A new malware called MacStealer has been discovered, targeting Apple’s macOS operating system to siphon sensitive information from compromised devices.
The malware uses Telegram as a command-and-control platform to exfiltrate data and primarily affects devices running macOS Catalina or later on Apple M1 and M2 chips.
MacStealer can steal documents, cookies, and login information from the victim’s browser.
The malware is still a work in progress, and its authors plan to add features to capture data from Apple’s Safari browser and the Notes app. Currently, MacStealer is designed to extract iCloud Keychain data, passwords, and credit card information from browsers such as Google Chrome, Mozilla Firefox, and Brave.
It also supports harvesting Microsoft Office files, images, archives, and Python scripts.
The exact method used to deliver the malware is not known, but it is propagated as a DMG file (weed.dmg) which, when opened, displays a fake password prompt that harvests the user's password under the guise of requesting access to the System Settings app.
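The behaviours described above (a weed.dmg dropper, Telegram bot API traffic used as C2, and reads of browser credential stores by a non-browser process) can be turned into simple endpoint detection logic. The following is an added example, not code from the article or from any vendor; the telemetry line format and the sample events are constructed for this example, and the process names and Telegram API hostname are assumptions.

```python
import re

# Constructed sample telemetry in a made-up "key=value" line format (not a real
# macOS log format). Each line is one process event on a single endpoint.
SAMPLE_EVENTS = [
    "ts=1 pid=501 proc=Finder action=mount target=/Users/alice/Downloads/weed.dmg",
    "ts=2 pid=502 proc=Telegram action=connect target=api.telegram.org",
    "ts=3 pid=503 proc=weed action=connect target=api.telegram.org",
    "ts=4 pid=504 proc=Google Chrome action=open target=/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data",
    "ts=5 pid=503 proc=weed action=open target=/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies",
    "ts=6 pid=503 proc=weed action=open target=/Users/alice/Library/Application Support/Firefox/Profiles/x1.default/logins.json",
    "ts=7 pid=505 proc=Preview action=open target=/Users/alice/Documents/notes.pdf",
]

EVENT_RE = re.compile(r"ts=(\d+) pid=(\d+) proc=(.+?) action=(\w+) target=(.+)")
# Credential/cookie stores of the browsers the article names (Chrome, Brave, Firefox).
CRED_STORE_RE = re.compile(
    r"(Google/Chrome|BraveSoftware/Brave-Browser)/[^/]+/(Login Data|Cookies)$"
    r"|Firefox/Profiles/[^/]+/(logins\.json|cookies\.sqlite)$"
)
BROWSER_PROCS = {"Google Chrome", "firefox", "Brave Browser"}  # assumed process names
TELEGRAM_API = "api.telegram.org"   # Telegram bot API endpoint used for exfiltration
TELEGRAM_CLIENTS = {"Telegram"}     # legitimate client allowed to talk to the API

def parse(line):
    """Parse one constructed telemetry line into a dict, or None if malformed."""
    m = EVENT_RE.fullmatch(line)
    if not m:
        return None
    ts, pid, proc, action, target = m.groups()
    return {"ts": int(ts), "pid": int(pid), "proc": proc, "action": action, "target": target}

def detect(lines):
    """Return one alert per event matching a MacStealer-style behaviour."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        rule = None
        if ev["action"] == "mount" and ev["target"].rsplit("/", 1)[-1] == "weed.dmg":
            rule = "dropper_dmg"            # the known dropper file name
        elif ev["action"] == "connect" and ev["target"] == TELEGRAM_API \
                and ev["proc"] not in TELEGRAM_CLIENTS:
            rule = "telegram_c2"            # Telegram API reached by a non-client process
        elif ev["action"] == "open" and CRED_STORE_RE.search(ev["target"]) \
                and ev["proc"] not in BROWSER_PROCS:
            rule = "browser_cred_access"    # credential store read by a non-browser
        if rule:
            alerts.append({"rule": rule, "pid": ev["pid"], "proc": ev["proc"], "ts": ev["ts"]})
    return alerts

def stealer_pids(alerts):
    """PIDs that both read a browser credential store and contacted the Telegram API."""
    by_pid = {}
    for a in alerts:
        by_pid.setdefault(a["pid"], set()).add(a["rule"])
    return sorted(p for p, r in by_pid.items() if {"telegram_c2", "browser_cred_access"} <= r)
```

Correlating the two rules per process (stealer_pids) is what separates a stealer from a browser legitimately reading its own files or the Telegram client reaching its own API.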
MacStealer is just one of several info-stealers that have surfaced in recent months, including HookSpoofer, a new C#-based malware that transmits stolen data to a Telegram bot, and Ducktail, which also uses a Telegram bot to exfiltrate data.
These malware attacks highlight the importance of keeping operating systems and security software up to date and avoiding downloading files or clicking links from unknown sources.
As Macs have become more popular in enterprises, attackers are increasingly targeting them to access sensitive data stored on them.