Scary ‘MacStealer’ malware goes after iCloud passwords and credit card data

Security researchers have published a report detailing the arrival of new malware that goes after sensitive data that’s stored on your Mac, including passwords and credit card data. According to the security team at Uptycs, the “MacStealer” malware can attack Macs running macOS Catalina or later, with either Intel or Apple M-series chips.

Uptycs found that MacStealer can get passwords, cookies, and credit card data from Firefox, Google Chrome, and Microsoft Brave browsers. It can extract several different file types, including, .txt, .doc, .jpg, and .zip, and it can extract the KeyChain database. According to information Uptycs gathered from the dark web, MacStealer’s makers are working on the ability to harvest Safari passwords and cookies, as well as data in the Notes app.

“The bad actor uses a .DMG file to spread the malware. After a user executes the file, it opens a fake password prompt to gather passwords using the following command line,” according to Uptycs’ report. MacStealer appears to propagate through a “weed.dmg” executable file. When the “weed” app launches, a pop-up appears, stating that “MacOS wants to access the System Preferences” and a box below that is for the user to enter the account password.

After that, MacStealer goes to work, gathering the data, compressing it as a Zip file, sending it to the MacStealer maker, and then deleting the stolen data to hide its tracks. The maker then hands the data off to whoever contracted MacStealer.

Uptycs found MacStealer through “dark web hunting,” where the maker posted about MacStealer’s abilities and its availability to bad actors for $100 per build. It’s unknown how the “weed.dmg” is distributed by the bad actor, but the DMG file only needs to be launched for a Mac to be infected.

It’s unclear if MacStealer has been logged in the CVE.report database that tracks vulnerabilities and exposures, and Apple has not commented on the malware. Apple released updates for macOS Big Sur, Monterey, and Ventura on Monday, but based on the security notes, those updates do not appear to include patches for MacStealer.

Still, Apple releases security patches through OS updates, so it’s a good idea to keep your Mac up to date. When you need to download software, get it from trusted sources, such as the App Store (which makes security checks of its software). Also, check out our guide to the best antivirus software for Mac.