MacStealer: Mac malware wants to steal passwords and crypto wallets

Malware offered cheaply on the Dark Web is intended to extract sensitive data from Macs and transmit it to attackers via the messenger Telegram.

Security researchers have come across a new piece of malware designed to steal data from Macs on a larger scale. Dubbed the “MacStealer,” the tool is offered as a service on Dark Web hacking forums and can extract a range of sensitive data from a compromised Mac, including passwords and credit card information stored in the central keychain and in browsers such as Chrome. The malware also seems to be particularly interested in crypto wallets, and the malware also wants to access a long list of document types.

The attacker should then receive a message in a channel of the messenger Telegram, along with a link to the ZIP archive with the extracted data. Several Windows malware samples have already been found this year that use Telegram as a control center, notes Uptycs, this is now the first Mac variant.

Mac malware is priced at $100 each

According to security researchers, MacStealer is offered as a ready-made disk image on the forums for only $100 and is said to work on all recent macOS versions up to macOS 13 Ventura – as well as on Intel and newer ARM Macs. The “MacOS Stealer” is still a beta, the provider warns in screenshots documented by Uptycs, further customization options will follow later. One of the programmers got infected with Covid and another “scammer” is trying to sell the stealer for a lot of money – that’s why the tool is offered for little money.

The malware is distributed unsigned, so it must first be signed and distributed before it can actually attack Mac users. In addition, users have to run the malware themselves and fall for a dialog that supposedly asks for the login password to access the system settings. According to the screenshots, the program is called “Weed”.

All alarm bells should be ringing with such dialogs for entering a password. (Image: Uptycs)

Safari keychain stealing is not yet supported

According to the provider, the malware is able to use the password to access the login keychain and access data from other browsers, but not Safari’s password database, i.e. the iCloud keychain. But they are working on it, according to the provider of the malware. According to Uptycs, there are numerous orders for the malware, so it can be expected that it will soon spread further. According to security researchers, users should update their Mac software and only install software from trusted sources.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s