Current Cyber Threats

A New, Cheaper Mac Stealer Is Quickly Spreading on the Dark Web

Summary:
A new macOS stealer, dubbed “Mac.c,” is gaining popularity on cybercriminal dark-web forums, offering lightning-fast data exfiltration for a price tag of $1500 per month. Developed by a threat actor known as “mentalpositive,” Mac.c is a stripped-down version of the notorious AMOS stealer and is designed for quick, high-impact data heists. According to researchers at Moonlock, who uncovered details of the new infostealer, Mac.c uses macOS’s own tools and scripts, specifically AppleScript, to identify and steal victim information from targeted systems. This includes:
  • iCloud Keychain credentials
  • Browser-stored passwords
  • Crypto wallet data
  • System metadata
  • Even files from specific locations on macOS
Mentalpositive has been actively developing Mac.c, regularly posting updates to the stealer along the way. Based on the developer’s latest posts, Mac.c is capable of bypassing XProtect, the built-in macOS antivirus that detects and removes malware. The developer has also expanded the list of supported browsers, incorporated a remote file grabber into the malware admin panel, and introduced a module for phishing Trezor seed phrases, which can be purchased for a one-time price tag of $1,000.

“Features and integrations that the black hat hacker revealed included the ability of Mac.c to replace the original Ledger Live app, how he reduced the binary size of the file (for quicker downloads and potentially fewer detectable artifacts through static analysis), and the optimization of the administrative panel used by operators (those who buy the malware for use in attacks). On the operators’ panel, buyers can generate malware builds, track infections (including successful and failed attempts), and manage other campaign details,” note MoonLock researchers in their new blog post.

Security Officer Comments:
While Mac.c supports fewer features than AMOS, its lightweight design and its ability to efficiently steal and exfiltrate data while bypassing defenses make it an attractive tool for adversaries. Moreover, the low purchase cost could open the door for less sophisticated and skilled actors to weaponize the stealer in attacks targeting macOS environments. According to MoonLock researchers, Mac.c is already being employed in attacks in the wild. Like other info-stealer infections, Mac.c is likely distributed via phishing emails, compromising end users who unsuspectingly click on malicious links or attachments. Upon execution, Mac.c uses native tools like AppleScript to scan for known crypto wallets and pull local storage files or session artifacts, effectively stealing cryptocurrency funds. The malware then proceeds to steal information such as login details and cookies from browsers like Chrome, Edge, Brave, and Yandex, which is exfiltrated to an attacker-controlled server. System credentials are also a target of interest; these are acquired through prompt messages impersonating video games.

“If you’re unlucky enough to become a victim, you might even get to see how Mac.c pretends to be a game. During the second-stage payload launch, the stealer will generate a fake system prompt that impersonates a game requesting permissions. This is when you will see a pop-up with a fake system message that asks you to enter your Mac password to allow the game Innocent Witches to save its files. It will store this password in a plaintext file and use it anytime it needs to steal more data from your Mac. Dangerously enough, it also does this without you ever knowing what is going on,” note MoonLock researchers.
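As an added detection example (not code from the Moonlock report or from Mac.c), the Python below triages constructed process-telemetry records for the behavior described above: a scripted dialog that asks for the Mac password through a masked input field, followed by the same parent process touching browser credential stores or the Keychain. The osascript/hidden-answer mechanism and the path fragments are assumptions made for illustration, not indicators taken from the report.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    ppid: int        # parent pid: ties the prompt to the data access that follows it
    process: str     # executable name as an EDR or Endpoint Security client reports it
    cmdline: str

# AppleScript dialog with a masked field whose text mentions a password. Assumption:
# the fake game prompt is raised via osascript; genuine macOS auth dialogs never are.
HIDDEN_ANSWER = re.compile(r"display\s+dialog\b.*?with\s+hidden\s+answer", re.I | re.S)
PASSWORD_TALK = re.compile(r"\b(password|passcode|passphrase|credential)s?\b", re.I)
# Stores the report says are targeted (browser logins, Keychain, wallets); the path
# fragments are illustrative assumptions, not indicators from the report.
SENSITIVE = ("Google/Chrome", "Microsoft Edge", "BraveSoftware", "Yandex/YandexBrowser",
             "Library/Keychains", "Exodus", "Electrum")

def classify(ev):
    """Tag one event, or return None when it is unremarkable."""
    if (ev.process == "osascript" and HIDDEN_ANSWER.search(ev.cmdline)
            and PASSWORD_TALK.search(ev.cmdline)):
        return "credential_prompt"
    if any(frag in ev.cmdline for frag in SENSITIVE):
        return "sensitive_access"
    return None

def triage(events):
    """Group tags by parent pid; a parent that both prompts and reads stores is escalated."""
    by_parent = {}
    for ev in events:
        tag = classify(ev)
        if tag:
            by_parent.setdefault(ev.ppid, set()).add(tag)
    alerts = []
    for ppid, tags in sorted(by_parent.items()):
        sev = ("high" if tags == {"credential_prompt", "sensitive_access"}
               else "medium" if "credential_prompt" in tags else "low")
        alerts.append({"ppid": ppid, "tags": sorted(tags), "severity": sev})
    return alerts

# Constructed sample telemetry (not real captures); pid 501 is the stealer's parent.
SAMPLE = [
    ProcEvent(501, "osascript", 'osascript -e \'display dialog "Innocent Witches needs your '
              'Mac password to save its files" default answer "" with hidden answer\''),
    ProcEvent(501, "cp", 'cp "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data" /tmp/.x'),
    ProcEvent(501, "cp", 'cp -R "/Users/alice/Library/Keychains" /tmp/.x'),
    ProcEvent(742, "osascript", 'osascript -e \'display dialog "Backup finished" buttons {"OK"}\''),
]
```

Running `triage(SAMPLE)` yields a single high-severity alert for parent 501, while the benign osascript dialog under parent 742 produces nothing.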

Suggested Corrections:
  1. Download only from trusted sources: Stick to the App Store or verified developer sites.
  2. Be wary of phishing links: Don’t click on suspicious emails, ads, or pop-ups.
  3. Use security software: Tools like CleanMyMac and other anti-malware can flag threats early.
  4. Keep macOS updated: Regular system updates can patch security gaps.
  5. Protect your crypto: Store wallets on hardware devices or secure apps, not just in browsers.
Link(s):
https://moonlock.com/new-mac-stealer-spreading