New MacStealer malware steals iCloud Keychain data and passwords — how to stay safe

MacBook Pro 16-inch 2021 sitting on a patio table

Macs are currently under attack from a new info-stealing malware capable of exfiltrating sensitive data stored in iCloud Keychain including passwords for your online attacks.

As reported by The Hacker News, this new Mac malware has been dubbed MacStealer by researchers at the cybersecurity firm Uptycs who came across it while hunting for threats on the dark web.

While many of the best MacBooks are vulnerable, Uptycs notes in its report on the matter that Apple computers running macOS Catalina and later equipped with M1 and M2 chips are the most affected.

The MacStealer malware is still a work in progress but its creators have indicated on a hacking forum where they’ve been advertising it that they do want to add new features to the malware including the ability to capture data from Apple’s Safari browser as well as its Notes app.

Extracting sensitive data from infected Macs

A shadowy hand reaches for the word 'PASSWORD' displayed on a computer screen.

(Image credit: Shutterstock)

At the moment, MacStealer is designed to extract iCloud Keychain data, passwords and credit card information from a variety of browsers including Google Chrome, Mozilla Firefox and Brave. However, the malware can also harvest Microsoft Office files, images, archives and Python scripts from infected Macs.

Surprisingly, it’s still unknown how the cybercriminals distributing this malware are getting it onto vulnerable Macs. Still, we do know that it arrives as a DMG file (weed.dmg) and could be sent to unsuspecting users via phishing emails or spread on fake websites.

When launched, the MacStealer malware opens a fake password prompt for users trying to gain access to the System Settings app. Instead of granting access to the app, the malware harvests their credentials.

Just like other recent Windows malware families, MacStealer uses the encrypted messaging app Telegram as a means to send stolen data back to a command and control (C&C) server operated by the hackers distributing this malware.

How to protect your Mac from malware

macOS security

(Image credit: Shutterstock)

Although Macs were once thought to be safe from malware, those days have come and gone. As Apple’s computers have become more popular, they’ve become sought after by hackers and while still rare compared to Windows malware, malware targeting macOS has become much more prevalent.

For this reason, you want to make sure that your Mac is up to date and running the latest software. If you need help with this, check out our guide on how to update a Mac. While Apple’s Gatekeeper prevents malware from being launched and its Xprotect can help deal with a malware infection after the fact, you may still want some extra protection for your Apple computers. In this case, you might want to consider installing one of the best Mac antivirus software programs to run alongside Gatekeeper and Xprotect.

Since we don’t know exactly how MacStealer is being distributed at the moment, we all need to remain extra vigilant. As such, you want to avoid opening emails from unknown senders and downloading any attachments they may contain. Likewise, you shouldn’t click on any links without inspecting them first to see where they will take you.

As MacStealer is still in its early days, we’ll likely hear more about this new Mac malware, especially as its creators add new capabilities like stealing passwords and data from Safari and Apple’s Notes app.

More from Tom's Guide

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.