MacStealer Malware Plucks Bushels of Data From Apple Users


An information-stealing malware that targets Apple’s macOS operating system is making the cyberrounds, siphoning off documents, iCloud Keychain data like passwords, browser cookies, and more from unwitting Apple users.

Appropriately dubbed “MacStealer,” it’s going for just $100 per build on the cyber underground, so it’s no surprise that “more MacStealer samples have been spreading recently,” according to a recent Uptycs analysis on the threat.

The malware affects the Catalina version of macOS and subsequent versions that use Intel M1 and M2 CPUs. It also uses the encrypted Telegram messaging platform for command-and-control (C2), the researchers found.

To propagate, operators are looking for low-hanging fruit, hoping to harvest victims by luring them to download .DMG files, which are containers for macOS apps. Fake apps in app stores, piracy websites, or email attachments could all be potential conduits for infection.

“The bad actor uses a .DMG file to spread the malware. After a user executes the file, it opens a fake password prompt,” Uptycs researchers explained in the post. “Once the user enters their login credentials, the stealer … [compresses] the data and sends it to C2 via a POST request using a Python User-Agent request. It deletes the data and ZIP file from the victim’s system during a subsequent mop-up operation.”
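A defender-side check for the C2 pattern the Uptycs quote describes (a POST carrying a Python User-Agent, with Telegram used as the C2 channel), as an added example that is not part of the original article or of the Uptycs analysis. The proxy log format, the `python-requests` User-Agent string and the Telegram bot API paths are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic). Assumed format:
# epoch client_ip method url status "user_agent"
SAMPLE_LOGS = """\
1680000000 10.0.0.12 GET https://www.apple.com/ 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"
1680000005 10.0.0.12 POST https://api.telegram.org/bot<TOKEN-PLACEHOLDER>/sendDocument 200 "python-requests/2.28.2"
1680000009 10.0.0.40 POST https://api.telegram.org/bot<TOKEN-PLACEHOLDER>/sendMessage 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/111.0"
1680000011 10.0.0.12 GET https://pypi.org/simple/ 200 "pip/23.0.1"
"""

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
TELEGRAM_API_HOST = "api.telegram.org"
# Bot API calls look like /bot<token>/<method>; the upload methods are the
# ones an exfiltration channel would use (assumed, based on the public Bot API).
BOT_PATH_RE = re.compile(r"^/bot[^/]+/(sendDocument|sendMessage)$")
# The article only says "Python User-Agent"; python-requests/urllib is an assumption.
PYTHON_UA_RE = re.compile(r"^python-(requests|urllib)/", re.IGNORECASE)


def parse_line(line):
    """Split one proxy log line into its fields, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client_ip, method, url, status, ua = m.groups()
    return {"ts": int(ts), "client_ip": client_ip, "method": method,
            "url": url, "status": int(status), "ua": ua}


def classify(entry):
    """Return 'high' for a POST to a Telegram bot upload method with a Python
    User-Agent, 'review' for the same path with any other UA, else None."""
    if entry["method"] != "POST":
        return None
    u = urlparse(entry["url"])
    path_match = BOT_PATH_RE.match(u.path)
    if u.hostname != TELEGRAM_API_HOST or not path_match:
        return None
    severity = "high" if PYTHON_UA_RE.match(entry["ua"]) else "review"
    return severity, path_match.group(1)


def scan(log_text):
    """Return (severity, client_ip, bot_api_method) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            hits.append((verdict[0], entry["client_ip"], verdict[1]))
    return hits
```

Browsers and legitimate bot integrations can also POST to the Bot API, so the "review" tier is a triage queue rather than a verdict; pairing the hit with the client host's process telemetry (a Python interpreter launched from a freshly mounted .DMG) is what turns it into an alert.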

This is just the latest malware to target Macs in recent months. In February, pirated versions of Apple’s Final Cut Pro video-editing software were found delivering a version of the XMRig cryptocurrency mining tool. And last year, a previously unknown macOS spyware called “CloudMensis” surfaced in a highly targeted campaign, exfiltrating documents, keystrokes, screen captures, and more from Apple machines.