

Research by Shilpesh Trivedi and Pratik Jeware

Attackers are increasingly turning to Telegram, particularly for stealer command and control (C2). Uptycs has already identified three Windows-based malware families that use Telegram this year, including Titan Stealer, Parallax RAT, and HookSpoofer. And now the Uptycs threat research team has discovered a macOS stealer that also controls its operations over Telegram.

The threat actor who is distributing MacStealer was discovered by the Uptycs threat intelligence team during our dark web hunting.

Figure 1: Threat actor advertisement on the dark web

MacStealer Features

The stealer can extract documents, cookies from a victim's browser, and login information. It affects Catalina and subsequent macOS versions riding on Intel M1 and M2 CPUs.

The stealer exhibits the following capabilities:

- Collect the passwords, cookies, and credit card data from Firefox, Google Chrome, and Brave browsers.
- Extract Keychain database (base64 encoded)

Figure 2: Threat actor selling MacStealer for $100/build

Malware Operation

Figure 3 shows the MacStealer operational behavior.

Figure 3: MacStealer malware operation

Technical Analysis

Shown in figure 4, the Mach-O file is not digitally signed. The Mach-O file is compiled from Python code (figures 5 and 6). After a user executes the file, it opens a fake password prompt to gather passwords using the following command line:

osascript -e 'display dialog "MacOS wants to access the System Preferences" with title "System Preferences" with icon caution default answer "" with hidden answer'

Once the user enters their login credentials, the stealer gathers data as described in the MacStealer Features section. It stores it in the following system directory.

The stealer then ZIPs up the data and sends it to C2 via a POST request using a Python User-Agent (figures 8 and 9).

Figure 8: Stealer collecting data

Simultaneously, MacStealer transmits selected information to the listed Telegram channels. It deletes the data and the ZIP file from the victim's system during a subsequent mop-up operation.

Figure 11: Sending basic information to the Telegram public channel
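Defender-side triage for the two behaviours described above (the osascript fake password prompt with a hidden-answer dialog, and the ZIP upload sent via POST with a Python User-Agent), as an added example that is not part of the original post. The telemetry record format and the sample events are constructed assumptions; the chain rule assumes the prompt is spawned as a child of the process that later performs the upload.

```python
import re

# Fake macOS password prompt: AppleScript "display dialog" that takes hidden input.
FAKE_PROMPT = re.compile(
    r'display\s+dialog\b.*?\bdefault\s+answer\b.*?\bhidden\s+answer\b', re.I | re.S)
# User-Agent of Python HTTP clients (requests/urllib), as used by the stealer's POST.
PYTHON_UA = re.compile(r'^python-(requests|urllib)', re.I)

def flag_exec(ev):
    """'osascript_credential_prompt' if an osascript exec builds a hidden-answer dialog."""
    if ev.get("type") != "exec" or ev.get("image", "").rsplit("/", 1)[-1] != "osascript":
        return None
    return "osascript_credential_prompt" if FAKE_PROMPT.search(ev.get("cmdline", "")) else None

def flag_http(ev):
    """'python_zip_post' for a POST with a Python User-Agent carrying a ZIP body."""
    if ev.get("type") != "http" or ev.get("method") != "POST":
        return None
    if PYTHON_UA.match(ev.get("user_agent", "")) and "zip" in ev.get("content_type", ""):
        return "python_zip_post"
    return None

def triage(events):
    """Per-event findings, plus a chain finding when the process that spawned the
    fake prompt is the same process that performed the ZIP upload."""
    findings = [(ev["pid"], f) for ev in events for f in (flag_exec(ev) or flag_http(ev),) if f]
    prompt_parents = {ev["ppid"] for ev in events if flag_exec(ev)}
    uploaders = {ev["pid"] for ev in events if flag_http(ev)}
    for pid in sorted(prompt_parents & uploaders):
        findings.append((pid, "prompt_then_zip_upload_chain"))
    return findings

# Constructed sample telemetry (not from the original post). pid 500 plays the
# unsigned Python-compiled binary; 501 is its osascript child; 600/601 are benign.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 501, "ppid": 500, "image": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'display dialog "MacOS wants to access the System Preferences" '
                'with title "System Preferences" with icon caution default answer "" with hidden answer\''},
    {"type": "exec", "pid": 601, "ppid": 600, "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display notification \"Build finished\"'"},
    {"type": "http", "pid": 500, "ppid": 1, "method": "POST", "user_agent": "python-requests/2.28.1",
     "content_type": "application/zip", "dst": "203.0.113.10"},
    {"type": "http", "pid": 600, "ppid": 1, "method": "GET", "user_agent": "Mozilla/5.0",
     "content_type": "text/html", "dst": "example.com"},
]

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_EVENTS):
        print(pid, finding)
```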
