New MacStealer malware steals iCloud Keychain data and passwords — how to stay safe
Published March 27, 2023
This info-stealing malware is still a work in progress but it’s already quite dangerous.
Macs are currently under attack from a new info-stealing malware capable of exfiltrating sensitive data stored in iCloud Keychain including passwords for your online attacks.
As reported by The Hacker News(opens in new tab), this new Mac malware has been dubbed MacStealer by researchers at the cybersecurity firm Uptycs who came across it while hunting for threats on the dark web.
While many of the best MacBooks are vulnerable, Uptycs notes in its report on the matter(opens in new tab) that Apple computers running macOS Catalina and later equipped with M1 and M2 chips are the most affected.
The MacStealer malware is still a work in progress but its creators have indicated on a hacking forum where they’ve been advertising it that they do want to add new features to the malware including the ability to capture data from Apple’s Safari browser as well as its Notes app.
Extracting sensitive data from infected Macs
At the moment, MacStealer is designed to extract iCloud Keychain data, passwords and credit card information from a variety of browsers including Google Chrome, Mozilla Firefox and Brave. However, the malware can also harvest Microsoft Office files, images, archives and Python scripts from infected Macs.
Surprisingly, it’s still unknown how the cybercriminals distributing this malware are getting it onto vulnerable Macs. Still, we do know that it arrives as a DMG file (weed.dmg) and could be sent to unsuspecting users via phishing emails or spread on fake websites.
When launched, the MacStealer malware opens a fake password prompt for users trying to gain access to the System Settings app. Instead of granting access to the app, the malware harvests their credentials.
Just like other recent Windows malware families, MacStealer uses the encrypted messaging app Telegram as a means to send stolen data back to a command and control (C&C) server operated by the hackers distributing this malware.
How to protect your Mac from malware
Although Macs were once thought to be safe from malware, those days have come and gone. As Apple’s computers have become more popular, they’ve become sought after by hackers and while still rare compared to Windows malware, malware targeting macOS has become much more prevalent.
For this reason, you want to make sure that your Mac is up to date and running the latest software. If you need help with this, check out our guide on how to update a Mac. While Apple’s Gatekeeper prevents malware from being launched and its Xprotect can help deal with a malware infection after the fact, you may still want some extra protection for your Apple computers. In this case, you might want to consider installing one of the best Mac antivirus software programs to run alongside Gatekeeper and Xprotect.
Since we don’t know exactly how MacStealer is being distributed at the moment, we all need to remain extra vigilant. As such, you want to avoid opening emails from unknown senders and downloading any attachments they may contain. Likewise, you shouldn’t click on any links without inspecting them first to see where they will take you.
As MacStealer is still in its early days, we’ll likely hear more about this new Mac malware, especially as its creators add new capabilities like stealing passwords and data from Safari and Apple’s Notes app.