Cyber Security News

MacStealer – New macOS-Based Malware Steals Passwords, Cookies & Credit Cards From Browser

Uptycs threat research team recently discovered “MacStealer,” a new information-stealing malware designed to target Apple’s macOS operating system. It aims to steal various sensitive information, including credentials stored in the:- 

  • iCloud KeyChain
  • Web browsers
  • Cryptocurrency wallets
  • Potentially sensitive files

MacStealer is a malware-as-a-service (MaaS) distributed for $100, including premade builds enabling purchasers to spread the malware via Telegram as a command-and-control (C2) platform, making it a significant threat for exfiltrating data.

Specifically, this bug affects macOS versions Catalina and later runs on CPUs with M1 and M2 cores, which are the latest lineups from Apple.

In short, the latest macOS malware, capable of running on versions from macOS Catalina (10.15) to the latest Ventura (13.2), is reportedly being updated by malware authors to incorporate data capture functionalities from Apple’s Safari browser and Notes app, making it a significant threat to Apple users.

Capabilities of MacStealer

Discovered by Uptycs analysts on a dark web hacking forum at the beginning of the month, MacStealer is being promoted by the developer for a low price of $100. With this low price tag, they justify its affordability due to the lack of a builder and panel while promising the addition of advanced features in the future.

From compromised systems, MacStealer is capable of stealing the following information:-

  • Account passwords from Firefox, Chrome, and Brave
  • Cookies from Firefox, Chrome, and Brave.
  • Credit card details from Firefox, Chrome, and Brave
  • TXT files
  • DOC files
  • DOCX files
  • PDF files
  • XLS files
  • XLSX files
  • PPT files
  • PPTX files
  • JPG files
  • PNG files
  • CSV files
  • BMP files
  • MP3 files
  • ZIP files
  • RAR files
  • PY files
  • DB files
  • Extract the Keychain database in base64 encoded form
  • Collect System information
  • Collect Keychain password information
  • Coinomi cryptocurrency wallet data
  • Exodus cryptocurrency wallet data
  • MetaMask cryptocurrency wallet data
  • Phantom cryptocurrency wallet data
  • Tron cryptocurrency wallet data
  • Martian Wallet cryptocurrency wallet data
  • Trust wallet cryptocurrency wallet data
  • Keplr Wallet cryptocurrency wallet data
  • Binance cryptocurrency wallet data

Technical Analysis

MacStealer, one of several recent info-stealers, is spread via a DMG file named “weed.dmg” and tricks macOS users into entering their passwords by posing as a fake prompt for accessing the System Settings app, further contributing to the already significant number of similar tools in circulation with the exact method of delivery remaining unknown.

After collecting the mentioned data, MacStealer compresses the information into a ZIP file and sends it to remote command and control servers for retrieval by the threat actor while simultaneously alerting the operator of new data via a pre-configured Telegram channel, providing a quick and convenient way to download the ZIP file.


Here below, we have mentioned all the recommendations offered by the security researchers:-

  • It is imperative that users remain vigilant and do not download files from untrusted websites.
  • As a security precaution, it is recommended that users keep their operating systems and security software up to date.
  • Do not use any used or basic passwords.
  • Make sure to enable two-factor authentication.
  • If you come across a link that appears to come from an unknown source, do not click it.

Building Your Malware Defense Strategy – Download Free E-Book

Related Read:

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

25 Best Managed Security Service Providers in 2024

A Managed Security Service Provider (MSSP) offers a wide range of services, from network security…

15 hours ago

New Satanstealer Malware Steals Browser Cookies and Passwords

A new malware named "Satanstealer" has been identified, targeting browser cookies and passwords. The discovery…

16 hours ago

Microsoft Unveils Ways To Detect Compromised Devices In Your Organization

Microsoft has announced a new way to spot potentially hacked machines in your organization.  Analysts…

16 hours ago

New ScriptBlock Smuggling Attack Let Ackers Bypass PowerShell Security Logs And AMSI

Ever since the introduction of PowerShell v5, there have been less usage of the application…

16 hours ago

Hackers Leveraging New Social Engineering To Run PowerShell And Install Malware

Hackers use social engineering as it focuses on the psychological rather than technological aspects of…

19 hours ago

Hackers Attacking Hotel Owners & Employees as Potential Guests

Since last summer, hotel owners and employees have grappled with a surge in malicious e-mails…

19 hours ago