osecap.blogg.se

Telegram download macos








A new macOS malware, called MacStealer, that is capable of stealing various files, cryptocurrency wallets, and details stored in specific browsers like Firefox, Chrome, and Brave, was discovered by security researchers from Uptycs, a cybersecurity company specializing in cloud security. It can also extract the base64-encoded form of the database of Keychain, Apple's password manager. Users of macOS Catalina (10.5) and versions dependent on Intel, Apple M1, and Apple M2 are affected by this malware.

And while MacStealer appears to be the Mac malware to watch, it is pretty rudimentary, according to Thomas Reed, Malwarebytes' director of core technology. "There is no persistence method, and it relies on the user opening the app," he adds, considering the foreseeable features the developer wants to add to MacStealer in the future.

MacStealer uses channels in Telegram as its command-and-control (C2) center. The malware has been promoted on a dark web forum since the beginning of March. According to the developers, it's still in the early beta stage, thus lacking a builder and panel. This is also why the developers distribute MacStealer as malware-as-a-service (MaaS), selling it at a low price of $100 and promising more advanced features in the future.

MacStealer arrives on target macOS systems as an unsigned disk image (.DMG) file. Users are manipulated into downloading and executing this file on their systems. Once that is achieved, a bogus password prompt is shown to users in an attempt to steal their real password. MacStealer then saves the password in the affected system's temporary folder (TMP). The malware then proceeds to collect and save the following, also within the TMP folder:

  • Account passwords, browser cookies, and stored credit card details in Firefox, Chrome, and Brave.
  • Cryptocurrency wallets (Binance, Coinomi, Exodus, Keplr Wallet, Martian Wallet, MetaMask, Phantom, Tron, Trust Wallet).
  • Keychain database in its encoded (base64) form.

MacStealer also compresses everything it stole in a ZIP file and sends it to remote C&C servers for the threat actor to collect later. At the same time, a summary version of the information it stole is sent to pre-configured Telegram channels, alerting the threat actor that new stolen data is available for download.

[Image: A data summary of what has been stolen by MacStealer. The threat actors receive this on their personal Telegram bot.]









