MacStealer macOS Malware Detection: Novel Malicious Strain Steals User Credentials from iCloud KeyChain

Heads up! A novel infostealer is making a splash in the cyber threat arena targeting macOS users. Cybersecurity researchers have observed a novel MacStealer macOS malware that steals user credentials and other sensitive data stored in the iCloud KeyChain, web browsers, and crypto wallets. 

Detecting MacStealer MacOS Malware

Being yet another infostealing malware surfacing in the cybercriminal arena within the latest month, MacStealer gains popularity on the underground forums due to its relatively low price and broad malicious capabilities. To tune up security protections against novel malware strains, security practitioners need a reliable source of detection content to spot possible attacks at the earliest stages of development. 

SOC Prime’s Detection as Code platform serves a dedicated Sigma rule by our seasoned Threat Bounty developer Mustafa Gurkan KARAKAYA to detect possible MacStealer infections.

Suspicious MacStealer Malware Exfiltration Web Traffic (via proxy)

The rule above detects POST requests made by MacStealer malware to URI paths known to be associated with Command and Control servers utilized by MacStealer for the exfiltration of zip files of stolen data. The detection is compatible with 18 SIEM, EDR, and XDR platforms and mapped to MITRE ATT&CK® framework v12 addressing Exfiltration tactics, with Exfiltration Over C2 Channel (T1041) as main technique. 

Threat Hunters and Detection Engineers eager to hone their Sigma and ATT&CK skills and help others defend against emerging threats can tap into the SOC Prime Threat Bounty Program. By joining this crowdsourcing initiative, cybersecurity experts can write their own Sigma rules mapped to ATT&CK, share them with the global cyber defender community, and receive recurring payouts for contributions.

To instantly reach a set of Sigma rules detecting info-stealing malware families, hit the Explore Detections button below. Drill down the comprehensive cyber threat context, including MITRE ATT&CK references, threat intelligence, executable binaries, and mitigations for streamlined threat research.

Explore Detections

MacStealer Attack Chain Analysis

Security researchers observe a growing number of malware-as-a-service (MaaS) deals based on this revenue model, with threat actors enriching their adversary toolkit and enhancing offensive capabilities. The MaaS revenue model has gained momentum over the last couple of years, contributing to the massive distribution of different malware strains, like Eternity malware and RedLine Stealer.

In March 2023, another infostelaing malware dubbed MacStealer and spread using the MaaS model came to the cyber threat arena. MacStealer macOS malware can grab user passwords, cookies, and credit card details from popular web browsers and the iCloud KeyChain database, as well as extract multiple types of files to steal sensitive data. 

According to the report by Uptycs cybersecurity researchers who revealed the novel malware strain, the MacStealer infostealing malware can affect macOS Catalina and successive software versions that run on Intel M1 and M2 CPUs.

Threat actors distribute MacStealer via a .dmg file. Once executed, the latter applies a fraudulent password prompt to collect user credentials by leveraging a specific command-line operation. As soon as the victim provides their login credentials, MacStealer steals the compromised data and stores it in the system directory. After archiving the stolen user data, the malware sends it to the C2 server using a POST request and afterward removes the data along with the corresponding ZIP file. The remote C2 server also shares the ZIP file with the pre-configured Telegram bot used by hackers enabling them to exfiltrate the data retrieved from the compromised system.

With the growing volumes of MaaS-distributed malware strains targeting Windows, Linux, and macOS users, cyber defenders are looking for relevant detection content that can be instantly available and applied across multiple security solutions helping organizations overcome SIEM migration challenges. SOC Prime’s platform-agnostic and multi-cloud approach enables security teams to reduce development time and optimize migration costs by leveraging Uncoder AI, the AI-assisted tool for advanced detection engineering. Unleash the power of AI to write flawless detection code and convert it to 27+ SIEM, EDR, and XDR solutions on the fly.