MacStealer was discovered by the security team at Uptycs, a company specializing in cybersecurity solutions. According to the Uptycs report, MacStealer is a malicious program that uses Telegram as a command and control (C2) platform to steal data.
It can steal passwords, cookies and credit card data from browsers such as Firefox, Google Chrome and Brave. It can also extract various types of files, including txt, doc, jpg and zip. The malware can additionally access Keychain, the protected area of macOS where user account passwords are stored.
MacStealer primarily affects macOS Catalina and later running on M1 and M2 CPUs. The malicious file was advertised on hacker forums in early March 2023 and has been receiving improvements from its creators, who have developed ways for the malware to also collect passwords, Safari cookies and notes.
The malware disguises itself as a DMG file (weed.dmg) which, when executed, opens a fake password prompt. The prompt tries to trick the user into entering their system password, thereby giving the malware access to settings and sensitive data.
After gathering the stolen data, MacStealer compresses it into a zip file and sends it to the malware operator, then deletes the stolen information from the machine to hide its tracks. That is when the final transaction takes place, between the person behind the malware and the individual who hired it.
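As an added illustration (not code from the article or from the Uptycs report), the following Python sketch shows how a defender might correlate the behaviour chain described above in endpoint telemetry: an app launched from a mounted DMG, a password prompt, a zip archive written, and an outbound connection to Telegram. The event fields, the sample events and the api.telegram.org host are assumptions for this example.

```python
# Added example: correlate the MacStealer-style chain in constructed telemetry.
# Event field names and the Telegram host are assumptions, not indicators from the article.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    ts: int       # seconds since epoch (constructed)
    pid: int      # process id of the originating process
    kind: str     # "exec", "prompt", "file_write" or "net_connect"
    detail: str   # executable path, dialog kind, written file path or destination host


def is_dmg_launch(e: Event) -> bool:
    # Apps opened from a mounted disk image run from a path under /Volumes/
    return e.kind == "exec" and e.detail.startswith("/Volumes/")


def correlate(events: List[Event], window: int = 600) -> Optional[dict]:
    """Return a finding when a process launched from a DMG shows, within `window`
    seconds, a password prompt, a zip write and a connection to a telegram.org host."""
    events = sorted(events, key=lambda e: e.ts)
    for launch in (e for e in events if is_dmg_launch(e)):
        later = [e for e in events
                 if e.pid == launch.pid and launch.ts <= e.ts <= launch.ts + window]
        prompt = any(e.kind == "prompt" for e in later)
        zipped = any(e.kind == "file_write" and e.detail.endswith(".zip") for e in later)
        telegram = any(e.kind == "net_connect" and e.detail.endswith("telegram.org") for e in later)
        if prompt and zipped and telegram:
            return {"pid": launch.pid, "image": launch.detail,
                    "indicators": ["dmg_launch", "password_prompt", "zip_staging", "telegram_c2"]}
    return None


# Constructed sample telemetry mirroring the chain described in the article.
SAMPLE = [
    Event(1000, 501, "exec", "/Volumes/weed/weed.app/Contents/MacOS/weed"),
    Event(1002, 501, "prompt", "password dialog"),
    Event(1030, 501, "file_write", "/tmp/stage.zip"),
    Event(1031, 501, "net_connect", "api.telegram.org"),
    # A normal app talking to Telegram on its own must not trigger the rule.
    Event(1005, 777, "exec", "/Applications/Safari.app/Contents/MacOS/Safari"),
    Event(1006, 777, "net_connect", "api.telegram.org"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

The rule only fires when all four stages come from the same process, so a legitimate Telegram client or an ordinary zip archive on its own does not produce a finding.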
The best way to protect yourself is to keep your devices up to date with the security updates Apple provides. It is also important not to install apps from outside the App Store and to avoid entering your password into apps or prompts you do not trust.
It is also recommended to use a reputable antivirus product and to back up your data regularly. This way, you can help prevent your information from being stolen or lost to MacStealer or other malware.
