New MacStealer macOS Malware Steals iCloud Keychain Data and Passwords
A new information-stealing malware has been discovered targeting Apple's macOS operating system, built to extract sensitive data from infected devices.

MacStealer is a new threat that uses Telegram as its command-and-control and data-exfiltration channel, specifically targeting devices running macOS Catalina and later on Apple's M1 and M2 chips.

According to a recent report by Shilpesh Trivedi and Pratik Jeware of Uptycs, MacStealer is capable of stealing login credentials, cookies, and documents from the victim's browser.

It was first advertised on hacking forums at the beginning of the month for $100. The malware is still unfinished, however, and its authors intend to add capabilities for harvesting data from Apple's Safari browser and the Notes application.

The current version of MacStealer is designed to extract iCloud Keychain data, passwords, and credit card information from browsers such as Google Chrome, Mozilla Firefox, and Brave. It can also collect Microsoft Office documents, images, archives, and Python scripts.

It is unclear how the malware is distributed, but it arrives as a DMG file named "weed.dmg". Once opened, it displays a fake password prompt that tricks users into entering their password under the pretext of granting access to the System Settings application.

MacStealer joins an already extensive collection of info-stealing tools that have emerged in recent months and remain in circulation.

Among them is HookSpoofer, a new stealer written in C#. It is based on StormKitty and includes keylogging and clipper capabilities, with the stolen data sent to a Telegram bot.

Also notable is Ducktail, a browser-cookie stealer that likewise uses a Telegram bot to exfiltrate stolen data. It resurfaced in mid-February 2023 with improved techniques for evading detection.

Earlier this month, Deep Instinct researcher Simon Kenin explained that the change involves switching the initial infection vector from a file carrying the malware itself to a malicious LNK file that kicks off the infection chain.

Stealer malware is typically distributed through email attachments, fake software downloads, and other social engineering techniques.

To reduce the risk, users are advised to keep their operating system and security software up to date and to avoid downloading files or clicking on links from unfamiliar sources.

Last week, SentinelOne researcher Phil Stokes noted that as Macs become more common among leadership and development teams within organizations, the data stored on them has become correspondingly more valuable to attackers.
