MacStealer is a macOS stealer distributed via DMG that is controlled over Telegram, marking a new platform for stealer operations. It exfiltrates browser credentials, Keychain data, and files, sending stolen data via HTTP POST to a C2 and to Telegram channels/bots using an unsigned Mach-O Python-based binary.
Keypoints
- MacStealer is a macOS-focused stealer affecting Catalina and newer on Intel, M1 and M2 CPUs.
- The malware can extract passwords, cookies, and credit card data from Firefox, Chrome, and Brave, plus a wide range of file types and the macOS Keychain database (base64 encoded).
- Infection starts with a .DMG distribution that prompts the user with a fake password dialog to harvest credentials.
- Data is collected, archived (ZIP), and exfiltrated to a C2 via a POST request, and also transmitted to Telegram channels and a private bot.
- The binary is an unsigned Mach-O compiled from Python code, with dependencies shown in the analysis.
- The malware is advertised on dark web forums and appears to be mass-produced for broader distribution.
MITRE Techniques
- [T1059.006] Python – The Mach-O file is compiled from Python code – “The Mach-O file is compiled from Python code (figures 5 and 6).”
- [T1071.001] Web Protocols – C2 communications via Telegram channels and HTTP POSTs – “Simultaneously, the stealer transmits selected information to the listed Telegram channels.”
- [T1560.001] Archive Collected Data – Data is zipped before exfiltration – “The stealer then ZIPs up the data and sends it to C2 via a POST request…”
- [T1041] Exfiltration Over C2 Channel – Data exfiltrates to C2 and Telegram channels – “sending a POST request” and “Transmits selected information to Telegram channels”
- [T1132] Data Encoding – Keychain data is base64 encoded – “Extract KeyChain database (base64 encoded)”
- [T1036] Masquerading – Fake password prompt to deceive the user – “fake password prompt”
- [T1070.004] Indicator Removal on Host – Deletes data and ZIP after exfiltration – “It deletes the data and ZIP file from the victim’s system during a subsequent mop-up operation.”
Indicators of Compromise
- [File] context – weed.dmg – distribution file used to spread MacStealer
- [SHA256] context – e51416f12f8c60e7593bef8b9fc55e04990aa047ad7e8abc22b511e7eb7586f6, 1b5ef101ac0b3c0c98874546ec4277e6a926c36733ab824cece9212373559818
- [Mach-O] context – 6a4f8b65a568a779801b72bce215036bea298e2c08ec54906bb3ebbe5c16c712
- [C2 URL] context – hxxp[:]//mac[.]cracked23[.]site/uploadLog
- [C2 domain] context – mac[.]cracked23[.]site
- [C2 IP] context – 89[.]116[.]236[.]26
- [Telegram] context – hxxps[:]//t[.]me/macos_stealer_2023, hxxps[:]//t[.]me/macos_logsbot
- [Domain/URLs] context – mac[.]cracked23[.]site (same domain referenced across samples)
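As an added defender-side example (not code from the Uptycs report), the snippet below re-fangs the indicators listed above and runs them over a few constructed proxy-log lines, flagging the POST to /uploadLog, other contact with the C2 host, and the Telegram channels; the log line format and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators from the MacStealer report, kept in the defanged form as published.
DEFANGED_IOCS = {
    "c2_domain": "mac[.]cracked23[.]site",
    "c2_ip": "89[.]116[.]236[.]26",
    "c2_url": "hxxp[:]//mac[.]cracked23[.]site/uploadLog",
    "telegram": ["hxxps[:]//t[.]me/macos_stealer_2023",
                 "hxxps[:]//t[.]me/macos_logsbot"],
}

def refang(value: str) -> str:
    """Turn a defanged indicator back into the form seen in real logs."""
    return value.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")

# Constructed sample proxy log (assumed format): ts src method url status bytes_out
SAMPLE_LOG = """\
2023-03-20T10:01:02Z 10.0.0.5 GET https://www.apple.com/ 200 512
2023-03-20T10:02:15Z 10.0.0.7 POST http://mac.cracked23.site/uploadLog 200 284311
2023-03-20T10:02:16Z 10.0.0.7 POST https://t.me/macos_logsbot 200 4096
2023-03-20T10:03:00Z 10.0.0.9 GET https://github.com/ 200 1024
2023-03-20T10:04:00Z 10.0.0.7 GET http://89.116.236.26/ 404 0
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")

@dataclass
class Hit:
    src: str
    reason: str
    url: str

def scan_proxy_log(text: str, iocs: dict = DEFANGED_IOCS) -> list[Hit]:
    """Return one Hit per log line that touches a MacStealer indicator."""
    c2_domain, c2_ip = refang(iocs["c2_domain"]), refang(iocs["c2_ip"])
    c2_url = refang(iocs["c2_url"])
    telegram = {refang(u) for u in iocs["telegram"]}
    hits: list[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, src, method, url, _status, _nbytes = m.groups()
        host = urlsplit(url).hostname
        if method == "POST" and url.startswith(c2_url):
            hits.append(Hit(src, "C2 upload (POST /uploadLog)", url))
        elif host in (c2_domain, c2_ip):
            hits.append(Hit(src, "contact with MacStealer C2 host", url))
        elif url in telegram:
            hits.append(Hit(src, "Telegram exfiltration channel", url))
    return hits
```

Grouping hits by source address is the natural next step, since a single host producing both the /uploadLog POST and the Telegram contact is the pattern the report describes.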
Read more: https://www.uptycs.com/blog/macstealer-command-and-control-c2-malware