Throughout 2023, the ReliaQuest Threat Research Team has observed significant enhancements in the capabilities of information stealers (infostealers) that target the macOS operating system. Infostealers have become increasingly popular malware for cybercriminals, capable of collating and distributing information from a targeted system to an attacker. They often operate within a malware-as-a-service (MaaS) model, with the infostealer’s creator licensing it for use to other parties. This significantly lowers the entry barrier for less technically sophisticated threat actors.  

macOS Infostealers: Bottom Line Up Front 

  • Over the past year, rapid development of malware-as-a-service information stealers (MaaS infostealers) has focused on macOS environments. This growing trend highlights an escalating demand for macOS-specific malware capabilities. 
  • Many macOS infostealers share similar techniques such as AppleScript spoofing, browser credential theft, and cryptowallet information theft in the browser and desktop.  
  • Organizations can and should take a number of steps applicable to this family of malware to mitigate the risk of macOS infostealers within their environment.

With these points in mind, we’ve compiled a list of five significant macOS infostealers that you should familiarize yourself with.  

Don’t Call It a Comeback: XLoader Revamps to Target macOS 

The “XLoader” macOS stealer is an evolution of “Formbook,” an older, Windows-based counterpart. When XLoader first appeared in June of 2021, it was advertised for $49 on cybercriminal forums. Early iterations of XLoader affected Windows OS. It was delivered as compiled binaries or JAR files via spoofed emails containing malicious Microsoft Office documents. Delivering JAR files requires a local Java Runtime Environment installation, significantly limiting XLoader’s scope for attacks.  

In August 2023, security researchers discovered an updated version of XLoader in the wild. This latest version targets macOS systems and is bundled inside a DMG file masquerading as a legitimate productivity application named OfficeNote. Samples of the updated infostealer showed a valid developer signature (which Apple has since revoked).   

Once installed, the stealer attempts to collect clipboard data and to extract user credentials from the Mozilla Firefox and Google Chrome browsers. At the time of writing, ReliaQuest has observed this version of XLoader being advertised on cybercriminal forums for as little as $199 per month. 

Crypto Enthusiasts Beware: Atomic Stealer 

According to an advertisement on a prominent Russian-language cybercriminal forum, “Atomic Stealer” can exfiltrate credentials and financial or cryptocurrency-related information. It was first advertised for sale on Telegram on April 9, 2023, and has since been advertised on forums for $1,000 per month.

Once a target clicks a compromised link or visits a malicious website hosting Atomic Stealer, the initial payload is downloaded as a DMG installer file. Atomic Stealer then attempts to gather the user’s system password by presenting the target with a fake dialog box, created using osascript, which prompts them to enter their macOS password to access System Preferences. This simple method uses the “hidden answer” parameter to appear more legitimate: dots appear in place of the cleartext password, but the password is still captured within system logs. Entering a password spawns /usr/bin/dscl with the authonly option to check whether the supplied password is correct.

The /usr/bin/dscl utility refers to the macOS Directory Service command-line utility, which is used to create, read, and manage directory service data. The authonly parameter is used to verify the password of a named user. If the password is incorrect, the password-prompt dialog box will continue to pop up until the correct user and password combination is supplied. An example command is as follows.

osascript -e 'display dialog "MacOS wants to access System Preferences Please enter your password." with title "System Preferences" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns" default answer "" giving up after 30 with hidden answer'
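An added detection example, not code from the original post or from any vendor tool: it correlates the two steps just described, an osascript dialog that uses "hidden answer" followed within a short window by dscl -authonly from the same parent process, over constructed process-execution events. The event shape, the 60-second window and the pid values are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of process-execution events (timestamp, pid, parent pid, command line),
# in the shape an EDR or Endpoint Security export might have. Not real telemetry.
EVENTS = [
    ("2023-09-01T10:00:01", 501, 480,
     "/usr/bin/osascript -e 'display dialog \"MacOS wants to access System Preferences "
     "Please enter your password.\" with title \"System Preferences\" default answer \"\" "
     "giving up after 30 with hidden answer'"),
    ("2023-09-01T10:00:09", 502, 480, "/usr/bin/dscl . -authonly jdoe"),   # wrong password, re-prompt
    ("2023-09-01T10:00:12", 503, 480, "/usr/bin/dscl . -authonly jdoe"),   # correct password
    ("2023-09-01T10:05:00", 600, 590, "/usr/bin/osascript -e 'display notification \"Build done\"'"),
    ("2023-09-01T10:20:00", 700, 690, "/usr/bin/dscl . -read /Users/jdoe"),
]

# A dialog that asks for input with the answer masked is the signature of the fake prompt;
# a directory-services password check from the same parent shortly afterwards confirms it.
PROMPT_RE = re.compile(r"display dialog.*\bhidden answer\b", re.IGNORECASE)
AUTHONLY_RE = re.compile(r"\bdscl\b.*\s-authonly\b")
WINDOW = timedelta(seconds=60)  # assumed correlation window

def find_spoofed_prompts(events, window=WINDOW):
    """Return (parent pid, prompt timestamp, number of -authonly checks) for every
    osascript hidden-answer dialog whose parent process also ran dscl -authonly
    within `window` after the prompt. A count above one means the victim was
    re-prompted, matching the retry-until-correct behaviour described above."""
    hits = []
    for ts, _pid, ppid, cmd in events:
        if "osascript" not in cmd or not PROMPT_RE.search(cmd):
            continue
        shown = datetime.fromisoformat(ts)
        checks = sum(
            1 for t, _, p, c in events
            if p == ppid and AUTHONLY_RE.search(c)
            and shown <= datetime.fromisoformat(t) <= shown + window
        )
        if checks:
            hits.append((ppid, ts, checks))
    return hits

if __name__ == "__main__":
    for ppid, ts, n in find_spoofed_prompts(EVENTS):
        print(f"suspect credential prompt: parent pid {ppid} at {ts}, {n} password check(s)")
```

A benign osascript notification and an ordinary dscl -read lookup in the sample are left alone; only the prompt-then-verify pair is reported.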

Prior to exfiltrating data, the stealer compiles the collected information and compresses it into a base64-encoded ZIP file. In every sample we observed, all communications were directed to amos-malware[.]ru/sendlog at the IP address 94.142.138.177 via an HTTP POST request over port 443. Data is also sent to the attacker-controlled Telegram channel along with this ZIP file.  

Figure 1: Atomic Stealer osascript spoofing password-prompt box

In addition to the system password, Atomic Stealer extracts information from the macOS-native password-management tool, Keychain. Keychain stores such credentials as website logins, Wi-Fi passwords, and credit-card details. In addition, Atomic Stealer can retrieve credential and cookie information from various browsers, including Mozilla Firefox, Brave, Google Chrome, and Microsoft Edge.  

Atomic Stealer can also steal cryptocurrency wallet information. To target desktop wallets, the stealer application file queries directories associated with Electrum, Coinomi, Binance, Exodus, and Atomic. For web wallets, the stealer can extract data from a long list of cryptocurrency-wallet browser extensions, including Metamask, Oxygen, Auro, and Phantom. 

The New Kid on the Block: MacStealer 

First observed in March 2023, “MacStealer” targets macOS versions Catalina (macOS 10) to Ventura (macOS 13), as well as subsequent macOS versions using Intel M1 and M2 CPUs. Threat actors have advertised MacStealer on cybercriminal forums for as little as $100. The low price reflects the initial release’s lack of a web-administration panel and builder; some infostealers are offered with a web-panel management feature, enabling the attacker to access and manipulate logs from the administration panel.

Like Atomic Stealer, MacStealer is initially downloaded as a DMG installer file that contains the malware’s APP file. MacStealer and Atomic Stealer differ in the browsers they support and their method of collecting desktop files. MacStealer can only collect passwords, cookies, and credit-card information from the Firefox, Chrome, and Brave browsers by querying file directories associated with those browsers (such as \Login Data, \Cookies, login.json, cookies.sqlite). MacStealer can harvest popular file types associated with sensitive data, such as Microsoft Office files and archives. However, unlike Atomic Stealer, MacStealer is not limited to the Desktop and Documents folders. At the time of writing, MacStealer can extract files of the following types: TXT, DOC, DOCX, PDF, XLS, XLSX, PPT, PPTX, JPG, PNG, CSV, BMP, MP3, ZIP, RAR, PY, and DB.

MacStealer can also extract the Keychain database. In samples we observed, this was accomplished through the native “security” command. The “security” utility is used for administering keychains, keys, certificates, and the security framework. The following command is used to display the default keychain, which is typically mapped to the login.keychain-db database.

security default-keychain 

MacStealer uses the native macOS osascript utility to masquerade as a legitimate system prompt, enabling it to gather a user’s password. The malware typically compresses and exfiltrates the collected data through its command-and-control (C2) infrastructure, often via Telegram channels and bots. In the samples we analyzed, collected data was placed within a directory matching the following convention:

/var/folders/}//T//files/ 

This is followed by the exfiltration of data via a POST request to hxxp://mac.cracked23[.]site/uploadLog using a Python user-agent.
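An added egress-detection example covering both exfiltration paths described in this post (Atomic Stealer's POST to /sendlog on a bare IP and the Telegram channel, and MacStealer's POST to /uploadLog with a Python user-agent); it is not code from the original post or from any vendor tool. The proxy log format, the client addresses, the Telegram token placeholder and the allowlist of hosts where a Python client is expected are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed egress-proxy log lines (time, client, method, URL, status, bytes sent, user-agent).
# Hosts and paths come from the samples discussed above; the Telegram token is a placeholder.
PROXY_LOG = """\
2023-09-01T10:01:03 10.1.2.34 POST https://94.142.138.177:443/sendlog 200 183422 "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5)"
2023-09-01T10:01:04 10.1.2.34 POST https://api.telegram.org/botTOKEN-PLACEHOLDER/sendDocument 200 183901 "curl/8.1.2"
2023-09-01T11:15:20 10.1.2.57 POST http://mac.cracked23.site/uploadLog 200 90211 "python-requests/2.31.0"
2023-09-01T11:16:00 10.1.2.57 GET https://www.apple.com/ 200 512 "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5)"
2023-09-01T11:20:00 10.1.2.80 POST https://pypi.org/simple/ 200 1024 "python-requests/2.31.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) "([^"]*)"$')
EXFIL_PATHS = {"/sendlog", "/uploadLog"}           # upload endpoints seen in the samples above
TELEGRAM_BOT_RE = re.compile(r"^/bot[^/]+/send")   # Bot API upload, the other channel described
PY_UA_ALLOWLIST = {"pypi.org", "files.pythonhosted.org"}  # assumed benign Python clients (placeholder)

def parse(line):
    """Split one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, nbytes, ua = m.groups()
    u = urlsplit(url)
    return {"ts": ts, "client": client, "method": method, "host": u.hostname or "",
            "path": u.path, "bytes": int(nbytes), "ua": ua}

def classify(rec):
    """Reasons a request resembles stealer exfiltration; empty when it looks benign."""
    reasons = []
    if rec["method"] != "POST":
        return reasons
    if rec["path"] in EXFIL_PATHS:
        reasons.append("known-exfil-path")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", rec["host"]):
        reasons.append("post-to-bare-ip")
    if rec["host"] == "api.telegram.org" and TELEGRAM_BOT_RE.match(rec["path"]):
        reasons.append("telegram-bot-upload")
    if rec["ua"].lower().startswith("python") and rec["host"] not in PY_UA_ALLOWLIST:
        reasons.append("python-user-agent")
    return reasons

def scan(log):
    """Return (client, host, reasons) for every flagged request in the log."""
    flagged = []
    for rec in filter(None, map(parse, log.splitlines())):
        reasons = classify(rec)
        if reasons:
            flagged.append((rec["client"], rec["host"], tuple(reasons)))
    return flagged
```

Two weak signals (a bare-IP destination, a Python user-agent) are reported alongside the known paths so that renamed endpoints still surface; the allowlist is what keeps package installs from being flagged.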

Lurking in the Dark: ShadowVault 

“ShadowVault” was discovered in June 2023 and has been advertised on prominent Russian-language cybercriminal forums for $500 per month. Its initially advertised capabilities include many of those featured in Atomic Stealer. After ShadowVault was first advertised, the initial advertiser of Atomic Stealer commented that the ShadowVault listing was a scam and had been copied from the “OSX” malware advertised previously. At the time of writing, we have observed no intelligence to corroborate that claim.  

ShadowVault’s developers offer a build signed with a legitimate Apple Developer signature for an additional fee. Using a valid signature enables threat actors to mimic legitimate software. It may also allow the malware to bypass detections by security mechanisms while giving the user more confidence to interact with, and execute, the binary. 

A Master of Obfuscation: Realst Stealer 

Discovered by researchers in July 2023, Realst is the latest macOS infostealer written in Rust. The malware is packaged as PKG and DMG files masquerading as blockchain games. Social-engineering methods are also used for distribution, with attackers contacting potential targets via social media to advertise the fake games.  

Like other macOS infostealers, Realst attempts to retrieve data from the Firefox, Chrome, Opera, Brave, and Vivaldi browsers. (As with many macOS infostealers, Safari is not targeted.) AppleScript spoofing techniques are also used to harvest the user’s password via a fake prompt. Observed Realst samples refer to macOS 14 Sonoma (still only in beta release), which indicates concentrated efforts in development to target future macOS versions. 

Figure 2: Functionality of MacOS Stealers

Defending Against MacOS Infostealers 

macOS environments have been perceived as relatively resistant to threats that commonly plague other widely used operating systems. However, as the prevalence of macOS grows within organizations globally, threat actors have begun to see it as a valuable target. ReliaQuest dark-web monitoring has revealed an extensive network of macOS-focused buyers and developers. 

For example, a user of a high-profile cybercriminal forum offered $50,000 to a developer who could create a macOS stealer. They specified that it would need to also work as a conventional stealer targeting Windows and must be able to bypass Chromium alerts. We observed other evidence of interest in development to enable Gatekeeper checks to be bypassed and to enable Full Disk Access and other macOS security controls.   

ReliaQuest recommends taking the following steps to minimize the threat of MacOS infostealers: 

  • Restrict application downloads to only trusted sources, such as Apple’s App Store, and enforce the use of macOS Gatekeeper. 
  • Deploy Endpoint Detection and Response (EDR) software to ensure detection and prevention of malicious threats. 
  • Prevent users from accessing malicious websites by using appropriate web-filter policies or firewall rules. 
  • Use multifactor authentication wherever possible. 
  • Consistently provide user training to raise awareness of current social-engineering techniques or active campaigns that may target the organization. 
  • Regularly update the operating system and software in use (e.g., browsers, security appliances). 

At ReliaQuest, we understand the importance of staying one step ahead of the malicious threats that can impact your organization. That’s why our security operations platform, GreyMatter, uses advanced detection rules we’ve specifically designed to identify malware—including infostealers—and stop them in their tracks before the worst can happen. 

GreyMatter automates the high-time, low-brain activities of your security teams, leaving them free to focus on strategic improvements to your security posture that can help you better defend against malware.