windows and Linux systems. Second, MacOS has multiple built-in security features, including XProtect, a built-in antivirus software, and Gatekeeper, a feature meant to prevent users from installing malware or suspicious programs by verifying downloaded apps.
However, as threat actors expand their repertoire, PolySwarm has seen an increase in the amount of malware developed to target MacOS and Linux devices. Threat actors are also creating MacOS and Linux variants of previously existing malware families. As more malware targeting MacOS emerges on the threat landscape, Mac users must be diligent to prevent having their machines compromised.
IOCs
PolySwarm has multiple samples of MacStealer.
F14dd83e60b8ca6d52e667ed85adafa9b849df33e428b005b05b7c6732de526a
5031aa79912fb23bcbe2209e015974fccb4b9e9334a9e8801833f07bd3a5ccfc
15d1afca780e2ea6ffec8c4862a3401e003b5e79ce5f9076b4eea4ab599bc4ce
d61666b49ef700cbd59c744bf5fca2e850be55a52f415102cf3ea1c1c2db18d4
You can use the following CLI command to search for all MacStealer samples in our portal:
$ polyswarm link list -f MacStealer
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports