New macOS Installer Boasts Lightning-Fast Data Theft, Marketed on Dark Web


A novel macOS infostealer malware, designated as Mac.c, has emerged as a formidable contender in the underground malware-as-a-service (MaaS) ecosystem.

Developed openly by a threat actor operating under the pseudonym “mentalpositive,” Mac.c represents a streamlined derivative of the notorious Atomic MacOS Stealer (AMOS), optimized for rapid data exfiltration with minimal footprint.

This malware leverages native macOS utilities, such as AppleScript and system APIs, to conduct stealthy operations that mimic legitimate processes, thereby evading traditional endpoint detection and response (EDR) mechanisms.

By minimizing reliance on external dependencies, Mac.c enhances its evasion capabilities, allowing it to infiltrate systems through trojanized installers disguised as benign applications, including cracks for popular software like Adobe products.

Threat in macOS Infostealer Landscape

The development trajectory of Mac.c, as tracked by Moonlock Lab across dark web forums, reveals an unusually transparent approach from mentalpositive, who publicly shared code snippets, updates, and feature enhancements over several months.

This strategy appears designed to cultivate a user base and establish credibility in the niche macOS MaaS market.

Key advancements include binary size optimization to reduce detectable artifacts during static analysis, integration of a remote file grabber via an administrative control panel, expanded browser compatibility, and a specialized module for phishing Trezor cryptocurrency wallet seed phrases.

Furthermore, Mac.c incorporates dynamic build generation to circumvent Apple’s XProtect antivirus signatures, ensuring each instance is uniquely obfuscated.

Moonlock Lab’s code analysis highlights verbatim similarities with AMOS, suggesting potential code reuse or collaboration, though mentalpositive has expressed intentions for “fair business” practices to avoid direct confrontations with established players like AMOS developers.

Functionally, Mac.c initiates its attack chain via phishing vectors, deploying a primary payload that escalates to a secondary stage that abuses AppleScript for credential harvesting.

It targets iCloud Keychain entries, browser-stored passwords from Chrome, Edge, Brave, and Yandex, cryptocurrency wallet data from extensions like MetaMask, Phantom, and Binance, as well as system metadata and files from predefined directories.

[Image: faking a password prompt]

A particularly insidious tactic involves fabricating system prompts, such as impersonating the game “Innocent Witches” to solicit user passwords, which are then stored in plaintext for subsequent unauthorized access.
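Because the fake prompt is produced with native AppleScript rather than a dropped binary, a signature on the installer misses it while a behavioral rule on process telemetry does not. The following detector is an added example (not Moonlock Lab's or the article's code): it scans process-execution records, constructed here to resemble an EDR feed, and flags osascript invocations whose inline script asks for text "with hidden answer", the building block any scripted password dialog relies on. The parent-process names and sample command lines are assumptions for illustration.

```python
"""Heuristic detection of scripted credential prompts spawned via osascript."""
import re
import shlex
from dataclasses import dataclass

# Constructed sample records (parent process, command line). Not real telemetry.
SAMPLE_EVENTS = [
    ("Installer", 'osascript -e \'display dialog "Innocent Witches requires your password" '
                  'default answer "" with hidden answer with icon caution\''),
    ("Terminal", "osascript -e 'display notification \"Build finished\" with title \"CI\"'"),
    ("Installer", "osascript -e 'display dialog \"Enter your macOS password to continue\" "
                  "default answer \"\" with hidden answer'"),
    ("Script Editor", "osascript /Users/alice/scripts/backup.scpt"),
]

# A masked-input dialog is the one construct a fake password prompt cannot avoid.
HIDDEN_ANSWER = re.compile(r"display\s+dialog\b.*?\bwith\s+hidden\s+answer", re.I | re.S)
PASSWORD_WORDS = re.compile(r"\b(password|passcode|keychain)\b", re.I)
# Parents that rarely have a legitimate reason to pop a scripted dialog (assumed list).
SUSPECT_PARENTS = {"Installer", "open", "bash", "sh", "zsh"}


@dataclass
class Finding:
    parent: str
    reason: str
    cmdline: str


def applescript_source(cmdline):
    """Return the inline AppleScript passed through -e switches, or '' if there is none."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quoting: treat as no inline script
        return ""
    return "\n".join(argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-e")


def score_event(parent, cmdline):
    """Return a Finding when the event looks like a scripted credential prompt, else None."""
    if not cmdline.startswith("osascript"):
        return None
    src = applescript_source(cmdline)
    if not HIDDEN_ANSWER.search(src):
        return None
    reasons = ["hidden-answer dialog"]
    if PASSWORD_WORDS.search(src):
        reasons.append("password wording")
    if parent in SUSPECT_PARENTS:
        reasons.append(f"launched by {parent}")
    return Finding(parent, ", ".join(reasons), cmdline)


def scan(events):
    """Run score_event over (parent, cmdline) pairs and keep the hits."""
    return [f for f in (score_event(p, c) for p, c in events) if f]
```

Run against SAMPLE_EVENTS, scan() returns the two Installer-spawned prompts and leaves the notification and the script-file invocation alone; in production the same rule would read from an EDR or Endpoint Security process-exec stream.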

Data exfiltration occurs via staged communications to attacker-controlled servers, focusing heavily on cryptocurrency artifacts from wallets including Electrum, Exodus, Coinomi, Atomic, Monero, Wasabi, and Ledger Live.

This emphasis underscores Mac.c’s primary targeting of cryptocurrency enthusiasts, enabling swift theft of digital assets like NFTs and stablecoins without immediate user awareness.

Pricing and Market Impact

Priced at a subscription rate of $1,500 per month, with an additional $1,000 one-time fee for the Trezor phishing module, Mac.c undercuts AMOS’s $3,000 monthly cost, democratizing access to sophisticated infostealers for less resourced threat actors.

Moonlock Lab confirms Mac.c’s operational efficacy, having detected live samples among users of their CleanMyMac software under filenames like Installer.dmg and Installer descrakeador adobe.dmg.

While these detections prevented breaches, they indicate active dissemination campaigns, likely via malvertising and phishing.

Compared to AMOS, Mac.c offers fewer overall capabilities, supporting a narrower range of wallets and extensions, yet its speed-oriented design and cost efficiency have garnered popularity among actors specializing in malware distribution (so-called traffers).

This emergence could disrupt the macOS infostealer hierarchy, potentially sparking rivalries, though mentalpositive’s overtures toward amicable relations with peers suggest an effort to coexist.

Moonlock Lab’s findings emphasize the need for enhanced behavioral analytics in macOS security tools to counter such evasive threats, as reliance on signature-based detection proves insufficient.

For macOS users, vigilance against unsolicited downloads and prompt verification of system dialogs remains critical, particularly for those managing cryptocurrency assets.

As the dark web MaaS market evolves, Mac.c exemplifies how open development and aggressive pricing can accelerate the proliferation of tailored malware, posing escalating risks to endpoint security in Apple ecosystems.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.