{"id":21648,"date":"2023-04-03T16:11:55","date_gmt":"2023-04-04T00:11:55","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/04\/03\/news-15379\/"},"modified":"2023-04-03T16:11:55","modified_gmt":"2023-04-04T00:11:55","slug":"news-15379","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/04\/03\/news-15379\/","title":{"rendered":"New macOS malware steals sensitive info, including a user&#8217;s entire Keychain database"},"content":{"rendered":"<p>A new macOS malware&mdash;called MacStealer&mdash;that is capable of stealing various files, cryptocurrency wallets, and details stored in specific browsers like Firefox, Chrome, and Brave, was&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.uptycs.com\/blog\/macstealer-command-and-control-c2-malware\" target=\"_blank\">discovered<\/a>&nbsp;by security researchers from Uptycs, a cybersecurity company specializing in cloud security. It can also extract the base64-encoded form of the database of Keychain, Apple&#8217;s password manager. Users of macOS Catalina (10.5) and versions dependent on Intel M1 and M2 are affected by this malware.<\/p>\n<p>And while MacStealer appears to be&nbsp;<em>the<\/em>&nbsp;mac malware to watch, it is pretty rudimentary, according to Thomas Reed, Malwarebytes&#8217; director of core technology. &#8220;There is no persistence method, and it relies on the user opening the app,&#8221; he adds, considering&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.uptycs.com\/blog\/macstealer-command-and-control-c2-malware\" target=\"_blank\">the foreseeable features<\/a>&nbsp;the developer wants to add to MacStealer in the future.<\/p>\n<p>MacStealer uses channels in Telegram as its command-and-control (C2) center. The malware has been promoted on a dark web forum since the beginning of March. According to the developers, it&#8217;s still in the early beta stage, thus lacking a builder and panel. 
These are also why the developers distribute MacStealer as a malware-as-a-service (MaaS), selling at a low price of $100 and promising more advanced features in the future.<\/p>\n<p>MacStealer arrives to target macOS systems as an unsigned disk image (.DMG) file. Users are manipulated to download and execute this file onto their systems. Once achieved, a bogus password prompt is shown to users in an attempt to steal their real password. MacStealer then saves the password in the affected system&#8217;s temporary folder (TMP).<\/p>\n<p>The malware then proceeds to collect and save the following, also within the TMP folder:<\/p>\n<ul>\n<li>Account passwords, browser cookies, and stored credit card details in Firefox, Chrome, and Brave<\/li>\n<li>Cryptocurrency wallets (Binance, Coinomi, Exodus, Keplr Wallet, Martian Wallet, MetaMask, Phantom, Tron, Trust Wallet)<\/li>\n<li>Keychain database in its encoded (base64) form<\/li>\n<li>Keychain password in text format<\/li>\n<li>Various files (.TXT, .DOC, .DOCX, .PDF, .XLS, .XLSX, .PPT, .PPTX, .JPG, .PNG, .CVS, .BMP, .MP3, .ZIP, .RAR, .PY, .DB)<\/li>\n<li>System information in text form<\/li>\n<\/ul>\n<p>MacStealer also compresses everything it stole in a ZIP file and sends it to remote C&amp;C servers for the threat actor to collect later. At the same time, a summary version of the information it stole is sent to pre-configured Telegram channels, alerting the threat actor that new stolen data is available for download.<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/easset_upload_file13057_262665_e.png\" alt=\"\" width=\"508\" height=\"738\" \/><br \/>A data summary of what has been stolen by MacStealer. The threat actors receive this on their personal Telegram bot. 
(Source: Uptycs)<\/p>\n<p>MacStealer being an unsigned DMG file is also a barrier for anyone, especially beginners, attempting to run the program on a modern mac,&nbsp;said Malwarebytes&#8217; Reed.&nbsp;&#8220;Its attempt at phishing for login passwords is not very convincing and would probably only fool a novice user. But such a user is exactly the type who would have trouble opening it.&#8221;<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/new-macos-malware-yoinks-a-trove-of-sensitive-information-including-a-users-entire-keychain-database\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding=\"10\">\n<tr>\n<td valign=\"top\" align=\"left\">\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/apple\" rel=\"category tag\">Apple<\/a><\/p>\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/news\" rel=\"category tag\">News<\/a><\/p>\n<p>Tags: MacStealer<\/p>\n<p>Tags:  mac infostealer<\/p>\n<p>Tags:  information stealer<\/p>\n<p>Tags:  Apple<\/p>\n<p>Tags:  Thomas Reed<\/p>\n<p>Tags:  iCloud Keychain<\/p>\n<p>MacStealer could be an infamous stealer in the making, but right now, it needs improvement, according to Malwarebytes expert.<\/p>\n<table width=\"100%\">\n<tr>\n<td align=\"right\">\n<p><b>(<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/new-macos-malware-yoinks-a-trove-of-sensitive-information-including-a-users-entire-keychain-database\" title=\"New macOS 
malware steals sensitive info, including a user's entire Keychain database\">Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/new-macos-malware-yoinks-a-trove-of-sensitive-information-including-a-users-entire-keychain-database\">New macOS malware steals sensitive info, including a user&#8217;s entire Keychain database<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[2211,29018,21260,29017,29016,32,12942],"class_list":["post-21648","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-apple","tag-icloud-keychain","tag-information-stealer","tag-mac-infostealer","tag-macstealer","tag-news","tag-thomas-reed"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21648","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21648"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21648\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21648"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\
/wp-json\/wp\/v2\/categories?post=21648"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21648"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}