Jamf Blog
March 30, 2023 by Jamf Threat Labs

MacStealer malware: A growing threat to macOS users

MacStealer has been discovered and linked to a threat actor distributing it in the wild. The malicious code extracts a variety of files, browser cookies, and login information from a victim's system. It also collects private and sensitive end-user data, such as credit card information, from popular web browsers. Learn more about this new macOS malware variant and how Jamf Protect safeguards your devices, users and data from this emerging threat.

As cybersecurity threats continue to evolve, a new macOS malware called MacStealer has emerged, posing a significant risk to users. This malicious software, discovered by the Uptycs threat research team, is capable of extracting sensitive data, documents and login credentials from macOS systems. It uses Telegram for its command and control operations. In this blog post, we will provide an overview of MacStealer, how it works and how Jamf Protect ensures your macOS devices are protected against this threat.

Threat: MacStealer

A new macOS malware variant, dubbed MacStealer, has been discovered and linked to a threat actor distributing the malicious code via the dark web. This stealer can extract a variety of files, browser cookies, and login information from a victim's system. It also has the ability to collect passwords, cookies and credit card data from popular browsers like Firefox, Google Chrome and Brave.

Affects:

MacStealer targets macOS systems running Catalina and subsequent versions on Intel, M1 and M2 CPUs. It is expected to become more widespread due to its high demand among threat actors.

Prevented by:

Jamf Protect threat prevention blocks the execution of MacStealer, effectively safeguarding your macOS devices from this malicious software. It is essential to keep your Mac systems up to date with the latest updates and patches and to only install files from trusted sources.

Malicious URLs:

MacStealer communicates with its command and control servers via Telegram channels, using the popular messaging platform, known for its privacy protections, as its operations channel.

Conclusion

MacStealer is a growing threat to macOS users and it's crucial to stay informed about the latest cybersecurity risks. Jamf Protect ensures your macOS devices are protected against this malware, allowing you to maintain the security of your systems. Keep your Mac devices updated with the latest patches and exercise caution when installing files from untrusted sources to minimize the risk of falling victim to MacStealer and other cyber threats.

IOCs (as discovered by Uptycs)

SHA1 Hashes:

C2 URL:

hxxp[:]//mac[.]cracked23[.]site/uploadLog

C2 domain:

mac[.]cracked23[.]site

Telegram channels:

hxxps[:]//t[.]me/macos_stealer_2023

hxxps[:]//t[.]me/macos_logsbot
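The network indicators above are published in defanged form (hxxp, [:], [.]) so they cannot be clicked by accident. The script below is an added example, not Jamf's or Uptycs' code: it refangs the four indicators from this post and matches them against constructed proxy and DNS log lines (the log format and the host names other than the IOCs are assumptions). Two details matter for a defender using them: the C2 domain should match its subdomains but not unrelated domains that merely contain the same string, and the two Telegram channels must be matched as full URLs, because t.me on its own is ordinary Telegram traffic and would flood a detection with false positives.

```python
import re

# The network indicators published in the post, kept in their defanged form
DEFANGED_IOCS = [
    "hxxp[:]//mac[.]cracked23[.]site/uploadLog",   # C2 URL
    "mac[.]cracked23[.]site",                      # C2 domain
    "hxxps[:]//t[.]me/macos_stealer_2023",          # Telegram channel
    "hxxps[:]//t[.]me/macos_logsbot",               # Telegram channel
]


def refang(ioc: str) -> str:
    """Undo the defanging so the indicator can be compared with real log data."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


_IOC_RE = re.compile(r"^(?:https?://)?([^/]+)(/.*)?$")


def classify(ioc: str):
    """Return ('url', refanged_lowercased) for indicators that carry a path,
    or ('host', hostname) for bare domains. Telegram channel URLs have to be
    matched as full URLs: the t.me host by itself is normal Telegram traffic."""
    r = refang(ioc)
    m = _IOC_RE.match(r)
    host, path = m.group(1).lower(), m.group(2)
    if path and path != "/":
        return ("url", r.lower())
    return ("host", host)


# Assumed key=value log format: url=... on proxy lines, query=... on DNS lines
_URL_FIELD = re.compile(r"\burl=(\S+)")
_HOST_FIELDS = re.compile(r"\b(?:query|dest|url)=(?:https?://)?([^\s/:]+)")


def find_matches(log_lines, iocs=DEFANGED_IOCS):
    """Map the index of each matching log line to the defanged IOCs it matched."""
    hits = {}
    for idx, line in enumerate(log_lines):
        matched = set()
        url_field = _URL_FIELD.search(line)
        logged_url = url_field.group(1).lower() if url_field else None
        logged_hosts = {h.lower() for h in _HOST_FIELDS.findall(line)}
        for ioc in iocs:
            kind, value = classify(ioc)
            if kind == "url" and logged_url is not None:
                # exact URL, or the same URL with a further path or query appended
                if (logged_url == value
                        or logged_url.startswith(value + "/")
                        or logged_url.startswith(value + "?")):
                    matched.add(ioc)
            elif kind == "host":
                # the domain itself or any subdomain of it; a domain that merely
                # contains the string (e.g. cracked23.example.com) does not match
                if any(h == value or h.endswith("." + value) for h in logged_hosts):
                    matched.add(ioc)
        if matched:
            hits[idx] = sorted(matched)
    return hits


# Constructed sample log lines for illustration; not real telemetry
SAMPLE_LOGS = [
    "2023-03-30T10:01:02Z host=mac-01 dns query=api.apple.com type=A",
    "2023-03-30T10:02:15Z host=mac-02 proxy method=POST url=http://mac.cracked23.site/uploadLog status=200",
    "2023-03-30T10:03:44Z host=mac-03 dns query=t.me type=A",
    "2023-03-30T10:04:09Z host=mac-04 proxy method=GET url=https://t.me/macos_logsbot status=200",
    "2023-03-30T10:05:00Z host=mac-05 dns query=cracked23.example.com type=A",
]

if __name__ == "__main__":
    for idx, indicators in find_matches(SAMPLE_LOGS).items():
        print(f"line {idx}: {SAMPLE_LOGS[idx]}")
        for ioc in indicators:
            print(f"    matched {ioc}")
```

Run against the constructed lines, only the POST to the C2 upload endpoint and the visit to the macos_logsbot channel are reported; the bare t.me lookup and the look-alike cracked23.example.com query are left alone. Matches on these indicators are worth a containment workflow rather than an alert alone, since the stealer has already collected data by the time it uploads.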

Don't wait until an incident occurs to look into getting the best-of-breed endpoint security for Apple.

Try out Jamf Protect and start securing your devices, users and data today...they'll all thank you for it!

Jamf Threat Labs
Jamf
Jamf Threat Labs is a global team of experienced threat researchers, cybersecurity experts and data scientists with skills that span penetration testing, network monitoring, malware research and app risk assessment. Jamf Threat Labs primarily monitors and explores emerging threats affecting Mac and mobile devices. The team’s research is published with the aim of raising awareness of specific threats while also improving awareness and advocacy of security practices to protect the modern workforce.