Emergence of Mac.c: A New macOS Stealer Offering Rapid Data Exfiltration on the Dark Web

A newly identified macOS-based information stealer, known as Mac.c, has recently appeared on darknet forums, offering rapid data exfiltration capabilities for a subscription fee of $1,500 per month. Developed by the threat actor mentalpositive, Mac.c is marketed as a streamlined alternative to the established AMOS stealer, focusing on extracting credentials, cryptocurrency wallets, and system metadata with a minimal footprint.

Technical Overview and Distribution

Mac.c is designed to leverage native macOS tools and APIs to conceal its activities, posing a significant threat to both enterprise and individual users. Early samples indicate that the malware utilizes built-in system utilities to minimize external dependencies and reduce its forensic footprint. This approach not only enhances stealth but also circumvents many traditional endpoint defenses.

The malware’s infection process typically begins with phishing campaigns delivered via email or malicious advertising (malvertising), enticing users to download what appear to be legitimate macOS installer packages. Upon execution, Mac.c establishes persistence by creating a launch agent in the ~/Library/LaunchAgents directory, ensuring it remains active across system reboots.

Persistence Mechanism

To maintain persistence, Mac.c writes a property list (plist) file with the following configuration:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.update</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/osascript</string>
        <string>/tmp/.macc.scpt</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
```

This configuration ensures that the malware’s script is executed upon system startup, allowing it to continuously operate without user intervention.
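As an added defensive check (not code from the original article or from the malware), the following Python script audits ~/Library/LaunchAgents for the pattern shown above: an Apple-looking label in a user directory, a script interpreter as the program, and a hidden script under /tmp. The osascript path, /tmp location and com.apple.* label are taken from the plist above; the extra interpreters and temp-dir prefixes are assumptions, and the sample plists it writes are constructed.

```python
import plistlib
import tempfile
from pathlib import Path
# /usr/bin/osascript, /tmp and the com.apple.* label come from the plist in the
# article; the extra interpreters and temp-dir prefixes are assumptions.
SCRIPT_INTERPRETERS = {"/usr/bin/osascript", "/bin/sh", "/bin/bash", "/bin/zsh"}
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/")

def assess_launch_agent(plist_bytes):
    """Return reasons a user LaunchAgent looks suspicious (empty list if none)."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]
    reasons = []
    label = str(data.get("Label", ""))
    args = [str(a) for a in data.get("ProgramArguments", [])]
    # Apple ships its agents under /System/Library; com.apple.* in ~/Library is a masquerade.
    if label.startswith("com.apple."):
        reasons.append("label impersonates Apple: " + label)
    if args and args[0] in SCRIPT_INTERPRETERS:
        for arg in args[1:]:
            if arg.startswith(TEMP_DIRS):
                reasons.append("interpreter runs script from temp dir: " + arg)
            if Path(arg).name.startswith("."):
                reasons.append("hidden script file: " + arg)
    if reasons and data.get("RunAtLoad"):
        reasons.append("RunAtLoad set: re-executes at every login")
    return reasons

def scan_launch_agents(directory):
    """Assess every .plist in directory; return {path: reasons} for hits only."""
    folder = Path(directory).expanduser()
    plists = sorted(folder.glob("*.plist")) if folder.is_dir() else []
    return {str(p): r for p in plists if (r := assess_launch_agent(p.read_bytes()))}

def build_sample_dir():
    """Write constructed samples to a temp dir: one mirroring Mac.c, one benign."""
    d = Path(tempfile.mkdtemp())
    samples = {"com.apple.update": ["/usr/bin/osascript", "/tmp/.macc.scpt"],
               "com.example.sync": ["/Applications/Sync.app/Contents/MacOS/sync"]}
    for label, args in samples.items():
        (d / (label + ".plist")).write_bytes(
            plistlib.dumps({"Label": label, "ProgramArguments": args, "RunAtLoad": True}))
    return str(d)

if __name__ == "__main__":
    for path, reasons in scan_launch_agents("~/Library/LaunchAgents").items():
        print(path, "->", "; ".join(reasons))
```

Run `scan_launch_agents(build_sample_dir())` to see the constructed Mac.c-style agent flagged while the benign one is ignored.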

Data Exfiltration Techniques

Once active, Mac.c employs AppleScript to extract sensitive information from the system’s Keychain and browser-stored credentials. It systematically targets a predefined list of browsers, including Chrome, Edge, Brave, and Yandex, to harvest stored passwords and other confidential data. The collected information is then compressed and transmitted over encrypted HTTPS channels to servers controlled by the attacker.

Market Position and Appeal

In its promotional materials, the developer mentalpositive highlights Mac.c’s small binary size, advanced evasion techniques, and a user-friendly control panel for operators. This control panel enables users to generate unique builds, monitor infections, and manage campaigns through a web interface. While Mac.c shares AMOS’s modular design, it omits some of AMOS’s more advanced features, such as extensive wallet targeting and automated keylogger integration. This streamlined approach results in a faster, more efficient stealer that appeals to less sophisticated cybercriminals entering the macOS malware market.

Current Impact and Detection

Initial reports suggest that Mac.c is already active in the wild. Telemetry data from security tools like CleanMyMac have detected multiple variants of the malware, including files named Installer.dmg, Installer(1).dmg, and Installer descrakeador adobe.dmg—the latter masquerading as a cracked Adobe installer. Although security tools have intercepted these variants, preventing full breaches, the frequency of encounters indicates that Mac.c is in an active deployment phase and is gaining traction among threat actors.

Recommendations for Mitigation

To protect against threats like Mac.c, users are advised to:

– Download Software from Trusted Sources: Only obtain applications from the official Apple App Store or verified developers to reduce the risk of downloading malicious software.

– Utilize Reputable Antivirus Tools: Employ security solutions that offer real-time protection and are specifically designed for macOS environments.

– Maintain Strong, Unique Passwords: Use complex passwords and avoid reusing them across different accounts.

– Enable Biometric Security Features: Utilize features like Touch ID or Face ID to add an extra layer of security.

– Exercise Caution with Email Attachments and Links: Avoid opening attachments or clicking on links from unknown or untrusted sources.

– Keep Systems Updated: Regularly update macOS and all installed applications to ensure the latest security patches are applied.

By adhering to these best practices, users can significantly reduce the risk of infection from Mac.c and similar macOS-targeted malware.