New MacStealer Targets Catalina, Newer MacOS Versions

A new information-stealing malware (infostealer) has been observed targeting Catalina and newer versions of macOS running on Intel M1 and M2 CPUs. Security researcher Shilpesh Trivedi from Uptycs discussed the findings in an advisory published on Friday.

“The Uptycs threat research team has discovered a macOS stealer that [...] controls its operations over Telegram,” Trivedi wrote. “We’ve dubbed it MacStealer.”

The infostealer was discovered during one of the company’s dark web hunting operations. The malware can extract information from documents, browser cookies (Firefox, Google Chrome and Brave) and login information.

Read more on cookies here: France Fines Microsoft $64m for Imposing Ad Cookies to its Bing Users

“The bad actor uses a .DMG file to spread the malware. After a user executes the file, it opens a fake password prompt to gather passwords,” Trivedi explained.

The stealer was then observed creating ZIP archives of the stolen data and sending it to its command and control (C2) infrastructure via a POST request using a Python user-agent command. It concludes its attack chain by deleting the data and ZIP file from the victim’s system.

“Simultaneously, the MacStealer transmits selected information to the listed Telegram channels,” Trivedi said. “Once it has sent the compiled ZIP file to the C2, the latter shares the file with a threat actor’s personal Telegram bot.”

Looking at the VirusTotal graph for MacStealer, the Uptycs team spotted several different malware samples. The threat actor between the infostealer also seemed to be actively working on updating it with new features, including cryptocurrency theft, reverse shell and more.

“We found the distributor has a mass production order for MacStealer from other threat actors, thus, the malware is likely to be spread more widely,” Trivedi warned.

To guard against this threat, the security researchers recommended users keep their Mac systems up-to-date and allow only file installation from trusted sources permitted by the “Allow applications downloaded from App Store/App Store and identified developers” setting.

The MacStealer discovery comes weeks after Trellix security researchers discovered a new privilege escalation bug class on both macOS and iOS.

Editorial image credit: Tada Images /

What’s Hot on Infosecurity Magazine?