Emerging Threat: The Mac.c Malware on the Dark Web
The landscape of cyber threats continues to evolve, with the recent emergence of a macOS malware known as Mac.c making headlines. Marketed predominantly on darknet forums, this malware offers rapid data exfiltration capabilities for $1,500 a month, a troubling development for individual users and organizations alike.
Overview of Mac.c
Created by the threat actor known as mentalpositive, Mac.c is presented as a streamlined alternative to the established AMOS stealer. Its design focuses on capturing sensitive data such as user credentials, cryptocurrency wallets, and system metadata, all while minimizing its operational footprint. Initial analyses indicate that Mac.c effectively utilizes native macOS tools and APIs, allowing it to remain concealed and operate under the radar. This is particularly concerning given its potential impact on both enterprise environments and everyday consumers.
Rapid Deployment and Detection
Reports suggest that Mac.c is already active and spreading quickly. Detection efforts have identified the malware on the machines of various CleanMyMac users, highlighting its real-world ramifications. The marketing materials shared by mentalpositive emphasize key features of the malware, including its small binary size and advanced evasion techniques, making it appealing to a wide range of malicious actors.
Operators using Mac.c benefit from a user-friendly control panel that allows them to create unique builds, monitor infections, and manage campaigns through a dedicated web interface. This accessibility is likely to attract less experienced criminals looking to operate within the macOS malware domain.
Technical Insights: Design and Functionality
Moonlock analysts have drawn parallels between Mac.c and AMOS, noting that while Mac.c’s modular structure reflects that of its predecessor, it lacks some of AMOS’s more advanced features, such as automated keylogging and extensive wallet targeting.
Despite this, Mac.c’s overall design results in a more agile tool, which could cater to emerging criminals in the macOS ecosystem. A notable feature of Mac.c is its use of staged communication methods that rely on standard system utilities rather than bundled components. This is achieved by leveraging AppleScript and built-in command-line tools, thereby reducing its external dependencies and minimizing the traces left for forensic investigators.
Data Exfiltration Methods
Mac.c initiates its data theft by spawning an AppleScript process to extract sensitive Keychain entries. Following this, the stolen data is compressed and dispatched via encrypted HTTPS channels to servers controlled by the attackers. The meticulous craftsmanship involved in this data exfiltration method not only enhances stealth but also successfully bypasses many conventional endpoint defenses.
Reports have indicated that Mac.c has been found in real macOS environments. CleanMyMac telemetry has detected multiple variants of the malware, such as Installer.dmg and Installer(1).dmg, with one masquerading as a cracked Adobe installer—Installer descrakeador adobe.dmg.
Infection Mechanism and Persistence
The infection process for Mac.c typically begins with the distribution of a phishing email or through malvertising tactics. This leads unsuspecting users to download what seems to be a harmless macOS installer. Once executed, the malware embeds a launch agent into the user’s Library directory, ensuring its persistence across system reboots.
Here’s how it accomplishes this:
```xml
<?xml version="1.0" encoding="UTF-8"?>
```
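The launch-agent persistence described above is something defenders can check for directly. The following triage script is an added example, not code from the article or from the malware: it parses LaunchAgent plists from the user's Library directory (the standard ~/Library/LaunchAgents location is assumed) and flags agents that start a script host such as osascript or sh with inline arguments, point at hidden or user-writable paths, or combine RunAtLoad with KeepAlive. The two embedded plists are constructed samples for offline testing, not Mac.c's real launch agent.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Executable locations a legitimately installed launch agent rarely uses.
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/", "/Downloads/")
# Interpreters abused to run inline scripts from a launch agent (osascript runs AppleScript).
SCRIPT_HOSTS = {"osascript", "sh", "bash", "zsh", "python3"}

def triage_launch_agent(plist_bytes):
    """Return the reasons a LaunchAgent plist looks suspicious; [] means nothing flagged."""
    try:
        agent = plistlib.loads(plist_bytes)
    except Exception as exc:  # plistlib.InvalidFileException or an XML parse error
        return [f"unparseable plist: {exc}"]
    args = agent.get("ProgramArguments") or ([agent["Program"]] if "Program" in agent else [])
    if not args:
        return ["no Program/ProgramArguments key"]
    reasons = []
    host = PurePosixPath(args[0]).name
    if host in SCRIPT_HOSTS and len(args) > 1:
        reasons.append(f"script host {host} launched with inline arguments")
    for arg in args:
        if any(d in arg for d in SUSPICIOUS_DIRS):
            reasons.append(f"path in temporary or user-writable dir: {arg}")
        if any(part.startswith(".") for part in PurePosixPath(arg).parts[1:]):
            reasons.append(f"hidden path component: {arg}")
    if agent.get("RunAtLoad") and (agent.get("KeepAlive") or "StartInterval" in agent):
        reasons.append("RunAtLoad combined with KeepAlive/StartInterval")
    return reasons

def scan_launch_agents(directory=Path.home() / "Library" / "LaunchAgents"):
    """Triage every .plist in a LaunchAgents folder; returns {filename: reasons} for flagged ones."""
    return {p.name: r for p in Path(directory).glob("*.plist") if (r := triage_launch_agent(p.read_bytes()))}

# Constructed samples for offline testing; neither is Mac.c's real launch agent.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.sync</string>
<key>ProgramArguments</key><array><string>/Applications/Sync.app/Contents/MacOS/sync</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
<string>/Users/Shared/.cache/agent</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, triage_launch_agent(sample))
    print(scan_launch_agents())  # live scan of the current user's LaunchAgents folder
```

Any flagged entry is a lead for manual review, not a verdict: legitimate updaters occasionally use a script host too, so confirm the target binary's signature and origin before removing it.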
Once installed, the malware uses AppleScript to harvest items from the Keychain and credentials stored in browsers such as Chrome, Edge, Brave, and Yandex. By abusing legitimate scripting interfaces, Mac.c keeps a low profile while stealing large amounts of data, solidifying its position as a formidable threat in the macOS malware landscape.
As cyber threats like Mac.c continue to develop, it’s crucial for users and organizations to remain vigilant, adopt robust security measures, and stay informed about emerging risks.