New malware steals Mac passwords and sends them via Telegram

The current version of MacStealer is based on a file named “weed.dmg”.

Dubbed MacStealer, a new malware has been found to infect Intel and Apple Silicon Mac computers and steal passwords, credit card information and other personal data.

Uptycs security researchers have discovered three Windows malware families that use the Telegram messaging service. The team has now found a version designed for Mac users.

The malware, known as MacStealer, can obtain documents, browser cookies, and login information from the target Mac. It runs on Macs with macOS Catalina or later, on both Intel and Apple Silicon chips.

As part of the theft, the software takes credentials and cookies from the Firefox, Google Chrome, and Brave browsers and extracts the Keychain database. It also attempts to collect various types of files, including MP3s, text files, PDFs, PowerPoint files, photos, and databases.

While pulling a keychain may sound like a serious danger to users, the attack takes the entire keychain without gaining access to the data inside it. The database is indeed exfiltrated to the attacker via Telegram, but it remains encrypted.

An attacker selling MacStealer access for $100 a build says the extracted keychain is “nearly impossible” to access without a master password. As part of the sale attempt, the actor says they “don’t want to make false promises” about access to this data and have not included it in the list of “upcoming” features.

Other items on the Upcoming Features list include a crypto wallet drain, a new build tool, a reverse shell, a custom loader, and a control panel.

After capturing files and data, MacStealer uses Telegram to send selected information through specific channels. The collected data is packed into a separate ZIP archive, which is then handed to a Telegram bot controlled by the attacker.
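The behaviour described in the two paragraphs above (reading browser cookie and login stores plus the Keychain database, collecting user documents, zipping them, and handing the archive to a Telegram bot) is a pattern a defender can correlate from endpoint telemetry. The script below is an added example, not code from Uptycs or from the article: it replays a handful of constructed file-open, file-write and network-connect events and flags any single process that both harvests credential stores or documents and stages a ZIP or talks to Telegram. The store paths are the standard macOS locations for the login keychain and for Chrome, Brave and Firefox profile data; the assumption that a Telegram bot exfiltration reaches `api.telegram.org` (the public Bot API host) is mine, not something the article states.

```python
"""Correlate macOS endpoint events into a MacStealer-style theft-plus-exfil alert.

Added example for illustration; event records are constructed, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Standard macOS locations of the stores the article says MacStealer harvests.
# Matching is by substring so any user's home directory works.
CREDENTIAL_STORES = (
    "/Library/Keychains/login.keychain-db",
    "/Library/Application Support/Google/Chrome/Default/Cookies",
    "/Library/Application Support/Google/Chrome/Default/Login Data",
    "/Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies",
    "/Library/Application Support/Firefox/Profiles/",  # cookies.sqlite, logins.json live below
)
# File types the article lists as collection targets.
DOCUMENT_SUFFIXES = (".mp3", ".txt", ".pdf", ".ppt", ".pptx", ".jpg", ".png", ".db", ".sqlite")
# Assumption: a Telegram bot used for exfiltration talks to the public Bot API host.
EXFIL_HOSTS = ("api.telegram.org",)


@dataclass
class Event:
    pid: int
    process: str
    kind: str    # "open", "write" or "connect"
    target: str  # file path for open/write, remote host for connect


@dataclass
class ProcessProfile:
    process: str = ""
    credential_stores: set = field(default_factory=set)
    documents: set = field(default_factory=set)
    archives: set = field(default_factory=set)
    hosts: set = field(default_factory=set)


def profile_events(events):
    """Group events per pid and bucket each one by what it touched."""
    profiles = defaultdict(ProcessProfile)
    for ev in events:
        p = profiles[ev.pid]
        p.process = ev.process
        if ev.kind == "open":
            if any(marker in ev.target for marker in CREDENTIAL_STORES):
                p.credential_stores.add(ev.target)
            elif ev.target.lower().endswith(DOCUMENT_SUFFIXES):
                p.documents.add(ev.target)
        elif ev.kind == "write" and ev.target.lower().endswith(".zip"):
            p.archives.add(ev.target)
        elif ev.kind == "connect" and ev.target in EXFIL_HOSTS:
            p.hosts.add(ev.target)
    return profiles


def find_suspects(events, min_documents=3):
    """Return (pid, process, reasons) for processes that harvest AND stage/exfiltrate.

    A browser reading its own cookie database is normal, so harvesting alone is
    not enough; the process must also write a ZIP or contact an exfil host.
    """
    hits = []
    for pid, p in profile_events(events).items():
        reasons = []
        if p.credential_stores:
            reasons.append(f"read {len(p.credential_stores)} credential store(s)")
        if len(p.documents) >= min_documents:
            reasons.append(f"read {len(p.documents)} user documents")
        if p.archives:
            reasons.append("wrote a ZIP archive")
        if p.hosts:
            reasons.append("connected to " + ", ".join(sorted(p.hosts)))
        harvested = bool(p.credential_stores) or len(p.documents) >= min_documents
        staged_or_exfiltrated = bool(p.archives) or bool(p.hosts)
        if harvested and staged_or_exfiltrated:
            hits.append((pid, p.process, reasons))
    return hits


# Constructed sample telemetry: one stealer-like process and two benign ones.
HOME = "/Users/alice"
SAMPLE_EVENTS = [
    Event(4242, "weed", "open", f"{HOME}/Library/Keychains/login.keychain-db"),
    Event(4242, "weed", "open", f"{HOME}/Library/Application Support/Google/Chrome/Default/Cookies"),
    Event(4242, "weed", "open", f"{HOME}/Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies"),
    Event(4242, "weed", "open", f"{HOME}/Documents/taxes.pdf"),
    Event(4242, "weed", "open", f"{HOME}/Documents/notes.txt"),
    Event(4242, "weed", "write", "/tmp/collected.zip"),
    Event(4242, "weed", "connect", "api.telegram.org"),
    # Chrome legitimately reads its own cookie store; no staging, no exfil host.
    Event(300, "Google Chrome", "open", f"{HOME}/Library/Application Support/Google/Chrome/Default/Cookies"),
    # Preview opening one PDF is ordinary user activity.
    Event(501, "Preview", "open", f"{HOME}/Documents/taxes.pdf"),
]

if __name__ == "__main__":
    for pid, name, reasons in find_suspects(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} process={name}: " + "; ".join(reasons))
```

Run against the constructed events, only pid 4242 is reported; Chrome and Preview fall below the bar because neither stages an archive nor reaches the assumed exfil host. On a real fleet the event source would be an EDR or Endpoint Security framework feed, and the document threshold should be tuned so that backup and indexing tools do not trip it.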

How to protect yourself from MacStealer

It’s not clear exactly how the malware travels between Macs, but the initial infection was caused by an application called “weed.dmg”. As you might expect, it looks like an executable with a leaf as an icon.

When trying to open the file, a fake macOS password prompt appears, which the tool then uses to access other files on the system.

Fake macOS password prompt from MacStealer [left]genuine macOS password prompt [right]

The password prompt used by the software is noticeably different from what macOS provides to users, so it should be easy enough for an experienced Mac user to spot something wrong. The big clue is that it doesn’t include the username field already populated.

Uptycs encourages users to keep their Mac systems up to date with patches and updates. It is also recommended that you only allow files to be installed from trusted sources such as the App Store.