Throughout 2023, the ReliaQuest Threat Research Team has observed significant enhancements in the capabilities of information stealers (infostealers) that target the macOS operating system. Infostealers have become increasingly popular malware among cybercriminals: they collect credentials, cookies, and other data from a compromised system and send it to an attacker. They often operate under a malware-as-a-service (MaaS) model, in which the infostealer’s creator licenses it to other parties. This significantly lowers the barrier to entry for less technically sophisticated threat actors.
With these points in mind, we’ve compiled a list of five significant macOS infostealers that you should familiarize yourself with.
The “XLoader” macOS stealer is an evolution of “Formbook,” an older, Windows-based counterpart. When XLoader first appeared in June 2021, it was advertised for $49 on cybercriminal forums. Early iterations of XLoader targeted Windows and were delivered as compiled binaries or JAR files via spoofed emails carrying malicious Microsoft Office documents. The JAR delivery route requires a local Java Runtime Environment, which macOS does not ship by default, significantly limiting XLoader’s scope for attacks.
In August 2023, security researchers discovered an updated version of XLoader in the wild. This version targets macOS and is bundled inside a DMG file masquerading as a legitimate productivity application named OfficeNote. Samples of the updated infostealer carried a valid Apple developer signature, which Apple has since revoked.
Once installed, the stealer attempts to collect clipboard data and to extract user credentials from the Mozilla Firefox and Google Chrome browsers. At the time of writing, ReliaQuest has observed this version of XLoader advertised on cybercriminal forums for as little as $199 per month.
According to an advertisement on a prominent Russian-language cybercriminal forum, “Atomic Stealer” can exfiltrate credentials and financial or cryptocurrency-related information. It was first advertised for sale on Telegram on April 9, 2023, and has since been advertised on forums for $1,000 per month.
Once a target clicks a malicious link or visits a website hosting Atomic Stealer, the initial payload is downloaded as a DMG installer file. Atomic Stealer then attempts to obtain the user’s account password by presenting a fake dialog box, created with osascript, that asks the user to enter their macOS password so that “System Preferences” can proceed. The dialog uses AppleScript’s “hidden answer” parameter to appear legitimate: dots appear in place of the typed characters, but the cleartext password is still returned to the calling script. Each password entered is then passed to /usr/bin/dscl with the authonly option to check whether it is correct.
The /usr/bin/dscl utility is the macOS Directory Service command-line tool, used to create, read, and manage directory service data. Its authonly option verifies the password of a named user against the local directory. If the password is incorrect, the password-prompt dialog box will continue to pop up until the correct user and password combination is supplied. An example of the prompt command is as follows (quoting shown as osascript expects it).
osascript -e 'display dialog "MacOS wants to access System Preferences. Please enter your password." with title "System Preferences" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns" default answer "" giving up after 30 with hidden answer'
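The pairing just described, an osascript “display dialog … with hidden answer” followed by dscl authonly from the same parent process, is what a detection engineer would key on. The following is an added example, not ReliaQuest or GreyMatter code: it runs over a constructed list of process-execution events in an osquery- or Endpoint-Security-like shape. The field names (ts, pid, ppid, parent_path, path, cmdline), the trusted-parent list, and the correlation window are assumptions to be mapped onto your own telemetry.

```python
"""Detect a spoofed macOS password prompt validated with dscl authonly."""
import re
from collections import defaultdict

# Hallmarks of the fake credential dialog: an AppleScript 'display dialog'
# with a masked text field ('hidden answer') and password-themed wording.
DIALOG_RE = re.compile(r"display dialog", re.IGNORECASE)
HIDDEN_RE = re.compile(r"hidden answer", re.IGNORECASE)
THEME_RE = re.compile(r"password|system (preferences|settings)", re.IGNORECASE)

# dscl's authonly option validates a local account password; the stealer
# uses it to loop the dialog until the victim types the correct one.
AUTHONLY_RE = re.compile(r"(^|\s)-?authonly(\s|$)")

# Parents for which such a prompt is expected (assumption: tune per fleet).
TRUSTED_PARENTS = {
    "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow",
}

# A password check this soon after the dialog is the stealer validating input.
CORRELATION_WINDOW_S = 120.0

# Constructed sample telemetry: an app run from ~/Downloads shows the dialog
# twice (first guess wrong), validating each entry with dscl; a Terminal user
# runs a harmless osascript notification that must not be flagged.
MALWARE = "/Users/alice/Downloads/Setup.app/Contents/MacOS/Setup"
TERMINAL = "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
PROMPT_CMD = (
    'osascript -e \'display dialog "MacOS wants to access System Preferences. '
    'Please enter your password." with title "System Preferences" '
    'default answer "" giving up after 30 with hidden answer\''
)
SAMPLE_EVENTS = [
    {"ts": 100.0, "pid": 501, "ppid": 4242, "parent_path": MALWARE,
     "path": "/usr/bin/osascript", "cmdline": PROMPT_CMD},
    {"ts": 105.0, "pid": 502, "ppid": 4242, "parent_path": MALWARE,
     "path": "/usr/bin/dscl", "cmdline": "dscl . -authonly alice Wr0ngGuess"},
    {"ts": 106.0, "pid": 503, "ppid": 4242, "parent_path": MALWARE,
     "path": "/usr/bin/osascript", "cmdline": PROMPT_CMD},
    {"ts": 110.0, "pid": 504, "ppid": 4242, "parent_path": MALWARE,
     "path": "/usr/bin/dscl", "cmdline": "dscl . -authonly alice C0rrectPass"},
    {"ts": 120.0, "pid": 601, "ppid": 3000, "parent_path": TERMINAL,
     "path": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display notification \"build done\"'"},
]


def is_spoofed_prompt(event):
    cmd = event.get("cmdline", "")
    return (event["path"].endswith("/osascript")
            and bool(DIALOG_RE.search(cmd))
            and bool(HIDDEN_RE.search(cmd))
            and bool(THEME_RE.search(cmd)))


def is_authonly_check(event):
    return (event["path"].endswith("/dscl")
            and AUTHONLY_RE.search(event.get("cmdline", "")) is not None)


def detect(events):
    """One finding per suspicious prompt; severity is 'high' when the same
    parent runs dscl authonly inside the window, 'medium' otherwise."""
    by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_parent[ev["ppid"]].append(ev)

    findings = []
    for ppid, evs in by_parent.items():
        checks = [e for e in evs if is_authonly_check(e)]
        for prompt in (e for e in evs if is_spoofed_prompt(e)):
            parent = prompt.get("parent_path", "")
            if parent in TRUSTED_PARENTS:
                continue
            followed = [c for c in checks
                        if 0 <= c["ts"] - prompt["ts"] <= CORRELATION_WINDOW_S]
            findings.append({
                "ppid": ppid, "parent_path": parent, "prompt_pid": prompt["pid"],
                "authonly_attempts": len(followed),
                "severity": "high" if followed else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input this yields two high-severity findings for parent 4242 (the first prompt is followed by two authonly checks, the second by one) and nothing for the Terminal notification. Because dscl authonly takes the candidate password on the command line, the same telemetry that fires this rule also exposes the victim’s password; treat those records accordingly.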
Prior to exfiltration, the stealer compiles the collected information into a ZIP archive and base64-encodes it. In every sample we observed, all communications were directed to amos-malware[.]ru/sendlog at the IP address 94.142.138.177 via an HTTP POST request over port 443. A copy of the archive is also sent to an attacker-controlled Telegram channel.
In addition to the account password, Atomic Stealer extracts information from Keychain, the macOS-native password manager, which stores credentials such as website logins, Wi-Fi passwords, and credit-card details. Atomic Stealer can also retrieve credentials and cookies from various browsers, including Mozilla Firefox, Brave, Google Chrome, and Microsoft Edge.
Atomic Stealer can also steal cryptocurrency wallet information. To target desktop wallets, the stealer application file queries directories associated with Electrum, Coinomi, Binance, Exodus, and Atomic. For web wallets, the stealer can extract data from a long list of cryptocurrency-wallet browser extensions, including Metamask, Oxygen, Auro, and Phantom.
First observed in March 2023, “MacStealer” targets macOS versions from Catalina (macOS 10.15) to Ventura (macOS 13), including releases running on Apple silicon (M1 and M2) CPUs. Threat actors have advertised MacStealer on cybercriminal forums for as little as $100. The low price reflects the initial release’s lack of a web-administration panel and builder; some infostealers are offered with a web-panel management feature, enabling the attacker to access and manipulate logs from the administration panel.
Like Atomic Stealer, MacStealer is initially downloaded as a DMG installer file that contains the malware’s APP bundle. MacStealer and Atomic Stealer differ in the browsers they support and in how they collect desktop files. MacStealer can only collect passwords, cookies, and credit-card information from the Firefox, Chrome, and Brave browsers, which it does by reading the credential stores in those browsers’ profile directories (the Chromium “Login Data” and “Cookies” databases, and Firefox’s logins.json and cookies.sqlite). MacStealer can also harvest popular file types associated with sensitive data, such as Microsoft Office files and archives, and unlike Atomic Stealer it is not limited to the Desktop and Documents folders. At the time of writing, MacStealer can extract files of the following types: TXT, DOC, DOCX, PDF, XLS, XLSX, PPT, PPTX, JPG, PNG, CSV, BMP, MP3, ZIP, RAR, PY, and DB.
MacStealer can also extract the Keychain database. In samples we observed, this was accomplished through the native “security” command. The “security” utility is used for administering keychains, keys, certificates, and the security framework. The following command is used to display the default keychain, which is typically mapped to the login.keychain-db database.
security default-keychain
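Both Atomic Stealer and MacStealer ultimately read the same on-disk credential stores: the Chromium and Firefox login and cookie databases, login.keychain-db, and desktop-wallet directories. A file-access rule that asks “is the process opening this store the application that owns it?” covers both. The following is an added example, not ReliaQuest code, run over a constructed list of file-open events of the form {"proc": executable path, "file": path opened}; the field names, the owner allow-list, and the wallet paths are assumptions to be checked against your own fleet.

```python
"""Flag reads of macOS credential stores by processes that do not own them."""
import fnmatch

# (glob relative to the user's home, executable prefixes allowed to read it, label)
STORES = [
    ("Library/Application Support/Google/Chrome/*/Login Data",
     ("/Applications/Google Chrome.app/",), "chrome-logins"),
    ("Library/Application Support/Google/Chrome/*/Cookies",
     ("/Applications/Google Chrome.app/",), "chrome-cookies"),
    ("Library/Application Support/BraveSoftware/Brave-Browser/*/Login Data",
     ("/Applications/Brave Browser.app/",), "brave-logins"),
    ("Library/Application Support/Microsoft Edge/*/Login Data",
     ("/Applications/Microsoft Edge.app/",), "edge-logins"),
    ("Library/Application Support/Firefox/Profiles/*/logins.json",
     ("/Applications/Firefox.app/",), "firefox-logins"),
    ("Library/Application Support/Firefox/Profiles/*/cookies.sqlite",
     ("/Applications/Firefox.app/",), "firefox-cookies"),
    ("Library/Application Support/Firefox/Profiles/*/key4.db",
     ("/Applications/Firefox.app/",), "firefox-keydb"),
    # securityd and the system apps are the normal readers; /usr/bin/security,
    # which MacStealer drives, is deliberately not allow-listed.
    ("Library/Keychains/login.keychain-db",
     ("/usr/sbin/securityd", "/System/"), "login-keychain"),
    # Wallet locations are assumptions for illustration.
    ("Library/Application Support/Exodus/exodus.wallet/*",
     ("/Applications/Exodus.app/",), "exodus-wallet"),
    (".electrum/wallets/*", ("/Applications/Electrum.app/",), "electrum-wallet"),
]


def home_relative(path):
    """'/Users/alice/Library/x' -> 'Library/x'; None outside a home directory."""
    parts = path.split("/")
    if len(parts) > 3 and parts[1] == "Users":
        return "/".join(parts[3:])
    return None


def classify(file_path):
    """Return (label, allowed_prefixes) if the path is a known credential store."""
    rel = home_relative(file_path)
    if rel is None:
        return None
    for pattern, owners, label in STORES:
        if fnmatch.fnmatchcase(rel, pattern):
            return label, owners
    return None


def detect(events):
    """One finding per store read by a process outside its owner's bundle."""
    findings = []
    for ev in events:
        hit = classify(ev["file"])
        if hit is None:
            continue
        label, owners = hit
        if not ev["proc"].startswith(owners):
            findings.append({"proc": ev["proc"], "file": ev["file"], "store": label})
    return findings


MALWARE = "/Users/alice/Downloads/Setup.app/Contents/MacOS/Setup"
SAMPLE_EVENTS = [  # constructed file-open telemetry
    {"proc": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
     "file": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"proc": MALWARE,
     "file": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"proc": MALWARE,
     "file": "/Users/alice/Library/Application Support/Firefox/Profiles/k2x9.default-release/logins.json"},
    {"proc": "/usr/bin/security",
     "file": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"proc": "/usr/sbin/securityd",
     "file": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"proc": MALWARE,
     "file": "/Users/alice/Library/Application Support/Exodus/exodus.wallet/seed.seco"},
    {"proc": MALWARE, "file": "/Users/alice/Documents/notes.txt"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The constructed input produces four findings (Chrome logins, Firefox logins, the login keychain via /usr/bin/security, and the Exodus wallet) while Chrome and securityd reading their own stores pass. Expect the keychain entry to need tuning: legitimate scripts call security(1) too, so in production gate that one on the parent process rather than suppressing it.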
MacStealer uses the native macOS osascript utility to masquerade as a legitimate system prompt and capture the user’s password. The malware compresses the collected data and exfiltrates it through its command-and-control (C2) infrastructure, often via Telegram channels and bots. In the samples we analyzed, collected data was staged in a directory matching the following convention:
/var/folders/}//T//files/
The data is then exfiltrated via a POST request to hxxp://mac.cracked23[.]site/uploadLog with a Python user-agent string.
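The two exfiltration paths described on this page share recognisable traits: Atomic Stealer POSTs a base64-encoded ZIP over plaintext HTTP on port 443 to a /sendlog endpoint, and MacStealer POSTs to /uploadLog with a Python user-agent. The scorer below is an added example, not ReliaQuest code; it runs over constructed proxy-log-style records whose field names and weights are assumptions, and whose sample hosts mirror the defanged indicators quoted above.

```python
"""Score outbound HTTP requests for macOS-stealer exfiltration traits."""
import base64
import binascii
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
LOG_UPLOAD_PATHS = ("/sendlog", "/uploadlog")        # endpoints seen in the samples
SCRIPTED_UA_PREFIXES = ("python-requests/", "python-urllib/")


def looks_like_zip(body):
    """True if the request body is a ZIP archive, raw or base64-encoded."""
    if body.startswith(ZIP_MAGIC):
        return True
    try:
        return base64.b64decode(body, validate=True).startswith(ZIP_MAGIC)
    except (binascii.Error, ValueError):
        return False


def score_request(rec):
    """Return (score, reasons). Weights are assumptions; tune to your data."""
    reasons = []
    # Plaintext HTTP on 443 is rare for legitimate clients and matches Atomic Stealer.
    if rec["method"] == "POST" and rec["port"] == 443 and not rec["tls"]:
        reasons.append(("plaintext HTTP POST on 443", 3))
    if looks_like_zip(rec["body"]):
        reasons.append(("ZIP archive in request body", 3))
    if rec["uri"].lower() in LOG_UPLOAD_PATHS:
        reasons.append(("log-upload endpoint name", 2))
    if rec["user_agent"].lower().startswith(SCRIPTED_UA_PREFIXES):
        reasons.append(("scripted Python client", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def detect(records, threshold=4):
    out = []
    for rec in records:
        score, reasons = score_request(rec)
        if score >= threshold:
            out.append({"host": rec["host"], "score": score, "reasons": reasons})
    return out


def make_zip(name, data):
    """Build a small in-memory ZIP standing in for a stolen-data archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


SAMPLE_RECORDS = [  # constructed; hosts kept defanged as in the text
    {"host": "amos-malware[.]ru", "port": 443, "tls": False, "method": "POST",
     "uri": "/sendlog", "user_agent": "Mozilla/5.0",
     "body": base64.b64encode(make_zip("Keychain.txt", b"..."))},
    {"host": "mac.cracked23[.]site", "port": 80, "tls": False, "method": "POST",
     "uri": "/uploadLog", "user_agent": "python-requests/2.31.0",
     "body": make_zip("files/Cookies", b"...")},
    {"host": "api.example.com", "port": 443, "tls": True, "method": "POST",
     "uri": "/v1/events", "user_agent": "Mozilla/5.0",
     "body": b'{"event": "login"}'},
    {"host": "ci.internal.example", "port": 443, "tls": True, "method": "POST",
     "uri": "/build", "user_agent": "python-requests/2.31.0",
     "body": b'{"job": 7}'},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(finding)
```

The two stealer-like records score 8 and 6 and are reported; the TLS JSON POST scores 0 and the internal python-requests call scores only 1, so a scripted user-agent on its own never fires. The body check is the part worth keeping even if the rest is rewritten: a base64 string that decodes to a PK header is a strong, content-based signal that does not depend on the C2 host staying the same.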
“ShadowVault” was discovered in June 2023 and has been advertised on prominent Russian-language cybercriminal forums for $500 per month. Its initially advertised capabilities include many of those featured in Atomic Stealer. After ShadowVault was first advertised, the initial advertiser of Atomic Stealer commented that the ShadowVault listing was a scam and had been copied from the “OSX” malware advertised previously. At the time of writing, we have observed no intelligence to corroborate that claim.
ShadowVault’s developers offer a build signed with a legitimate Apple Developer signature for an additional fee. Using a valid signature enables threat actors to mimic legitimate software. It may also allow the malware to bypass detections by security mechanisms while giving the user more confidence to interact with, and execute, the binary.
Discovered by researchers in July 2023, Realst is the newest of the stealers covered here and is written in Rust. The malware is packaged as PKG and DMG files masquerading as blockchain games, and attackers also distribute it through social engineering, contacting potential targets via social media to promote the fake games.
Like other macOS infostealers, Realst attempts to retrieve data from the Firefox, Chrome, Opera, Brave, and Vivaldi browsers. (As with many macOS infostealers, Safari is not targeted.) AppleScript spoofing is also used to harvest the user’s password via a fake prompt. Observed Realst samples refer to macOS 14 Sonoma, which was still only in beta at the time of writing, indicating a concerted development effort to target future macOS versions.
macOS environments have been perceived as relatively resistant to threats that commonly plague other widely used operating systems. However, as the prevalence of macOS grows within organizations globally, threat actors have begun to see it as a valuable target. ReliaQuest dark-web monitoring has revealed an extensive network of macOS-focused buyers and developers.
For example, a user of a high-profile cybercriminal forum offered $50,000 to a developer who could create a macOS stealer. They specified that it would also need to work as a conventional stealer targeting Windows and must be able to bypass Chromium alerts. We observed other evidence of interest in development aimed at bypassing Gatekeeper checks, obtaining Full Disk Access, and defeating other macOS security controls.
ReliaQuest recommends taking the following steps to minimize the threat of macOS infostealers:
At ReliaQuest, we understand the importance of staying one step ahead of the malicious threats that can impact your organization. That’s why our security operations platform, GreyMatter, uses advanced detection rules we’ve specifically designed to identify malware—including infostealers—and stop them in their tracks before the worst can happen.
GreyMatter automates the high-time, low-brain activities of your security teams, leaving them free to focus on strategic improvements to your security posture that can help you better defend against malware.
Get a live demo of our security operations platform, GreyMatter, and learn how you can improve visibility, reduce complexity, and manage risk in your organization.