A sophisticated new cross-platform information stealer known as ModStealer has emerged, targeting macOS users and demonstrating concerning capabilities to evade Apple’s built-in security mechanisms.
The malware represents the latest evolution in macOS-focused threats, which have seen a dramatic surge throughout 2024 and continue accelerating into the current year.
ModStealer follows established patterns seen in other macOS stealers but introduces unique persistence mechanisms that set it apart from predecessors like Atomic Stealer.
The malware primarily targets developers and cryptocurrency holders through social engineering campaigns involving fake job advertisements and recruitment opportunities, taking advantage of these groups’ valuable digital assets and frequent interaction with online development resources.
Initial reports from cybersecurity firm Mosyle indicate that ModStealer first appeared on VirusTotal approximately one month ago.
Moonlock analysts identified the malware’s cross-platform nature, enabling it to compromise macOS, Windows, and Linux systems simultaneously.
This versatility makes ModStealer particularly dangerous, as threat actors can deploy unified campaigns across multiple operating systems rather than maintaining separate malware variants for each platform.
The malware’s capabilities extend beyond typical data theft operations. ModStealer targets over 50 browser extensions on Chrome and Safari; Safari targeting is relatively uncommon among information stealers.
The malware extracts data from cryptocurrency wallet extensions, captures clipboard contents containing seed phrases and private keys, takes screenshots of visible user data, and harvests saved browser information including local storage databases, cookies, and stored credentials.
Advanced Persistence Through LaunchAgent Abuse
ModStealer’s most notable technical innovation lies in its persistence mechanism on macOS systems.
Rather than employing traditional persistence methods, the malware leverages Apple’s native launchctl utility to embed itself as a LaunchAgent within the system’s startup processes.
This approach allows ModStealer to maintain long-term, undetectable presence on compromised Mac devices by masquerading as legitimate system processes.
The malware creates hidden payload files such as “sysupdater.dat” to store its components while establishing persistence through macOS LaunchAgent configurations.
This technique effectively bypasses many detection systems that focus on monitoring unauthorized modifications to system files or registry entries.
By utilizing Apple’s own tools and frameworks, ModStealer presents itself as legitimate system activity, making detection significantly more challenging for both automated security solutions and manual analysis.
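Because the persistence described above lives in an ordinary LaunchAgent property list, a defender can triage those plists directly rather than waiting for file-integrity alerts. The script below is an added example, not code from the article or from any vendor it cites: it parses each plist with Python's standard `plistlib` and flags the traits the text describes (a payload stored under a data-file name such as sysupdater.dat, an interpreter launching a file from a hidden directory, RunAtLoad plus KeepAlive, and an Apple-style label outside /System/Library/LaunchAgents). The heuristics, the directory list and the two sample plists are constructed for illustration and are not indicators from the article.

```python
#!/usr/bin/env python3
"""Triage macOS LaunchAgent property lists for the persistence traits described
above. Added example; the heuristics and sample plists are constructed."""
import os
import re
import plistlib
from pathlib import Path
from typing import List

# Interpreters commonly used to run a payload that is stored as a plain data file.
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "node", "osascript", "perl"}
# Locations where a persisted executable rarely belongs.
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def triage_agent(plist_bytes: bytes, name: str = "<inline>") -> List[str]:
    """Return human-readable findings for one LaunchAgent plist (empty list = nothing odd)."""
    findings = []
    try:
        agent = plistlib.loads(plist_bytes)
    except Exception as exc:  # a malformed plist in an agent directory is itself worth a look
        return [f"{name}: unparseable plist ({exc})"]

    argv = [str(a) for a in agent.get("ProgramArguments") or []]
    if isinstance(agent.get("Program"), str):
        argv.insert(0, agent["Program"])
    if not argv:
        return [f"{name}: no Program/ProgramArguments key"]
    cmdline = " ".join(argv)

    # Payload stored under a data-file name (the article's sample name is sysupdater.dat).
    if re.search(r"\.dat\b", cmdline):
        findings.append(f"{name}: launches a .dat payload: {cmdline}")
    # An interpreter invoked on a file is a common way to run a non-Mach-O payload.
    if os.path.basename(argv[0]) in INTERPRETERS and len(argv) > 1:
        findings.append(f"{name}: interpreter {argv[0]} runs {argv[1]}")
    # Executables living in hidden directories or temp locations.
    for arg in argv:
        if arg.startswith("/") and ("/." in arg or arg.startswith(TEMP_PREFIXES)):
            findings.append(f"{name}: program path in hidden or temp location: {arg}")
    # Start at login and restart if killed: the shape of long-term persistence.
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        findings.append(f"{name}: RunAtLoad + KeepAlive (auto-start, auto-restart)")
    # Apple's own agents ship under /System/Library/LaunchAgents, which is not
    # scanned here; a com.apple.* label in a user or /Library agent is masquerading.
    label = str(agent.get("Label", ""))
    if label.startswith("com.apple."):
        findings.append(f"{name}: Apple-style label '{label}' outside /System")
    return findings


def default_agent_dirs() -> List[Path]:
    """Per-user and third-party LaunchAgent directories consulted by launchd."""
    dirs = [Path("/Library/LaunchAgents")]
    home = os.environ.get("HOME")
    if home:
        dirs.insert(0, Path(home) / "Library" / "LaunchAgents")
    return dirs


def scan_directories(dirs=None) -> dict:
    """Triage every *.plist in the given directories; returns {path: findings}."""
    results = {}
    for d in dirs or default_agent_dirs():
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            results[str(p)] = triage_agent(p.read_bytes(), p.name)
    return results


# Constructed samples (not real artefacts from the article).
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>/Users/victim/.cache/sysupdater.dat</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/backup</string>
    <string>--quiet</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

if __name__ == "__main__":
    for hit in triage_agent(SAMPLE_SUSPICIOUS, "sample.plist"):
        print(hit)
    for path, hits in scan_directories().items():
        for hit in hits:
            print(hit)
```

Run it on a Mac and every finding names the plist it came from, so each hit can be checked against `launchctl list` and the file's creation time. The checks are deliberately coarse; a benign agent can trip one of them, so treat several findings on the same plist, rather than any single one, as the signal worth investigating.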
Once established, ModStealer maintains communication with command-and-control servers to receive additional instructions, exfiltrate collected data, and potentially facilitate lateral movement within compromised networks.
This persistent connection enables threat actors to continuously harvest sensitive information and adapt their operations based on the specific environment of each victim system.