Security researchers have found a new piece of malware named “MacStealer” that is designed to extract sensitive data from Macs, including passwords and credit-card information stored in the keychain and in the Chrome browser. The malware is particularly interested in cryptocurrency wallets and also collects a long list of document types. It is distributed unsigned, so the victim has to run it themselves and then fall for a dialog that claims to need the login password in order to access the system settings. According to the screenshots, the program is called “Weed.” The seller warns that MacStealer is still a beta and that further customization options will follow later.
The Uptycs threat research team found that the malware is offered as a service on dark-web hacking forums for $100. It is said to work on all recent macOS versions up to macOS 13 Ventura, on both Intel and Apple Silicon (ARM) Macs. It is the first Mac stealer found to use Telegram as its command-and-control channel, although several Windows malware samples using Telegram have already been found this year.
With the captured password the malware can open the login keychain and read data from other browsers, but it cannot yet steal Safari’s password database or the iCloud keychain; according to the seller, support for those is still being worked on. Mac users are advised to keep their software up to date and to download software only from trusted sources.
In screenshots documented by Uptycs, the seller explains that the tool is being offered cheaply because one of the programmers got infected with Covid and another “scammer” is trying to sell the malware for a lot of money. Nevertheless, numerous orders for the malware have reportedly been received, and it can be expected to spread further. Users should stay alert and not fall for dialogs that unexpectedly ask for the login password.
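MacStealer ships unsigned, and the advice above is to run only software from trusted sources. The following is an added example, not code from the original article or from any of the researchers it cites, that checks a downloaded app bundle or Mach-O binary for a valid code signature and a passing Gatekeeper assessment before it is launched, and prints the signing authority so it can be compared against the expected vendor. It relies on Apple’s `codesign` and `spctl` tools, so it only produces a verdict on macOS; the function name `assess_app` and its exit codes are conventions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original article): verify that a downloaded
# macOS app bundle or binary carries a valid code signature and passes
# Gatekeeper's assessment before running it. MacStealer was distributed
# unsigned, so an unsigned or rejected artifact is a warning sign.
# Requires macOS (codesign and spctl are Apple tools); elsewhere the
# function reports that the tooling is unavailable.
#
# Exit codes returned by assess_app (convention for this example):
#   0  signature verifies and Gatekeeper accepts the artifact
#   1  unsigned, tampered, or rejected by Gatekeeper
#   2  the path does not exist
#   3  codesign/spctl are not available on this system

assess_app() {
    target="$1"
    if [ ! -e "$target" ]; then
        echo "no such path: $target" >&2
        return 2
    fi
    if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
        echo "codesign/spctl not found; run this on macOS" >&2
        return 3
    fi
    # --strict rejects invalid or missing signatures; --deep walks nested
    # bundles (helpers, frameworks) inside an .app.
    if ! codesign --verify --deep --strict "$target" 2>/dev/null; then
        echo "REJECT: $target has no valid code signature" >&2
        return 1
    fi
    # Gatekeeper assessment: Developer ID-signed and notarized apps are
    # accepted; ad-hoc or unsigned ones are rejected.
    if ! spctl --assess --type execute "$target" 2>/dev/null; then
        echo "REJECT: Gatekeeper does not accept $target" >&2
        return 1
    fi
    # Show who signed it so the user can compare with the expected vendor.
    codesign -dv --verbose=2 "$target" 2>&1 | grep -E '^(Authority|TeamIdentifier)=' || true
    return 0
}

# Usage: sh check_app.sh /path/to/Downloaded.app
if [ -n "$1" ]; then
    assess_app "$1"
    exit $?
fi
```

Run it against the mounted DMG’s `.app` (or the extracted binary) before double-clicking anything. A return code of 1 means the artifact is unsigned or fails Gatekeeper, which is exactly the profile of the sample described above; a trusted vendor’s app should return 0 and print an `Authority=Developer ID Application: …` line matching that vendor.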