A new information-stealing malware has set its sights on Apple’s macOS operating system to siphon sensitive information from compromised devices. Dubbed MacStealer, it’s the latest example of an infostealer that uses Telegram as a command and control (C2) platform to exfiltrate data. This threat targets devices with M1 and M2 CPUs running macOS Catalina and later. MacStealer is designed to extract iCloud Keychain data, passwords, and credit card information from browsers like Google Chrome, Mozilla Firefox, and Brave. It also supports harvesting Microsoft Office files, images, archives, and Python scripts. The malware authors have indicated plans to add functionality soon to steal data directly from the Safari browser and Notes applications.
The malicious binary is propagated as a DMG file, observed in the wild as weed.dmg. When executed, the binary opens a fake password prompt, presented as an attempt to alter System Settings, that leads the user to enter their local administrator password. The initial attack vectors used by active campaigns deploying MacStealer are unknown at the time of writing. However, infostealer malware is typically spread through email attachments, trojanized or cracked software, social media lures, and other social engineering techniques.
The DMG is not digitally signed; it is highly recommended that organizations exercise tight controls over allowed applications on secure devices. This can be accomplished by creating an allow list of business-use applications and denying unsigned applications, applications not on the allow list, and applications not executing from the appropriate installation directory. This approach would also serve as a partial security control against DLL sideloading and other similar attacks. Binary Defense’s XDR and Managed Threat Hunting Services are an excellent solution to assist in developing custom detections and other methodologies to create a defense-in-depth strategy that would address threats such as MacStealer.
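
The allow-list control recommended above, sketched as a default-deny decision over process-execution events. This is an added example, not code from the original article or from any vendor product; the `ExecEvent` fields, the allow-list entries, the Team IDs and the sample paths are all constructed assumptions standing in for whatever an endpoint agent actually reports.

```python
import posixpath
from dataclasses import dataclass
from typing import Optional

# Hypothetical allow list: bundle identifier -> (expected Team ID, install directory).
# All values are constructed placeholders, not real vendor identifiers.
ALLOW_LIST = {
    "com.example.browser": ("TEAMID0001", "/Applications/Example Browser.app"),
    "com.example.mail": ("TEAMID0002", "/Applications/Example Mail.app"),
}

@dataclass
class ExecEvent:
    path: str                 # executable path reported by the endpoint agent
    bundle_id: Optional[str]  # None when the binary carries no signature
    team_id: Optional[str]    # None for unsigned or ad-hoc signed code

def evaluate(event: ExecEvent) -> tuple[bool, str]:
    """Return (allowed, reason) for one execution event; the default is deny."""
    if event.bundle_id is None or event.team_id is None:
        return False, "unsigned"
    entry = ALLOW_LIST.get(event.bundle_id)
    if entry is None:
        return False, "not-on-allow-list"
    expected_team, install_dir = entry
    if event.team_id != expected_team:
        return False, "signer-mismatch"
    # Normalise first so ".." segments cannot slip past the prefix check.
    # Symlinks are not resolved here; the agent is assumed to report real paths.
    real = posixpath.normpath(event.path)
    if not real.startswith(install_dir + "/"):
        return False, "wrong-install-directory"
    return True, "allowed"

# Constructed sample events, for illustration only.
SAMPLE_EVENTS = [
    ExecEvent("/Applications/Example Browser.app/Contents/MacOS/browser", "com.example.browser", "TEAMID0001"),
    ExecEvent("/Volumes/weed/weed.app/Contents/MacOS/weed", None, None),  # unsigned, run from a mounted DMG
    ExecEvent("/Volumes/Installer/Example Browser.app/Contents/MacOS/browser", "com.example.browser", "TEAMID0001"),
    ExecEvent("/Applications/Example Mail.app/Contents/MacOS/mail", "com.example.mail", "TEAMID9999"),
    ExecEvent("/Applications/Example Mail.app/../../tmp/mail", "com.example.mail", "TEAMID0002"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev), ev.path)
```

The third and fifth events show why the installation-directory check matters in addition to the signature check: a correctly signed, allow-listed binary is still denied when it runs from a mounted volume or from a path that only appears to sit under its install directory.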