
A ‘Heads Up’ for Mac users —

New macOS malware steals sensitive info, including a user’s entire Keychain database

A new macOS malware—called MacStealer—that is capable of stealing various files, cryptocurrency wallets, and details stored in specific browsers like Firefox, Chrome, and Brave, was discovered by security researchers from Uptycs, a cybersecurity company specializing in cloud security. It can also extract the base64-encoded form of the database of Keychain, Apple’s password manager. Users of macOS Catalina (10.5) and versions dependent on Intel M1 and M2 are affected by this malware. –Jovi Umawing, Malwarebytes Labs.

This is a new, developing threat that will get more sophisticated, sneaky and persistent as time allows the black hats to refine its attack vector and performance profile.

Link to the article for more information —

https://www.malwarebytes.com/blog/news/2023/04/new-macos-malware-yoinks-a-trove-of-sensitive-information-including-a-users-entire-keychain-database?

13 replies on “A ‘Heads Up’ for Mac users —”

Thanks ACTS, I have a wife and two daughters who are Apple users. (Ugh, I tried and tried)
Email exploits? or Web clicks? I’ll go look at Malwarebytes, and Bleepingcomputer too.

Nope, that’s a different one. This one uses a macOS app to load itself via user interaction. It’s brand new in March and isn’t fully developed with all the features (read “features” as “tricks”) that it’s expected to have eventually. So far as I know it’s also not yet patched or covered by any OS or system level updates.

About all you can do is be very, very careful about what apps you load until a patch/detection is available.

I get all the CISA bulletins for pretty much everything from industrial control systems to MS, Google and Apple vulnerabilities and exploits several times a week. If I posted all those … Well BWC would probably accuse me of wasting their webspace. I just thought this one was new enough, and urgent enough to put up here on a blog post. I know there are Appleheads (like Steve Green et al.) who use this site so maybe it can do some good here.

I recently had a ahem … ‘discussion’ with someone on this site regarding keeping their macOS updated. This little nasty critter eats unpatched Catalina for breakfast and you probably wouldn’t know you’ve been had until your identity is stolen and actively being criminalized.

OS updates are as vital or more so than antivirus/antimalware software.

I see a lot of really stupid stuff on here but that’s nothing special. One guy was actually complaining that MS “had to patch their OS every month or so …” — Stuff like that. Most home computer users don’t have a clue what goes into all of this and like to complain because they think it makes them look like they know something. Which generally they do not.

Anyone who doesn’t know that Patch Tuesday is Microsoft being responsible and responsive to a dynamic, variable, evolving threat environment probably doesn’t know enough about computers to bother talking to regarding anything IT related.

You’re too busy to do it, but someday we’all should pull up lawnchairs and learn what actions to not do to try to avoid these ….exploits/viruses/vulnerabilities. What we should do is update whenever, and not complain or mock. But I’m curious as to the mechanism of entry, do these goodies come in the old fashioned way, through clicking on an executable via email? Or are they getting in other ways. Like I said, you’re busy, but it’d be a fun couple of hours learning.

Yeah, like a lot of things I could write a book about the problems in the IT security realm but then … Some smartass would just say I talk too much. Then they’d ignore everything I said anyway. Because someone ‘they know and trust’ has told them not to worry about all this stuff and they’ll be fine if they just run some sort of free antivirus software and forget about it.

There are a plethora of vectors. You can get something bad on your device by ‘drive by’ just by visiting a website that’s been compromised. Almost all websites have been compromised to some degree at some point. It’s more than the security operatives at most companies with a web presence can keep up with. Then there’s the ‘old fashioned’ way to get infected by a phishing email or something similar.

The only way to keep ahead of such things is by doing all the updates for your operating system and all your software (like Adobe, they’re lousy with bugs anyway) as soon as those updates become available. Then run at least two compatible antimalware programs on top of (for Windows) the organic software provided by the OS, the firewall, a firewall on your WAN facing router, etc.

For example — I run Panda Cloud AV and MalwareBytes in addition to Windows Defender. Those three will play nice together. I keep my Windows firewall locked up tight. I run a commercial grade Ubiquiti ER-8 Edgerouter which has a built in firewall. I do nightly scans for malware.

I keep two root SSD drives. On one I make it as lean and mean as I can then I clone it to another. I air gap the clone in an external hot swap drive bay. I pull the drive out of contact so it’s a real air gap, then I turn off the power to that drive bay. If things go sideways I pull the plug and reboot going into the UEFI BIOS to boot from the now active cloned root drive. Then I copy that drive back to the main SSD while I work. When I get that done I reboot back onto the main drive again, and air gap the clone again.

Something went wrong last week and I couldn’t boot to the main drive. This saved my bacon and has done so many times.

On top of that I run a nightly incremental backup (one base and six increments so for all practical purposes a clean backup once a week with incremental backups the other six days) which gives me triple redundancy for my root C:\ drive. I can either go back to the cloned root drive or I can restore C:\ from backups that go back about a month.

The thing about backups is you never know if they’re good until you actually need them. If you restore a backup to test it and it’s bad, then you FUBAR the whole system. So you can’t rely solely on backups.

I’m not saying everyone needs to be as paranoid as I am but they sure as hell ought to religiously keep up with their updates and run multiple antimalware programs. There is no single antivirus software that will catch everything. Triple redundancy is the best policy.

Unless you’re willing to lose everything that is. If that’s the case you can take all the chances you like. I had a client that had a multimillion dollar installation. They wouldn’t listen to me and they got infected with ransomware. It cost them a LOT more to recover from that than it would have cost just to do things the way I told them to in the first place.

You can’t win in this situation. If you warn people they ignore you and when what you warned them about happens, they blame you.
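The base-plus-six-increments scheme and the "you never know if a backup is good until you need it" problem above can be checked without touching the live system. The following is an added example (Python), not code from the post or from anyone in the thread: it takes a base snapshot and an incremental, replays the chain into an isolated scratch directory, and compares every restored file's SHA-256 against the manifest recorded at snapshot time. The directory layout, the MANIFEST.json name and the sample files are all constructed for the example.

```python
"""Base + incremental backup chain with restore-to-scratch verification.

Added example, not code from the original post. The "source" tree is a
handful of constructed text files in a temporary directory, standing in
for a root drive.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(src: Path) -> dict:
    """Map every regular file under src (posix-style relative path) to its SHA-256."""
    return {p.relative_to(src).as_posix(): sha256_of(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def snapshot(src: Path, store: Path, label: str, previous: Optional[dict]) -> dict:
    """Copy files into store/label. With previous=None this is the base;
    otherwise only files whose hash differs from the previous manifest
    (new or changed) are copied, which makes it an incremental."""
    current = manifest_of(src)
    target = store / label
    target.mkdir(parents=True)
    for rel, digest in current.items():
        if previous is None or previous.get(rel) != digest:
            dst = target / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src / rel, dst)
    # The manifest records the full expected state at this point in time,
    # not just what was copied, so it is the reference a restore is checked against.
    (target / "MANIFEST.json").write_text(json.dumps(current, indent=1))
    return current


def restore_chain(store: Path, labels: list, scratch: Path) -> None:
    """Replay the base and then each incremental, in order, into a scratch dir."""
    for label in labels:
        layer = store / label
        for p in layer.rglob("*"):
            if p.is_file() and p.name != "MANIFEST.json":
                rel = p.relative_to(layer)
                (scratch / rel).parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(p, scratch / rel)


def verify_restore(scratch: Path, expected: dict) -> list:
    """Return relative paths that are missing, differ from the manifest, or are extra."""
    actual = manifest_of(scratch)
    bad = {rel for rel, digest in expected.items() if actual.get(rel) != digest}
    bad |= set(actual) - set(expected)
    return sorted(bad)


def run_demo() -> dict:
    """Build a constructed tree, take base + one incremental, verify by
    restoring to scratch, then show that a corrupted stored copy is caught."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src, store = root / "src", root / "store"
    (src / "etc").mkdir(parents=True)
    (src / "etc" / "hosts").write_text("127.0.0.1 localhost\n")  # constructed
    (src / "notes.txt").write_text("day one\n")                    # constructed

    base = snapshot(src, store, "base", None)
    (src / "notes.txt").write_text("day two\n")                    # changed since base
    (src / "new.txt").write_text("added after base\n")             # new since base
    inc1 = snapshot(src, store, "inc1", base)

    copied_in_inc1 = sorted(p.name for p in (store / "inc1").rglob("*")
                            if p.is_file() and p.name != "MANIFEST.json")

    restore_chain(store, ["base", "inc1"], root / "scratch-good")
    good = verify_restore(root / "scratch-good", inc1)

    # Simulate silent corruption of a stored copy, then re-verify from a fresh scratch dir.
    (store / "base" / "etc" / "hosts").write_text("garbage\n")
    restore_chain(store, ["base", "inc1"], root / "scratch-bad")
    bad = verify_restore(root / "scratch-bad", inc1)

    shutil.rmtree(root)
    return {"copied_in_inc1": copied_in_inc1, "good": good, "bad": bad}


if __name__ == "__main__":
    print(run_demo())
```

The point of restoring into a scratch directory rather than over the live drive is that a bad chain is detected by the hash comparison, not by a broken machine. One limitation to keep in mind with this simple replay: a file deleted from the source after the base is still restored from the base layer, and shows up in the verification result as an extra path rather than being silently dropped.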

I would guess that much of what you have stated is beyond the capabilities of most people. In your “real” life, do you have a simple schematic for what home users should have as a minimum on the house side of the ISP modem? HW & SW?
My wife thinks I am too paranoid, I don’t even like her to take her ipad to work as it leaves the safety of the house and is now susceptible to the wilderness.

You’re right to be paranoid. I personally know a guy that lost 3/4 of a million dollars to scammers. The guy’s a miser and an urban hermit, not the brightest bulb on the tree, and reasoned that “Why should I pay for internet service when I can sit at a table in Starbucks and get it for free?” He got hacked, his passwords and accounts intercepted, then he got scammed by people who said they were U.S. Treasury Agents and needed his “help”. Both his money and the bogus agents are long gone.

This happened last year in San Francisco so yeah, no one is making any effort on his behalf to recover his money and catch the criminals. He begged me to help him and there’s nothing I can do from here. I told him to contact the FBI but I doubt they will be any help either. He’s a lifelong Democrat voter and a Leftist so I did point out to him that he can thank his political party for this lack of response on his behalf. He was all for “defund the police” because he thought he’d get more entitlement benefits. He had a three quarters of a million dollars and couldn’t see himself as anything but “poor”. He lived free in a house his parents own, wore clothes until they rotted off his body and bathed in a plastic bucket once a month whether he needed a bath or not just to ‘save water’. “Eccentric” is a gross understatement.

The whole thing is deliciously ironic.

Knowing what I know about this guy none of this surprises me. I don’t even like him but the mere thought of how he was robbed (much of which is due to his own stupidity and ignorance) makes me sick to my stomach just to think about. He scraped all those pennies, pinched each one until Lincoln screamed and now he’s flat broke. A lifetime (he’s in his 70’s so literally a whole lifetime) of avarice, frugality and doing without to amass as much cash as possible — All lost to the improper use of digital equipment and a refusal to take sound advice from people who know what they’re talking about …

Whenever someone tells me they’re not doing upgrades or running max layered security systems and “they’re good” I think of this guy. He thought he was ‘good’ too. Right up until all his money went bye-bye.

IF you are using a device outside your home on a WiFi LAN provided by others you should ALWAYS be on a VPN because once you leave your own network you have zero control over the environment. A VPN tunnel prevents ‘man in the middle’ attacks like the guy I don’t like was attacked with.

I don’t use a VPN on my phone because the cellular data is basically handled the same way a LAN system would work. Which is to say the phone company is the ISP and the phone works like its own local router. I do have security software on my phone anyway. That said, I do very little data work on my phone when I’m away from my wireless home network. Usually just Google Maps for navigating and other connections to known safe sites. Like my own camera system for instance, my weather station, RadarScope app, etc. I don’t surf the internet on my phone. Other than 2FA I don’t use my phone for banking or shopping or anything involving money or access to accounts. If I did, I’d VPN that connection too.

Inside my own perimeter I only use a VPN for certain specific situations where I want to conceal my IP address. Otherwise I let the security software and firewalls handle things.

I use Panda Cloud antivirus as my main AV software. It’s an obscure flavor of antivirus many people have probably never heard of. It’s great for keeping things you don’t want off your system, it’s not so great at removing them once they get on. I have backups and a cloned root drive if that becomes a problem. It’s very ‘light weight’ so it has a minimal impact on system performance. It comes in Windows, Mac, Android and Apple versions so one account can be used across the gamut of your devices. It has a very good free version that does most of what you might want this kind of thing to do. It plays nice with Windows Defender and my other anti-black hat software.

I run the full, paid version of MalwareBytes anti malware software. This includes browser protection, anti-ransomware, exploit protection and malware protection. I also run the MalwareBytes browser extension in each browser.

I run the “NoScript” extension on ALL my browsers. This permits me to select what javascript I want to allow to run in my browser(s). It’s a little fiddly but it prevents any possibility of a “drive by” attack via javascript, vbs, etc. Unless I allow that to run of course.

I run three separate ad blocking extensions on each browser. Drive by attacks are often loaded into the code in ads unbeknownst to the site operators. Sometimes even unbeknownst to the ad creators. All it takes is one person in the chain with a gambling debt or drug problem to inject something nasty. Or for personal reasons like a disgruntled employee.

Don’t forget, the vast majority of those assholes are Leftists …

I also run specific ad blockers for YouTube and Facebook. Though I can’t remember the last time I launched Facebook.

Once I’ve set permissions in NoScript and the ad blockers on a site then the sites work just fine while blocking most of the tracking scripts and all of any malicious scripts. (I don’t block anything at all here on this site, BWC doesn’t use anything malicious or questionable.)

I’m running an Ubiquiti ER-8 Edgerouter which is a commercial grade wired router. That router has a built in SPI (Stateful Packet Inspection) firewall and many other features I really like and want. Like packet capture for instance. I can look to see what’s connecting to things outside my perimeter and what those things are. It’s a commercial grade device so you have to learn its operating system and such to use it, the same as anything branded by Cisco. Cisco gear is also good but all this is beyond the average home user.

So other than having an SPI firewall I’m afraid I can’t give much for advice on home routers. Whatever you’re using, you should learn how it works and what settings are available. Don’t just plug in a router/gateway from your ISP and thereafter ignore it. The ISP sets those up to be as open as possible to limit support calls. All these things have a web interface of some sort. Find it, learn how to use it, change the access password from the default and make sure you don’t lose the user/password combination afterwards.

I always turn down the router/gateway offered by my ISP. Anything on my side of the DOCSIS modem belongs to and is controlled by me.

Ubiquiti makes home routers too but I don’t know much about those either.

I use Ooma (inside my firewall) for a telephone system in addition to my cell phone(s). Ooma allows me to block and reject pretty much anything I want to. I get all the bells and whistles including two lines for ~$120 a year. My AT&T business line that I had prior to adopting Ooma cost $64 a month for the same bells and whistles. I “own my own dial tone” and I can call anywhere in the U.S. or Canada for free at no additional charges and a 5000 minute a month cap which I have never reached. I almost never get telemarketing calls on my phones. When my phone rings, 99.9% of the time it’s someone I actually want to talk to.

If it’s not someone I want to talk to, I block them. I can block entire area codes (or area codes and exchange prefixes) so if someone calls from someplace I know I’m never going to be called from by someone I know, they’re blocked and so is their area code.

Some people don’t use a home phone anymore and rely solely on their cellular phones. This is a mistake in my view, you should never, ever give out your cellular number unless it is completely unavoidable. Ooma will redirect unanswered calls to my cell phone. I give people the number at my desk phone or if I really want to be a prick my Google Voice phone. If they sell those numbers it won’t do them any good because it won’t ring any of my phones anyway. If they’re not on a specific list of permitted numbers, it blocks them with a “this phone is not in service” message. If it’s important and they call back within 5 minutes it drops them straight to voicemail. Where I then block their number if it’s a nuisance call.

The main idea is to have full control over everything behind your modem on the LAN side. Then as you learn more and understand more about threats you can dial things in to protect yourself. Your ISP will NOT do this for you. ISPs could put SPI firewalls on their end of the connection but as a rule they never do.

I have all of my local wireless “wifi” supplied by meshed access points, none of it is on the router. I use TP-Link Omada commercial access points and control software.

I keep everything as up-to-date as possible. Including all OS and application software, the firmware on the router and the access points as well as the wifi access point controller software.

I never, ever let anyone who doesn’t live here access my main wifi. I have a guest wifi set up for that which is isolated from my main wifi system on its own VLAN subnet. When someone uses that guest system it takes them to a neat web page portal where they can sign in with the password I give them. That way whatever, if anything, is infecting them can’t infect me or mine.

By now it should be obvious that I have many, many layers of security set up on my own system. All of them have to fail for an attack to be successful. I rarely have a problem with attacks, can’t remember the last time that happened. My problems are almost always hardware failures of one sort or another. I have a cloned, air gapped root drive (C:\ drive) that I can boot from and backups that cover the past month to deal with that kind of thing.

If you have any specific questions this essay doesn’t answer, ask them. I’ll be happy to help if I can.

From what I remember of what I understood, Patch Tuesday is a concession to business IT departments who wanted a chance to test updates to make sure they didn’t break mission critical software. I remember the days when patches came out as soon as they were ready.
As I also understand it, the reason we get one big update now, starting with Windows 10, I think and then backported to 7 and 8, was because enough people were not installing all of the critical updates so now we get them in one single bundle.

All of that is true and it doesn’t change anything I said.

Patch Tuesday was implemented in an effort to consolidate the patching process and allow sysadmins time to test the patches in a virtual environment before releasing them into the production environment.

This was very handy and when I was a sysadmin for my clients I would do this in WSUS (Windows Server Update Services). WSUS allows sysadmins a fairly fine grained control of the update process in their locale.

Microsoft, hereafter “MS”, also releases patches “OOB” or “Out of Band”. Not to be confused with “OOB” or “Out of Box” … MS tends to trip over its own acronyms a lot.

When the powers that be at MS decide it’s urgent enough to be a serious global threat they will push an OOB update at the soonest possible instance regardless of Patch Tuesday.

On my own personal machines I run Windows Update every day at 02:00 before the backup system kicks in. The system then incrementally backs up the updated configuration, runs multiple malware scans and reboots itself. That way everything is fresh and ready to go by the time I sit down at my desk with a cup of coffee.

The person I was referring to above said something to the effect of “How can you trust a company that has to patch its software every month?” His meaning was that the software was so poorly done that it had to be constantly and regularly fixed. Thus betraying his complete ignorance of how this stuff works.

I’m happy as hell that MS is responsible and diligent enough to keep up on the threat environment and release free patches that eliminate weaknesses in their code, harden the code to attack, plug exploits when they’re discovered and fix things that did not work as well as they were expected to while streamlining performance issues that crop up.

Considering the vast array of differences in individual machines, the software they run, the hardware they use and all the possible combinations and permutations working in real life around the world this is a herculean task. Which MS performs for no additional cost beyond the OS licence fee.

Of course, if you are as ignorant as the person I’m citing then you’d fail to appreciate that and say dickheaded things thereby. Dickheaded things you think show how savvy you are while leaving no doubt as to the dickheadedness you are demonstrating.

Microsoft could write much better, much more robust, much more secure code for its flagship Windows operating system. Then it would cost between $20,000 – $100,000 a copy and no one would use it because it is too expensive. I don’t see MS doing that just to nullify the stupid derisions of stupid people.

There is software like that in the world, it’s used in industrial control and management systems. Like the one Siemens sells. The Siemens system Stuxnet attacked in Iran.

There is no such thing as a completely reliable, bullet proof, totally secure software/hardware combination. There are only things on a sliding scale of less to more of those desirable features. It took the resources of a State Actor to write and deliver Stuxnet so that wasn’t a simple thing but it got done even so.

In a class many years ago an instructor told me that the only way to make a computer 100% secure was to never let it have electricity. I’ve seen nothing since that would indicate that has changed.

Yeah, and I’ve messed up computers about every way that it’s possible to do so. Breaking them is how I initially learned to fix them.

There was a virus called “Chernobyl” years and years ago that would actually cause your power supply to overvolt the 12V feed to a hard drive or drives. Got that one, destroyed a hard drive with no backup, had to start all over from scratch. That was back in the day when a 56k modem was considered blazing fast and it took all night to download a couple megabytes of data.

There is also a system, called “Van Eck Phreaking” and similar means, that can pick up the stray, unintentional electronic emissions from a non-networked computer. This can display what’s on the non-networked computer screen and intercept stray electrical emanations from keyboards, mice and printers. From a considerable distance, with $15 in hardware and materials plus a television set.

This is what the standards set forth in the U.S. Government’s “Tempest” and “EMSEC” specs attempt to address. Most of that’s still classified but you can get the gist of it on the internet if you’re interested.

So just not having a computer networked is no guarantee of security. Even a stand-alone, unconnected computer can be spied upon fairly easily and cheaply.

I maintain a security perimeter around my home and office with cameras and perimeter alarms. It all looks fairly innocuous to the neighbors. I do a sweep for electrical anomalies a couple times a year, or more if I feel bored or ambitious. Which I am almost never either one of those things.

I’ve never found anything, yet. But just because you’re paranoid doesn’t mean they’re not out to get you. 😉

When people ask me why there are so many patches for Windows I usually say it’s because it’s such a large spaghetti mess of separate programs that have to work together and the whole thing is too large for anyone to manage. Plus the patches have added features and other new stuff.
I’d heard the only way to secure a computer was encasing it in concrete. A bit more extreme than your example.
I can understand the need to test code before implementing it, but some might not know the reason and wonder why they have to wait until the patch is released each month. I’d offer that people did not immediately install the patches before so there isn’t much change, and they complained about having to install and reboot all of the time back then anyway. Since they’re still complaining that hasn’t changed either.
I am happy Microsoft does not charge for service packs or their annual updates but suspect that’s because they’ve been tracking behavior and selling it to make money that way instead. Windows 10 wasn’t free from the start, not really. With Win 11 free as well, I suspect that’s the new model. I think Apple charges $100 or so for theirs?

Yeah, this has almost nothing to do with a “spaghetti mess”. It’s all about security updates. Today happens to be Patch Tuesday so I went and looked, which I always do, to see what’s being released.

There is one zero day patch and 97 security/vulnerability patches. There are no non-security related code patches to fix non-security related code bugs this month.

This is a typical Patch Tuesday. The problem isn’t one of scope regarding “separate programs that have to work together”, it’s a matter of finding security vulnerabilities after the code is written, released and goes live in the wild.

Patch Tuesday and OOB patches are heavily preponderant in security patches with the occasional code bug patch sprinkled in. In this case OOB stands for “Out of Band” not the OOB which stands for “Out of Box” … Microsoft trips over its own acronyms all the time.

People like the nitwit I cited previously who whine or act like they ‘know what’s going on’ are Class A nincompoops and can be safely ignored and/or ridiculed for fun and entertainment.

The “free” bit is a different matter. All modern OSes have phone-home telemetry operating by default unless you turn that off, which I always do. ALL of them, iOS, macOS, Windows, Linux, Android, Google Chrome OS etc. This greatly speeds up the RTM (Release To Market) of a new OS because it cuts down by orders of magnitude on the unimaginable number of configurations that OS will have to test and deal with. They just call close enough good enough and RTM. Which makes everyone in the world a beta tester.

To be fair, they do publish pre-RTM versions for beta testing too but those don’t even come close as far as finding all possible bugs goes.

This is actually a much more efficient way to do things than trying to cover all the myriad configurations possible during pre-RTM testing. Efficient but aggravating. Your compensation for the aggravation is free updates.

I don’t do the beta testing and turn all that crap off. I get free updates from other people’s aggravation. I never load a green OS. Prior to W10 I always waited for at least SP1. I waited for several “creators upgrades” or “feature upgrades” to be released before I loaded W10. Those are just Microsoft’s new names for Service Packs.

W10 and W11 also have built in ad systems that will run unless you know how to turn them off, or destroy them. Which is another thing I always do.

I also never use their Microsoft Login that they want you to create supposedly for your own benefit when you’re loading up an OS for the first time. I always create local users. They can’t track locals nearly as easily as they can when you willingly walk blindly into their spiderweb.

Plus all the bloatware. They get a cut on any money that bloatware makes and charge a fee to include it in the OS release.

I’m not saying Microsoft is angelic or altruistic. They’re absolute bastards if you ask me. I’m just saying that if people are going to bitch they should know what they’re bitching about. Because if they don’t then it’s “ridicule for fun and entertainment” time.
