New malware steals Mac passwords & sends them with Telegram

Posted:
in macOS
A new malware, dubbed MacStealer, has been found infecting Intel and Apple Silicon Macs, and is stealing passwords, credit card info, and other personal data.

The current iteration of MacStealer stems from a file called
The current iteration of MacStealer stems from a file called "weed.dmg"


A trio of Windows-based malware families has been uncovered by security researchers Uptycs that take advantage of messaging service Telegram. Now, the team has found a version specific to Mac users.

Referred to as MacStealer, the malware has the ability to take documents, browser cookies, and login information from a target Mac. It also specifically works on Macs running macOS Catalina or later, running on Intel or Apple Silicon chips.

As part of the theft, the software takes credentials and cookies from Firefox, Google Chrome, and Brave browsers, and also extracts the Keychain database. It also attempts to secure a variety of file types, including MP3s, text files, PDFs, PowerPoint files, photographs, and databases.

While pulling Keychain may seem like a big danger to users, the attack involves taking the Keychain wholesale, without accessing the data within it. The database does get taken and transmitted to the attacker by Telegram, but it's still encrypted.

The threat actor selling access to MacStealer for $100 per build says that the extracted Keychain is "almost impossible" to access without the master password. As part of the attempted sale, the actor says they don't "wanna make fake promises" for access to that data, and haven't included it in a list of "upcoming" features.

Other items in the "Upcoming features" list include the draining of cryptowallets, a tool to generate new builds, a reverse shell, a custom uploader, and a control panel.

At the same time as grabbing the files and data, MacStealer then uses Telegram to send over select information to specific channels. A separate ZIP compilation is then shared to a Telegram bot controlled by the hacker.

How to protect yourself from MacStealer

It is unclear exactly how the malware moves between Macs, but initial infections have been caused by an app called "weed.dmg." As you would expect, it looks like an executable with a leaf as an icon.

Attempting to open the file raises a fake macOS password prompt, which the tool then uses to access other files on the system.

MacStealer's fake macOS password prompt [left], a genuine macOS password prompt [right]
MacStealer's fake macOS password prompt [left], a genuine macOS password prompt [right]


The password prompt used by the software is distinctly different from what macOS provides users, so it should be reasonably easy for an experienced Mac user to spot something wrong. A big clue is that it doesn't include an already-populated username field.

Uptycs recommends that users keep their Mac systems up to date with patches and updates. Also, it is suggested to only permit the installation of files from trusted sources, such as the App Store.

Read on AppleInsider

Comments

  • Reply 1 of 13
    AppleZuluAppleZulu Posts: 1,661member
    It strains credulity to think someone would click on a "weed.dmg" app, voluntarily enter their system login info and expect things to go well from there.
    lkruppappleinsideruserzeus423williamlondonAlex_Vtokyojimuchiawatto_cobra
  • Reply 2 of 13
    I can see colors man...
    fred1watto_cobra
  • Reply 3 of 13
    lkrupplkrupp Posts: 10,557member
    AppleZulu said:
    It strains credulity to think someone would click on a "weed.dmg" app, voluntarily enter their system login info and expect things to go well from there.
    "Stupid is as stupid does" and the ever resilient "You can't fix stupid" apply here. Potheads will click on anything to get high.
    JP234zeus423watto_cobra
  • Reply 4 of 13
    While using my Safari browser a few months ago, a popup prompted me to enter an administrators name and password.  No mention of who or why they were asking.  Turned out to be for my ISP's distributed hot spots.
    But seriously, what the hell were they thinking?
    edited March 27 JP234zeus423watto_cobra
  • Reply 5 of 13
    JP234JP234 Posts: 1,416member
    While using my Safari browser a few months ago, a popup prompted me to enter an administrators name and password.  No mention of who or why they asking.  Turned out to be for my ISP's distributed hot spots.
    But seriously, what the hell were they thinking?
    I know what I'm thinking: who is your ISP?
    ronnchiawatto_cobra
  • Reply 6 of 13
    Like wow, man. Weed.
    Alex_Vwatto_cobra
  • Reply 7 of 13
    sflocalsflocal Posts: 6,048member
    There needs to be some next-level punishment for people that do things like these.  Yes, it's a white-color crime but serious prison time should be an option.  
    ronnwilliamlondonjas99chasmwatto_cobra
  • Reply 8 of 13
    JP234 said:
    While using my Safari browser a few months ago, a popup prompted me to enter an administrators name and password.  No mention of who or why they asking.  Turned out to be for my ISP's distributed hot spots.
    But seriously, what the hell were they thinking?
    I know what I'm thinking: who is your ISP?
    Not naming names, but if you drop down your list of WiFi networks, they're probably right at the bottom of the list.  Depending on where you are.
    JP234watto_cobra
  • Reply 9 of 13
    JP234JP234 Posts: 1,416member
    JP234 said:
    While using my Safari browser a few months ago, a popup prompted me to enter an administrators name and password.  No mention of who or why they asking.  Turned out to be for my ISP's distributed hot spots.
    But seriously, what the hell were they thinking?
    I know what I'm thinking: who is your ISP?
    Not naming names, but if you drop down your list of WiFi networks, they're probably right at the bottom of the list.  Depending on where you are.
    I don't even have to look. Used them before they went from 3rd to 3rd from last in the alphabet.
    baconstangwatto_cobra
  • Reply 10 of 13
    JP234 said:
    JP234 said:
    While using my Safari browser a few months ago, a popup prompted me to enter an administrators name and password.  No mention of who or why they asking.  Turned out to be for my ISP's distributed hot spots.
    But seriously, what the hell were they thinking?
    I know what I'm thinking: who is your ISP?
    Not naming names, but if you drop down your list of WiFi networks, they're probably right at the bottom of the list.  Depending on where you are.
    I don't even have to look. Used them before they went from 3rd to 3rd from last in the alphabet.
    To be fair, the service has been very good.  Also, for some reason, no other ISP will provide service on my block.  A block over there's fiber, but not here.  Weird.
    JP234
  • Reply 11 of 13
    While using my Safari browser a few months ago, a popup prompted me to enter an administrators name and password.  No mention of who or why they were asking. 
    A bit like when you use sign on with Apple. Browser asks for your Mac credentials! How easy would it be to fake that to harvest local usernames and passwords. 

    I always cancel that and sign in with the website’s credentials saved in keychain. Seems much safer. 
    🔥🚨
    williamlondonbaconstangwatto_cobra
  • Reply 12 of 13
    longpathlongpath Posts: 388member
    I cannot see anywhere in the article, whether or not the app has its own Telegram functionality, built-in, or if the victim has to have Telegram already installed. All I saw was that it uses Telegram to transmit the data. I would like to see a clarification on that point, if possible. 
    chiawatto_cobra
  • Reply 13 of 13
    JP234JP234 Posts: 1,416member
    How to protect yourself from MacStealer:
    1) Don't download something called "weed.dmg."
    2) Don't download "Telegram."
    3) Use Time Machine BEFORE you download ANYTHING (including OS updates). Every. Time.
    4) Don't let anyone else use your computer with adult or admin privileges. Log out, and switch users to a "guest" account that has no download privileges, before you let someone use it. 

    Clear enough?
    chasmmuthuk_vanalingambaconstangwatto_cobrabadmonk
Sign In or Register to comment.