A new info-stealer, named MacStealer, is targeting Apple's Catalina and subsequent macOS versions running on Intel, M1, and M2 CPUs. The malware is still under development; however, it is already capable of exfiltrating iCloud Keychain data, passwords, and credit card information stored in browsers such as Brave, Google Chrome, and Mozilla Firefox.

Promoting the MaaS model

  • MacStealer was first discovered on online hacking forums earlier this month, where the malware author advertised the pre-built DMG payloads as a MaaS without panels or builders.
  • The post promoting the malware promises to add features to capture data from Apple's Safari browser and the Notes app.
  • It is designed to harvest Microsoft Office files, images, archives, browser cookies, login information, and Python scripts.
  • It can infect Catalina (10.15) up to the latest version of Ventura (13.2).
  • Additionally, the post claims to compromise cryptocurrency wallets such as Coinomi, Exodus, MetaMask, Phantom, Tron, Martian Wallet, Trust wallet, Keplr, and Binance.

How is it delivered?

  • According to Uptycs researchers, the malware is propagated as a DMG file (weed[.]dmg) that the victim is tricked into opening and executing on their macOS system.
  • Upon execution, the file opens a fake password prompt that pretends to request access to the System Settings app, in order to harvest the user's password.
  • The malware stores the stolen data in a ZIP file and uses Telegram as its C2 platform to exfiltrate it.
  • MacStealer then sends some basic information to a pre-configured Telegram channel, which notifies the operator about the theft.
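The two delivery traits described above, an executable run straight from a mounted DMG and a non-Telegram process talking to the Telegram Bot API, can be turned into a simple hunting check over host telemetry. The following is an added example, not code from the Uptycs report or from Cyware; the event record format, the sample events, and the executable path under /Volumes are constructed for illustration, and the Telegram API host name is assumed from public documentation.

```python
"""Hunt for MacStealer-style behaviour in constructed host telemetry.

Heuristics:
  1. a process whose executable lives under /Volumes (i.e. it is being run
     directly from a mounted disk image rather than from /Applications)
  2. a process other than the Telegram client connecting to api.telegram.org
Both together is a strong signal; either alone is worth a closer look.
"""
from dataclasses import dataclass

TELEGRAM_API_HOSTS = {"api.telegram.org"}      # assumed Bot API endpoint
KNOWN_TELEGRAM_CLIENTS = {"Telegram"}          # apps legitimately expected to reach it


@dataclass
class Event:
    pid: int
    process: str    # executable name
    path: str       # full path of the executable
    dest_host: str  # remote host for network events, "" otherwise


def launched_from_dmg(path: str) -> bool:
    """DMGs mount under /Volumes; installed software normally runs from elsewhere."""
    return path.startswith("/Volumes/")


def telegram_c2_candidate(ev: Event) -> bool:
    """Telegram API traffic from anything but the real Telegram client."""
    return ev.dest_host in TELEGRAM_API_HOSTS and ev.process not in KNOWN_TELEGRAM_CLIENTS


def score_events(events):
    """Return {pid: set_of_reasons} for every process that trips a heuristic."""
    findings: dict[int, set[str]] = {}
    for ev in events:
        reasons = findings.setdefault(ev.pid, set())
        if launched_from_dmg(ev.path):
            reasons.add("run_from_dmg")
        if telegram_c2_candidate(ev):
            reasons.add("telegram_api_from_unexpected_process")
    return {pid: r for pid, r in findings.items() if r}


# Constructed sample telemetry: one benign Telegram client, one benign browser,
# and one process run from a mounted image that also reaches the Telegram API.
SAMPLE = [
    Event(101, "Telegram", "/Applications/Telegram.app/Contents/MacOS/Telegram", "api.telegram.org"),
    Event(202, "weed", "/Volumes/weed/weed", ""),                  # placeholder path
    Event(202, "weed", "/Volumes/weed/weed", "api.telegram.org"),  # placeholder path
    Event(303, "Safari", "/Applications/Safari.app/Contents/MacOS/Safari", "example.com"),
]

if __name__ == "__main__":
    for pid, reasons in score_events(SAMPLE).items():
        print(pid, sorted(reasons))
```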

Wrapping up

MacStealer is a relatively new info-stealer, yet its ability to target the latest version of macOS and its use of Telegram for C2 communications make it a threat worth keeping an eye on. To stay protected, Apple users are advised to remain vigilant against such emerging threats and to keep their MacBooks and desktop software up to date.
Cyware Publisher