Infostealers without borders: macOS, Python stealers, and platform abuse

MITRE Techniques

• [T1059 ] Command and Scripting Interpreter – Used for execution of various commands and scripts via PowerShell, osascript, and sh; quote: ‘Execution of various commands and scripts via osascript and sh’
• [T1547 ] Boot or Logon Autostart Execution – Persistent mechanisms observed via Registry Run keys and macOS LaunchAgent/LaunchDaemon; quote: ‘Registry Run key created’ / ‘LaunchAgent or LaunchDaemon for recurring execution’
• [T1053 ] Scheduled Task/Job – Adversaries create scheduled tasks for recurring execution and persistence; quote: ‘Scheduled task created for recurring execution’
• [T1574 ] Hijack Execution Flow (DLL sideloading) – Unauthorized code execution facilitated by DLL sideloading to load malicious components; quote: ‘Unauthorized code execution facilitated by DLL sideloading and process injection’
• [T1055 ] Process Injection – Processes were injected with potentially malicious code to evade detection and run stealers; quote: ‘A process was injected with potentially malicious code’
• [T1027 ] Obfuscated Files or Information – Attackers use obfuscated Python scripts and encoded payloads to hide malicious behavior; quote: ‘obfuscated Python scripts’
• [T1218 ] Signed Binary Proxy Execution (LOLBIN abuse) – Use of legitimate, signed binaries and living-off-the-land utilities (e.g., certutil, AutoIt) to decode or execute payloads; quote: ‘the use of signed and living off the land binaries’ / ‘Decode payload with certutil’
• [T1140 ] Deobfuscate/Decode Files or Information – Tools like certutil are used to decode payloads delivered by attackers; quote: ‘Decode payload with certutil’
• [T1560 ] Archive Collected Data – Sensitive browser information and other harvested data compressed into ZIP files for staging and exfiltration; quote: ‘Sensitive browser information compressed into ZIP file for exfiltration’
• [T1082 ] System Information Discovery – System and environment information queried using WMI and Python to profile victims; quote: ‘System information queried using WMI and Python’
• [T1555 ] Credentials from Password Stores – Theft of passwords and other sensitive web browser information, keychain, and developer secrets; quote: ‘Possible theft of passwords and other sensitive web browser information’
• [T1071 ] Application Layer Protocol (C2) – Use of web protocols and services (including Telegram and web POST to C2 APIs) for command-and-control and exfiltration; quote: ‘exfiltrated the data via Telegram’ / ‘Communication to command and control server’
• [T1036 ] Masquerading – Renamed Python interpreter masquerading as a system process (svchost.exe) to hide malicious execution; quote: ‘Python interpreter masquerading as a system process (i.e., svchost.exe)’