SecureMac, Inc.

MacStealer Mac malware: a new threat for macOS

April 19, 2023

MacStealer Mac malware is a new macOS malware variant that uses the Telegram chat app for command and control.

MacStealer is a recently discovered macOS malware variant. In this post, we’ll tell you what MacStealer is, how it works, and how to stay safe.

What is MacStealer Mac malware?

MacStealer was discovered by security researchers at Uptycs, a cloud security analytics firm. The researchers provided a technical analysis of the malware in their recent blog post—well worth reading for the more technically inclined! For the “highlights only” version, here are four key points to remember about MacStealer:

  • The impact of MacStealer is potentially high because it can steal passwords and financial information, Keychain data, and several different file types. 
  • MacStealer targets all modern Macs and versions of macOS. The researchers say it affects macOS versions from macOS 10 (Catalina) to macOS 13 (Ventura), on both Intel and Apple silicon (M1 and M2) Macs.
  • The malware authors are selling versions of MacStealer on hacker forums for as little as $100, meaning there is a low barrier to entry for would-be threat actors.
  • The bad guys are using malicious .DMG files to spread MacStealer. If a user runs the .DMG, they are shown a fake password prompt. If they then enter their password, it’s game over.

Interestingly, MacStealer uses the Telegram chat app—a messaging application like Signal or WhatsApp—for command and control (C2), sending stolen data to the cybercriminals via the app. According to Shilpesh Trivedi, Senior Security Researcher at Uptycs, “The reason Telegram is being used is to bypass detection by security products, in the sense of data exfiltration and command and control.”

How to defend against Mac malware threats like MacStealer

Here are some recommendations to defend against macOS threats like MacStealer:

Follow best practices for security

On macOS, the best defenses are sometimes the most basic ones. For example, the researchers who discovered MacStealer suggest regular system updates for your Mac—and we agree that this is excellent advice. In terms of the best way to go about this, we recommend automating your updates. Patches are highly reliable these days, so there’s no practical reason to be performing updates manually. Turn on automatic updates today to ensure that you never miss a patch!

Practice safe downloads

Only download apps from the App Store or from the website of a trusted third-party developer. Not sure about an app? Do some critical thinking about it in order to assess risk. Shilpesh recommends asking “W-questions” to learn more about an app: 

Who is the author of the app—and is it signed by a valid author? What is the application—and what impact will it have on my system after installation? When was the app uploaded to the App Store? Does it have many users? Where am I downloading the application from? Is that really a legitimate source? You can find a lot of answers by asking yourself these W-questions.

Learn more about Mac security

Familiarize yourself with Mac Trojan horse malware behavior to have a better chance of spotting malicious apps in the wild. Learn how to use checksums to verify third-party app downloads on macOS. Keep up to speed with the latest developments in Mac security by following a podcast like The Checklist.

Use a reliable malware detection solution

Apple’s built-in malware defenses are better than in the past—but are still relatively thin. Run a reputable and well-supported macOS malware detection solution on your Mac. If a new type of malware does make its way onto your system, a robust macOS anti-malware tool can help to protect you. There are several good solutions on the market; we recommend that people try a few options and use the one they will be most comfortable working with long-term. SecureMac’s own MacScan 3 app has already been updated with malware definitions that let you detect MacStealer malware and remove it with a click.