New macOS Infostealer Promises Rapid Data Theft, Advertised on the Dark Web


Rising Threat: New macOS Infostealer Malware Emerges

A new entrant has surfaced in the macOS malware scene. The infostealer, dubbed Mac.c, has quickly gained traction in the underground malware-as-a-service (MaaS) market. Developed by an actor known as “mentalpositive,” Mac.c is modeled on the well-known Atomic macOS Stealer (AMOS) and is built for fast data extraction with a small footprint.

How Mac.c Operates

Mac.c relies on native macOS components such as AppleScript (run through osascript) and standard system APIs rather than bundled third-party tooling, so its activity blends in with ordinary user and system processes and is less likely to trip conventional endpoint detection and response (EDR) rules that key on known malicious binaries. Fewer external dependencies also mean fewer distinctive artifacts for scanners to catch. It is delivered inside trojanized installers posing as ordinary applications, frequently cracked versions of popular software such as Adobe products.

The Development Journey of Mac.c

Recent observations from Moonlock Lab show that mentalpositive has taken an unusually transparent approach to developing Mac.c, posting code snippets, updates, and feature additions on dark web forums over several months. The openness appears intended to build a customer base and establish credibility in the macOS MaaS market.

Key Features of Mac.c

Notable additions include size optimizations that reduce the artifacts available to static analysis, a remote file grabber controlled from the operator's admin panel, and support for additional web browsers. Mac.c also ships a module dedicated to phishing Trezor hardware-wallet seed phrases. Each build is generated dynamically with its own obfuscation, so an XProtect signature written for one sample does not match the next.

Code analysis suggests ties to AMOS that are closer than mentalpositive acknowledges, pointing to code reuse or collaboration. Nevertheless, the developer professes a commitment to “fair business” to avoid conflict with established operators such as the AMOS team.

Attack Vectors and Techniques

Mac.c's attack chain typically starts with phishing. An initial payload hands off to a second stage that uses AppleScript to collect credentials. The malware targets sensitive data including:

  • iCloud Keychain entries
  • Passwords stored in popular browsers (Chrome, Edge, Brave, and Yandex)
  • Cryptocurrency wallet data from extensions such as MetaMask, Phantom, and Binance

Additionally, it scavenges system metadata and files located in predefined directories.

Deceptive Prompts

One of Mac.c's more alarming tactics is the fake system prompt. It can, for example, imitate a dialog from a game such as “Innocent Witches” to trick the user into typing their password. The captured password is written to disk in plaintext, where the operator can collect it with no further effort.

Stolen data is exfiltrated in stages to attacker-controlled servers, with particular emphasis on cryptocurrency assets. For cryptocurrency holders this is especially serious: Mac.c can enable rapid theft of digital assets, including NFTs and stablecoins, often before the victim notices anything.

Implications for the Cybersecurity Landscape

Mac.c's pricing significantly undercuts its competitors. At $1,500 per month, plus a one-time $1,000 fee for the Trezor phishing module, it puts sophisticated infostealer capabilities within reach of a wider range of threat actors. AMOS, by comparison, charges $3,000 per month, which positions Mac.c as the more accessible option for less-resourced actors.

Moonlock Lab confirms that Mac.c is operational: live samples have been caught on machines running its CleanMyMac software, under filenames such as Installer.dmg or Installer descrakeador adobe.dmg. These detections stopped the samples before they could do damage, but they show that distribution campaigns are active, most likely via malicious advertising and phishing.

The Cost of Popularity

Even though Mac.c's feature set is less extensive than AMOS's, its focus on speed and low cost has attracted a growing customer base among cybercriminals. That growth could disrupt the existing macOS infostealer hierarchy and create new rivalries, although mentalpositive's efforts to stay on good terms with peers suggest a preference for coexistence.

Moonlock Lab's analysis nevertheless underlines the need for stronger behavioral detection in macOS security tools. Signature-based detection alone is increasingly inadequate against threats that regenerate each build and operate through legitimate system tools.
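To make the behavioral-detection point concrete, here is an added example (not Moonlock Lab's code, and not anything from the Mac.c author) that scores the two behaviors described above: an osascript dialog that hides what the user types (the fake password prompt) and a process other than the owning browser reading a credential store such as the login keychain or Chrome's Login Data, with a higher severity when the same process does both. The event shape (pid, ppid, exe, argv, files_read) is an assumed normalized feed, not any specific EDR's schema, and the sample events are constructed for the demonstration.

```python
"""Behavioral triage of macOS process events for Mac.c-style activity.

Added example, not code from the article or from Moonlock Lab. The event
schema is assumed; the sample events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    exe: str                      # full path of the executable
    argv: List[str]               # command line
    files_read: List[str] = field(default_factory=list)


@dataclass
class Finding:
    severity: str                 # "medium" or "high"
    pid: int
    reason: str


# AppleScript that shows a dialog and masks the typed text: the building
# block of the fake password prompt.
HIDDEN_DIALOG = re.compile(r"display\s+dialog\b.*\bwith\s+hidden\s+answer", re.I | re.S)

# Credential stores the article lists as targets, paired with a fragment of
# the executable path that legitimately owns each one (assumption: only the
# browser itself, or securityd for the keychain, should open these directly).
CRED_STORES: List[Tuple[re.Pattern, Optional[str]]] = [
    (re.compile(r"/Library/Keychains/login\.keychain-db$"), "securityd"),
    (re.compile(r"/Google/Chrome/.*/Login Data$"), "Google Chrome.app"),
    (re.compile(r"/Microsoft Edge/.*/Login Data$"), "Microsoft Edge.app"),
    (re.compile(r"/BraveSoftware/Brave-Browser/.*/Login Data$"), "Brave Browser.app"),
    (re.compile(r"/Yandex/YandexBrowser/.*/Login Data$"), "Yandex.app"),
]


def hidden_password_prompt(ev: ProcEvent) -> bool:
    """True when osascript is asked to show a dialog with a hidden answer."""
    return ev.exe.endswith("/osascript") and bool(HIDDEN_DIALOG.search(" ".join(ev.argv)))


def foreign_store_reads(ev: ProcEvent) -> List[str]:
    """Credential-store paths this process read without being their owner."""
    hits = []
    for path in ev.files_read:
        for pattern, owner in CRED_STORES:
            if pattern.search(path) and (owner is None or owner not in ev.exe):
                hits.append(path)
    return hits


def triage(events: List[ProcEvent]) -> List[Finding]:
    """Score events individually, then correlate prompt and store access."""
    findings: List[Finding] = []
    prompt_actors = set()          # processes that spawned a hidden-answer dialog
    reader_actors = set()          # processes that read a credential store (and their parents)
    for ev in events:
        if hidden_password_prompt(ev):
            findings.append(Finding("medium", ev.pid,
                                    "osascript dialog with hidden answer (password harvest prompt)"))
            prompt_actors.add(ev.ppid)
        hits = foreign_store_reads(ev)
        if hits:
            findings.append(Finding("medium", ev.pid,
                                    "non-owner read of credential store: " + ", ".join(hits)))
            reader_actors.update({ev.pid, ev.ppid})
    # A process that both solicited a password and touched credential stores
    # matches the chain the article describes; launchd (pid 1) is excluded.
    for actor in sorted(prompt_actors & reader_actors - {0, 1}):
        findings.append(Finding("high", actor,
                                "fake password prompt followed by credential-store access"))
    return findings


# Constructed sample feed: a browser reading its own store, a harmless
# osascript notification, and a trojanized "Installer" that reads stores and
# pops a game-themed password dialog (process names are invented).
SAMPLE_EVENTS = [
    ProcEvent(500, 1, "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", ["Google Chrome"],
              ["/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"]),
    ProcEvent(700, 1, "/usr/bin/osascript", ["osascript", "-e", 'display notification "Build finished"']),
    ProcEvent(600, 1, "/Volumes/Installer/Installer.app/Contents/MacOS/Installer", ["Installer"],
              ["/Users/alice/Library/Keychains/login.keychain-db",
               "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data",
               "/Users/alice/Library/Application Support/BraveSoftware/Brave-Browser/Default/Login Data"]),
    ProcEvent(601, 600, "/usr/bin/osascript", ["osascript", "-e",
              'display dialog "Innocent Witches requires your password to continue" '
              'default answer "" with hidden answer']),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid}: {f.reason}")
```

Run against the constructed feed, the browser's own read and the plain notification produce nothing, the installer's store reads and its child's hidden-answer dialog each produce a medium finding, and the correlation step raises the installer process to high. The rule keys on what the processes do (a masked dialog, a file open) rather than on any hash or string in the binary, which is why it survives the per-build obfuscation described earlier.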

Best Practices for macOS Users

For macOS users, caution with downloads and scrutiny of any system prompt that asks for a password are paramount, especially for anyone holding cryptocurrency. As Mac.c shows, lower barriers to entry and open development practices in the MaaS market are accelerating the spread of tailored malware, a growing threat to endpoint security across Apple devices.
