macOS threat actors are increasingly focusing on data theft rather than ransom, exfiltrating session cookies, keychains, SSH keys, and other sensitive data to monetize or to enable espionage. The article outlines where these data assets reside, how attackers access them, and real-world examples such as the CircleCI breach, to help defenders hunt for signs of compromise. #CircleCI #DazzleSpy #KeySteal #PurelandInfoStealer #CloudMensis #EggShellRAT #OSXZuru #XLoader #Poseidon #SessionCookies #Keychain #SSHKeys
Key points
- macOS data theft focus: Threats target session cookies, keychains, SSH keys, browser data, pasteboard contents, and environment data for monetization or espionage.
- Session cookies exploited for impersonation: Attackers steal cookies to log in on other devices and impersonate users, as seen in CircleCI’s case.
- Keychain access weaknesses: A keychain can be unlocked by anyone who knows the user's login password, and malware either copies the keychain files directly or unlocks them through the keychain APIs.
- Credential harvesting variety: SSH keys, browser passwords, and passwords stored in apps are commonly stolen or exfiltrated.
- Privilege escalation and user prompts: Malware installs LaunchDaemons and presents privilege escalation dialogs to bypass protections and obtain elevated access.
- Environment-focused delivery: Malicious payloads may tailor delivery to specific OS versions or device environments to avoid detection.
- Defense emphasis: Endpoint protection, threat hunting across the paths where these sensitive assets reside, and up-to-date macOS protections are essential.
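A small hunting check for the last point, written as an added example (not code from the article): it scans file-access events for reads of the asset locations the article names (keychain files, SSH keys, browser cookie stores) by processes that are not expected to touch them. The path patterns and the allowlist of expected readers are assumptions, and the events are constructed samples standing in for an EDR or Endpoint Security feed.

```python
import fnmatch

# Sensitive macOS data assets discussed in the article, keyed by the MITRE
# technique the article maps them to. Paths are assumed well-known defaults.
SENSITIVE_PATHS = {
    "T1555.003 Credentials in Keychains": ["~/Library/Keychains/*"],
    "T1552.001 Credentials in Files (SSH keys)": ["~/.ssh/*"],
    "T1539 Steal Web Session Cookie": [
        "~/Library/Application Support/Google/Chrome/*/Cookies",
        "~/Library/Application Support/Firefox/Profiles/*/cookies.sqlite",
        "~/Library/Cookies/*",
    ],
}

# Processes expected to read each asset class in normal use (assumed allowlist;
# tune to the environment, because anything else touching these files is a lead).
EXPECTED_READERS = {
    "T1555.003 Credentials in Keychains": {"securityd", "security"},
    "T1552.001 Credentials in Files (SSH keys)": {"ssh", "ssh-add", "ssh-keygen", "git"},
    "T1539 Steal Web Session Cookie": {"Google Chrome", "firefox", "Safari"},
}


def hunt(events, home="/Users/alice"):
    """Return (technique, process, path) for each read of a sensitive asset
    by a process outside the expected set. Events are dicts with 'process'
    and 'path' keys; '~' in the patterns is expanded to the given home."""
    findings = []
    for ev in events:
        for technique, globs in SENSITIVE_PATHS.items():
            patterns = [g.replace("~", home, 1) for g in globs]
            if any(fnmatch.fnmatch(ev["path"], p) for p in patterns):
                if ev["process"] not in EXPECTED_READERS[technique]:
                    findings.append((technique, ev["process"], ev["path"]))
    return findings


# Constructed sample events: three expected reads, three suspicious ones, one benign path.
SAMPLE_EVENTS = [
    {"process": "securityd", "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"process": "osascript", "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"process": "ssh", "path": "/Users/alice/.ssh/id_ed25519"},
    {"process": "updater", "path": "/Users/alice/.ssh/id_ed25519"},
    {"process": "Google Chrome", "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"process": "updater", "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"process": "updater", "path": "/tmp/update.log"},
]

if __name__ == "__main__":
    for technique, proc, path in hunt(SAMPLE_EVENTS):
        print(f"[{technique}] {proc} read {path}")
```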
MITRE Techniques
- [T1539] Steal Web Session Cookie – The article discusses stealing session cookies to impersonate users across devices and login contexts. ‘The theft of session cookies from a Mac computer was implicated in the recent CircleCI breach. … to steal a valid, 2FA-backed SSO session. This machine was compromised on December 16, 2022. The malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location …’
- [T1555.003] Credentials in Keychains – The keychain file is collected and encrypted before exfiltration; ‘The keychain is then base64-encoded and encrypted by means of an open-source Chinese crypto library called JKEncrypt’
- [T1552.001] Credentials in Files – SSH Keys – ‘The script copied and exfiltrated a number of items, among which were any SSH keys located on the victims’ device.’
- [T1115] Clipboard Data – The pasteboard holds copied data in memory, where malware can read it; ‘The pasteboard … stores text, images and other data in memory when the user executes the copy function’
- [T1543.003] Create/Modify Launch Daemons – Privilege escalation via launch daemons and install-time permission prompts; ‘CloudMensis/BadRAT achieves privilege escalation by requesting permissions from the user on install (source: VirusTotal)’
- [T1056] Input Capture – Password theft and credential access via user interactions; ‘Password theft can be accomplished in a number of ways: through spoofing, through keylogging or simply by asking for authorization for some trivial task…’
- [T1082] System Information Discovery – Environmental data collection and fingerprinting; ‘DazzleSpy surveils its host environment in great detail’
Indicators of Compromise
- [Hash] CloudMensis/BadRAT – d7bf702f56ca53140f4f03b590e9afcbc83809db, 0aa94d8df1840d734f25426926e529588502bc08, and 1 more hash
- [Hash] DazzleSpy – ee0678e58868ebd6603cc2e06a134680d2012c1b
- [Hash] EggShell RAT – 556a2174398890e3d628aec0163a42a7b7fb8ffd
- [Hash] KeySteal – 26622e050d5ce4d68445b0cdc2cb23f9e27318ba, 3951a7bd03e827caf7a0be90fdfc245e6b1e9f8a
- [Hash] Poseidon – cb8be6d2cefe46f3173cb6b9600fb40edb5c5248, c91b0b85a4e1d3409f7bc5195634b88883367cad
- [Hash] Pureland InfoStealer – 0b5153510529e21df075c75ad3dbfe7340ef1f70, 1eec28e16be609b5c678c8bb2d4b09b39aa35c05
- [Hash] XLoader – 7edead477048b47d2ac3abdc4baef12579c3c348, 958147ab54ee433ac57809b0e8fd94f811d523ba
- [Hash] OSX.Zuru – 20acde856a043194595ed88ef7ae0b79191394f9