MENU

Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
ANTI-CYBERCRIME GROUP
Camp BGen Rafael T Crame, Quezon City
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

ACG-CYBER SECURITY BULLETIN NR 290: New MacStealer macOS Malware Steals iCloud Keychain Data and Passwords

Reference Number ACG-CSB 022323290

        The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as Restricted pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

 

Researchers discovered a new MacOS info-stealer that extracts documents, cookies, and login data from infected devices. An information-stealing malware that targets Apple's macOS operating system is making the cyberrounds, siphoning off documents, iCloud keychain data-like passwords, browser cookies, and more from unwitting Apple users.

In its current form, MacStealer is designed to extract iCloud Keychain data, passwords and credit card information from browsers like Google Chrome, Mozilla Firefox, and Brave. It also features support for harvesting Microsoft Office files, images, archives, and Python scripts.

First advertised on online hacking forums for $100 at the start of the month, it is still a work in progress, with the malware authors planning to add features to capture data from Apple's Safari browser and the Notes app.

While most MaaS operations target Windows users, macOS isn't immune to such threats, so its users should remain vigilant and avoid downloading files from untrustworthy websites. The malware affects the Catalina version of macOS and subsequent versions that use Intel M1 and M2 CPUs. It also uses the encrypted Telegram messaging platform for command-and-control (C2), the researchers found.

This malware isn’t digitally signed, so will be blocked by Gatekeeper on most Macs and it appears to have been distributed via an app called Weed, with a marijuana icon. Users would need to manually install and run the app, and then enter the Mac password to grant it access to System Settings for it to work.

The exact method used to deliver the malware is not known, but it is propagated as a DMG file (weed.dmg) that, when executed, opens a fake password prompt to harvest the passwords under the guise of seeking access to the System Settings app.

MacStealer is one of several info-stealers that have surfaced just over the past few months and adds to an already large number of similar tools currently in the wild.

This also includes another piece of new C#-based malware called HookSpoofer that's inspired by StormKitty and comes with keylogging and clipper abilities and transmits the stolen data to a Telegram bot.

Another browser cookie-stealing malware of note is Ducktail, which also uses a Telegram bot to exfiltrate data and re-emerged in mid-February 2023 with improved tactics to sidestep detection.

Stealer malware is typically spread through different channels, including email attachments, bogus software downloads, and other social engineering techniques.

To mitigate such threats, it's recommended that users keep their operating system and security software up to date and avoid downloading files or clicking links from unknown sources.

RECOMMENDATION

The public are advised to follow these tips in order to avoid MacStealer macOS malware:

  • Only permit the installation of files from trusted sources that allow ‘App Store’ or ‘App store and identified developers.’
  • Never download files from fishy websites.
  • Keep your OS and security software up to date. Never miss a patch!
  • Don`t click links that come from unknown sources.
  • Don`t download files from unexpected, suspicious emails. You could be the victim of a phishing attack.

For additional information, please refer to the following websites:

  • https://malwaretips.com/blogs/remove-macaw-ransomware/
  • https://www.bleepingcomputer.com/news/security/new-macstealer-macos-malware-steals-passwords-from-icloud-keychain/
  • https://heimdalsecurity.com/blog/macstealer-macos-malware-steals-passwords-icloud/
  • https://www.darkreading.com/attacks-breaches/macstealer-malware-plucks-bushels-data-apple-users
  • https://9to5mac.com/2023/03/28/macstealer-malware/
  • https://www.uptycs.com/blog/macstealer-command-and-control-c2-malware
  • https://socprime.com/blog/macstealer-macos-malware-detection-novel-malicious-strain-steals-user-credentials-from-icloud-keychain/

POINT OF CONTACT

            Please contact PMAJ JUN-JUN S DAGURO Police Community Relations Officer thru e-mail address This email address is being protected from spambots. You need JavaScript enabled to view it. or contact us on telephone number (632) 723-0401 local 7483 for any inquiries related to this CYBER SECURITY BULLETIN.