Threat Research Report Team

MacStealer: New MacOS-based Stealer Malware Identified

Written by Shilpesh Trivedi | Mar 24, 2023 7:33:45 PM

Research by Shilpesh Trivedi and Pratik Jeware

 

Uptycs has already identified three Windows-based malware families that use Telegram this year, including Titan Stealer, Parallax RAT, and HookSpoofer. Attackers are increasingly turning to it, particularly for stealer command and control (C2).

 

And now the Uptycs threat research team has discovered a macOS stealer that also controls its operations over Telegram. We’ve dubbed it MacStealer.

 

The threat actor who is distributing this stealer was discovered by the Uptycs threat intelligence team during our dark web hunting. The stealer can extract documents, cookies from a victim's browser, and login information. It affects Catalina and subsequent macOS versions riding on Intel M1 and M2 CPUs.

Figure 1: Threat actor advertisement on the dark web

 

MacStealer Features

The stealer exhibits the following capabilities:

  • Collect the passwords, cookies, and credit card data from Firefox, Google Chrome, and Brave browsers
  • Extract files (".txt", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".jpg", ".png", ".csv", ".bmp", ".mp3", ".zip", ".rar", ".py", ".db")
  • Extract KeyChain database (base64 encoded)

Figure 2: Threat actor selling MacStealer for $100/build

Malware Operation

Figure 3 shows the the stealer's operational behavior.

Figure 3: Malware operation [click to enlarge]

 

Technical Analysis

Shown in figure 4, the Mach-O file is not digitally signed.

Figure 4: Unsigned Mach-O file

 

The Mach-O file is compiled from Python code (figures 5 and 6).

Figure 5: Python library dependencies

 

Figure 6: Python API imports

 

The bad actor uses a .DMG file to spread the malware. After a user executes the file, it opens a fake password prompt to gather passwords using the following command line.

osascript -e display dialog "MacOS wants to access the System Preferences," with title "System Preferences" with icon caution default answer "" with hidden answer

Figure 7: Fake password prompt

 

Once the user enters their login credentials, the stealer gathers data as described in the MacStealer's features section. It stores it in the following system directory.

 

“/var/folders/{name}/{randomname}/T/{randomname}/files/{different folders}"

 

The stealer then ZIPs up the data and sends it to C2 via a POST request using a Python User-Agent request (figures 8 and 9). It deletes the data and ZIP file from the victim’s system during a subsequent mop-up operation.

Figure 8: Stealer collecting data [click to enlarge]

 

Figure 9: Sending a POST request

 

Figure 10: Sending archive file

 

Simultaneously, the stealer transmits selected information to the listed Telegram channels.

  • Telegram channel:

Figure 11: Sending basic information to the Telegram public channel

 

Once it has sent the compiled ZIP file to the C2, the latter shares the file with a threat actor's personal Telegram bot (figure 12).

  • Telegram bot:

Figure 12: Sending ZIP file to private Telegram bot

 

Figure 13 shows the exfiltrated files.

Figure 13: Exfiltrated ZIP file content

 

Uptycs EDR Detection

Uptycs EDR—armed with YARA process scanning, advanced detections, and the ability to correlate process file, process, and socket events—successfully detects the many tactics, techniques, and procedures (TTPs) carried out by the stealer.

 

Additionally, Uptycs EDR contextual detection provides additional details about the detected malware. You can navigate to the toolkit data section of the detection alert, then click a name to learn about its behavior (figure 14).

Figure 14: Uptycs event detection for MacStealer

 

IOCs

Name/Type

Indicator

weed.dmg

9b17aee4c8a5c6e069fbb123578410c0a7f44b438a4c988be2b65ab4296cff5e

MACH-O

6a4f8b65a568a779801b72bce215036bea298e2c08ec54906bb3ebbe5c16c712

C2 URL

hxxp[:]//mac[.]cracked23[.]site/uploadLog

C2 domain

mac[.]cracked23[.]site

C2 IP

89[.]116[.]236[.]26

Telegram 1

hxxps[:]//t[.]me/macos_stealer_2023

Telegram 2

hxxps[:]//t[.]me/macos_logsbot

Domain/URLs

By looking at the VirusTotal graph, the Uptycs research team concluded that more MacStealer samples have been spreading recently. Each file communicates using the same domain (mac[.]cracked23[.]site).

Figure 15: VirusTotal graph for macOS stealer

Related Hashes

SHA256 Hash

e51416f12f8c60e7593bef8b9fc55e04990aa047ad7e8abc22b511e7eb7586f6

1b5ef101ac0b3c0c98874546ec4277e6a926c36733ab824cece9212373559818

f14dd83e60b8ca6d52e667ed85adafa9b849df33e428b005b05b7c6732de526a

977cf1a74467e72b7fd9434bebd9e171a45b520ade960771b31f3bd5e9e4a5aa

5031aa79912fb23bcbe2209e015974fccb4b9e9334a9e8801833f07bd3a5ccfc

15d1afca780e2ea6ffec8c4862a3401e003b5e79ce5f9076b4eea4ab599bc4ce

821ecdae151ed78eb4792d40a7787127927900a763f3249b31f37d7b67b5e1e5

df71b5c99052b63de167f9c22b3cf6ded513ed6d1e1c74eff7af8cf9e4692714

1153fca0b395b3f219a6ec7ecfc33f522e7b8fc6676ecb1e40d1827f43ad22be

e01eec798a326a1e0beb767cdd0f185e19361871de82e23568042e9fc6128bb6

acef9f3f215335462e2e2e4bacbe6c52e48e764e7174fe46966e29902f6a1890

d61666b49ef700cbd59c744bf5fca2e850be55a52f415102cf3ea1c1c2db18d4

2abc380ad22c47db0035df1f0e6e00a7fabcb5d4afd913e2474478ea11ea6a63

7eed5a8f486aaba3948307f165a636df83857ab6cea21b8fd5e0ff758bb134b3

>61f3cd0a7c8191745080aa7b2e0695c3a57327f1f226d9fc7a4be3cee14a2375

1b0684ab02071f8bb03967866596efcea92a48e49f8b1013a6301653f7687e74

 

Observation

As per the malware distributor’s dark web forum post, they’ll be adding these feature updates to the stealer (figure 16).

Figure 16: Planned feature updates for MacStealer

 

The Uptycs threat research team ran a detailed investigation to better understand the functions and objectives of the actor modules. We found the distributor has a mass production order for MacStealer from other threat actors, thus the malware is likely to be spread more widely.

 

Conclusion

This article's summary covers the actions of this new stealer—including the utilities used in its attack kill chain. Notably, these malware programs affect a victim's computer running the latest version of macOS. A miscreant uses Telegram as a command and control platform to exfiltrate victims' sensitive data.

 

Uptycs recommends the following measures and actions:

  • Keep your Mac systems up-to-date with the latest updates and patches
  • Only permit the installation of files from trusted sources that allow ‘App Store’ or ‘App store and identified developers.’