Malware

MacStealer: Mac Trojan malware steals passwords, wallets, and files

Posted on by

MacStealer is one of three new Mac-infecting malware families that came to light in March (the others being FakeGPT and SmoothOperator).

Let’s take a look at what MacStealer does, who’s behind the campaign, and how you can avoid or clean up an infection.

What should I know about MacStealer?

MacStealer is new commercial Mac malware being sold on the dark web by its supposed developer. It was first advertised in February and was discovered by security researchers in March. Its primary purpose is to allow an attacker to gather and exfiltrate sensitive data from a victim’s computer.

One main type of data that MacStealer targets is the victim’s passwords. It attempts to extract passwords from the macOS Keychain, as well as saved passwords in Brave, Google Chrome, and Mozilla Firefox browsers. Additionally, it will attempt to steal Web sites’ session cookies, as well as saved credit card data, and cryptocurrency wallets from these browsers.

MacStealer also collects and exfiltrates documents with a variety of filename extensions, including those associated with Microsoft Office, plain text, PDF, graphics and photos, MP3 music, archives, and other file formats.

Why does MacStealer collect cookies?

Although cookies might seem like a strange thing to collect, it’s important to understand that the exfiltration of stay-logged-in cookies can give the malware distributor direct access to the victim’s accounts, just as if the malware distributor knew the victim’s username, password, and two-factor authentication method—but without all that trouble.

This is because most Web sites rely on users staying logged in indefinitely, often for the user’s convenience. But sites like Google and Facebook have a vested interest in using stay-logged-in cookies, because it allows these companies to track where else users go on the Internet, which can then be used to push more relevant ads to the user.

The problem is, if bad guys can get ahold of those same cookies and put them on another computer in their control, they will be logged in exactly as though they are that user. This allows the attacker to do just about anything the victim would be able to do with their own accounts.

Another malware family that surfaced in March, namely FakeGPT browser extension malware, was specifically designed to steal Facebook cookies to facilitate account takeovers.

FakeGPT: Trojanized ChatGPT Chrome extensions hijack Facebook accounts

How do MacStealer-based Trojans work?

When a victim runs a Trojan horse app based on MacStealer, they are prompted to enter their password into a fake dialog box that loosely mimics a macOS system message. After entering their password, the malware goes about its business of collecting data from the system uninhibited.

After the data has been collected, it is exfiltrated to an attacker-controlled Web server as well as to an attacker-controlled bot using the secure messaging service Telegram.

How can one remove or prevent MacStealer and other Mac malware?

Intego X9 software boxes

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate this malware.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on a wide range of Mac hardware and operating systems, including the latest Apple silicon Macs running macOS Ventura.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from PC malware.

Note: Intego customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected from this threat. It is best to upgrade to the latest versions of VirusBarrier and macOS, if possible, to ensure your Mac gets all the latest security updates from Apple.

How can I learn more?

For additional technical information about MacStealer malware, you can refer to the detailed write-up by Shilpesh Trivedi of Uptycs.

We discussed MacStealer on episode 285 of the Intego Mac Podcast:

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →