This article discusses the information stealer known as “Purrglar,” which was discovered by Kandji’s Threat Research team. The stealer targets Chrome and Exodus wallet files and uses macOS Security Framework APIs to reach sensitive data, particularly the Keychain. Although it is still suspected to be in development, it already contains functions for exfiltrating data without the user’s awareness. The researchers highlight its potential threat and provide an overview of how it operates and what it means for defenders.
Affected: macOS users, Chrome users, Exodus wallet users
Key points:
- The information stealer “Purrglar” targets data from Chrome and Exodus wallets.
- It uses macOS Security Framework APIs to query the Keychain.
- It is currently suspected to be in a development phase, so its final intentions are unknown.
- The stealer attempts to retrieve sensitive information without the user’s awareness.
- The analysis covers how it captures and uploads sensitive files using curl APIs.
- Several paths to sensitive files on the user’s system are queried for data extraction.
MITRE Techniques:
- Credential Dumping (T1003) – Uses Security Framework APIs to access the macOS Keychain and obtain saved Chrome credentials.
- Data Exfiltration Over Command and Control Channel (T1041) – Sends exfiltrated data to localhost using curl APIs.
- Application Layer Protocol (T1071) – Uses HTTP to upload data to a specified local URL.
- Discovery (T1018) – Executes system commands via NSTask and system_profiler to retrieve hardware information.
Indicators of Compromise:
- [SHA256] 33f0387ea327203ce9c38289d14cf26c14fe24862440b525a9de320111c7a0c3
- [URL] http://localhost:8000/api/%@/%ld
- [File Path] ~/Library/Application Support/Google/Chrome/Default/Cookies
- [File Path] ~/Library/Application Support/Google/Chrome/Default/Login Data
- [File Path] ~/Library/Application Support/Exodus/exodus.wallet/passphrase.json
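The indicators above map directly onto host telemetry a defender can check: reads of the listed files by anything other than the owning application, `system_profiler` spawned by a non-interactive parent, and HTTP requests to the `localhost:8000/api/%@/%ld` staging URL. The triage logic below is an added example, not code from Kandji or from the report; the event shape and the sample events are constructed for illustration.

```python
import re

# Files the report says Purrglar reads, keyed relative to the home directory,
# with the one process expected to open each of them legitimately.
TARGET_FILES = {
    "Library/Application Support/Google/Chrome/Default/Cookies": "Google Chrome",
    "Library/Application Support/Google/Chrome/Default/Login Data": "Google Chrome",
    "Library/Application Support/Exodus/exodus.wallet/passphrase.json": "Exodus",
}
# The report's staging URL template http://localhost:8000/api/%@/%ld, with
# %@ (any string) and %ld (an integer) written as regex groups.
STAGING_URL = re.compile(r"^http://(?:localhost|127\.0\.0\.1):8000/api/[^/]+/\d+$")
INTERACTIVE_SHELLS = {"bash", "zsh", "sh", "Terminal"}

def home_relative(path):
    """Normalise '~/x' and '/Users/<name>/x' to 'x' so any user's profile matches."""
    if path.startswith("~/"):
        return path[2:]
    if path.startswith("/Users/") and path.count("/") >= 3:
        return path.split("/", 3)[3]
    return path

def triage_events(events):
    """Return (technique, actor, detail) for every event that matches an IoC."""
    findings = []
    for ev in events:
        if ev["type"] == "file_open":
            rel = home_relative(ev["path"])
            if rel in TARGET_FILES and ev["process"] != TARGET_FILES[rel]:
                findings.append(("T1003 credential file read", ev["process"], ev["path"]))
        elif ev["type"] == "http_request" and STAGING_URL.match(ev["url"]):
            findings.append(("T1041 upload to localhost:8000", ev["process"], ev["url"]))
        elif (ev["type"] == "exec" and ev["argv"][:1] == ["system_profiler"]
              and ev["parent"] not in INTERACTIVE_SHELLS):
            findings.append(("T1018 system_profiler spawned", ev["parent"], " ".join(ev["argv"])))
    return findings

# Constructed sample telemetry (not real data); the event shape is assumed.
SAMPLE_EVENTS = [
    {"type": "file_open", "process": "Google Chrome",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"type": "file_open", "process": "stealer",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"type": "file_open", "process": "stealer",
     "path": "~/Library/Application Support/Exodus/exodus.wallet/passphrase.json"},
    {"type": "exec", "parent": "stealer", "argv": ["system_profiler", "SPHardwareDataType"]},
    {"type": "exec", "parent": "zsh", "argv": ["system_profiler", "SPHardwareDataType"]},
    {"type": "http_request", "process": "stealer", "url": "http://localhost:8000/api/alice/3"},
]
```

Running `triage_events(SAMPLE_EVENTS)` yields four findings, all attributed to the `stealer` process; Chrome reading its own Cookies file and a user running `system_profiler` from zsh are left alone.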
Full Story: https://blog.kandji.io/kitty-stealer