Friday, April 28, 2023

MacStealer Malware

Jovi Umawing (Hacker News, MacRumors):

Users are manipulated to download and execute this file onto their systems. Once achieved, a bogus password prompts users in an attempt to steal their real password. MacStealer then saves the password in the affected system’s temporary folder (TMP).

The malware then proceeds to collect and save the following also within the TMP folder:

  • Account passwords, browser cookies, and stored credit card details in Firefox, Chrome, and Brave
  • Cryptocurrency wallets (Binance, Coinomi, Exodus, Keplr Wallet, Martian Wallet, MetaMask, Phantom, Tron, Trust Wallet)
  • Keychain database in its encoded (base64) form
  • Keychain password in text format


MacStealer being an unsigned DMG file is also a barrier for anyone, especially beginners, attempting to run the program on a modern Mac, said Malwarebytes’ Reed. “Its attempt at phishing for login passwords is not very convincing and would probably only fool a novice user. But such a user is exactly the type who would have trouble opening it.”

I wonder whether this last point means to say that the app is unsigned or unnotarized. An unsigned disk image is not more difficult to open. It just means that the app will run under translocation, which doesn’t seem like it would provide any protection in this case.

I’m surprised we haven’t heard about more malware like this.
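The unsigned-versus-unnotarized distinction above is something an admin can check before a downloaded app is opened. The script below is an added example, not code from this post or from Malwarebytes: it assumes the macOS command-line tools `spctl`, `codesign`-style Gatekeeper assessment and `xattr`, and the `source=` strings it matches are the ones `spctl --assess -vv` prints for the common cases (the sample outputs in the comments are constructed). On a non-macOS system the live checks report `unavailable` and only the pure classifier is exercised.

```shell
#!/bin/sh
# Added example (not from the post or from Malwarebytes): classify the
# Gatekeeper verdict for a downloaded app so an admin can tell "unsigned",
# "signed but not notarized" and "notarized" apart before anyone opens it.
# Assumes the macOS tools spctl and xattr; on other systems the live
# checks report "unavailable" and only the pure classifier runs.

# Map the verbose output of `spctl --assess --type execute -vv <path>`
# to one label. Constructed sample, in the format spctl prints:
#   /tmp/Foo.app: rejected
#   source=no usable signature
# The "source=" strings below are the ones spctl prints for the common
# cases; anything else falls through to the accepted/rejected verdict.
classify_spctl_output() {
  case "$1" in
    *"source=Notarized Developer ID"*)   echo "notarized" ;;
    *"source=Unnotarized Developer ID"*|*"source=Developer ID"*)
                                         echo "signed-not-notarized" ;;
    *"source=no usable signature"*)      echo "unsigned" ;;
    *": accepted"*)                      echo "accepted-other" ;;
    *)                                   echo "rejected-other" ;;
  esac
}

# Live Gatekeeper assessment of a path (an .app bundle or a binary copied
# out of a mounted DMG). Returns "missing" / "unavailable" when the path
# or the tool is absent so callers can branch on it instead of failing.
gatekeeper_status() {
  [ -e "$1" ] || { echo "missing"; return 0; }
  command -v spctl >/dev/null 2>&1 || { echo "unavailable"; return 0; }
  out=$(spctl --assess --type execute -vv "$1" 2>&1)
  classify_spctl_output "$out"
}

# Whether the file still carries the quarantine attribute that browsers
# and Finder set on downloads. Gatekeeper only evaluates files carrying
# this attribute, so a file without it gets no prompt at all.
quarantine_state() {
  [ -e "$1" ] || { echo "missing"; return 0; }
  command -v xattr >/dev/null 2>&1 || { echo "unavailable"; return 0; }
  if xattr -p com.apple.quarantine "$1" >/dev/null 2>&1; then
    echo "quarantined"
  else
    echo "not-quarantined"
  fi
}

# One-line report for a path, combining both checks.
report_app() {
  printf 'path=%s gatekeeper=%s quarantine=%s\n' \
    "$1" "$(gatekeeper_status "$1")" "$(quarantine_state "$1")"
}

# Usage: sh check_app.sh /path/to/Downloaded.app
if [ -n "$1" ]; then
  report_app "$1"
fi
```

Run it against the app inside a mounted disk image (or after copying the app out) and the `gatekeeper=` field shows whether the bundle is merely unsigned, signed with a Developer ID but never notarized, or notarized; the `quarantine=` field shows whether Gatekeeper will even look at it.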

