Our malware articles typically concern either Android or Windows, but Apple users occasionally have to deal with malicious software of their own. For instance, the Moonlock Lab cybersecurity team recently discovered a macOS malware strain that can easily evade detection.
As the researchers explain, the infection chain begins when a Mac user visits a site in search of pirated software. On the site, they might download a file titled CleanMyMacCrack.dmg, believing that the file is a cracked version of the Mac cleaning software, CleanMyMac. After launching that DMG file on their computer, a Mach-O file is executed, which downloads an AppleScript capable of stealing sensitive information from the Mac.
Here’s everything the malware can do once it infects a macOS computer:
- Collects and stores the Mac owner’s username
- Sets up temporary directories to store stolen data before exfiltration
- Extracts browsing history, cookies, saved passwords, and more from browsers
- Identifies and accesses common directories containing cryptocurrency wallets
- Copies macOS keychain data, Apple Notes data, and cookies from Safari
- Gathers general user information, system details, and metadata
- Exfiltrates all the stolen data to threat actors
Moonlock claims that the macOS malware appears to be linked to well-known Russian-speaking threat actor Rodrigo4. The hacker was reportedly seen on the XSS underground forum recruiting other hackers to help distribute his stealer through SEO manipulation and ads.
If you want to avoid this macOS malware from infecting your computer, Moonlock recommends only downloading software from trusted sources, keeping your operating system and all of your apps updated, and using security software you trust.