Rising Threat: macOS Malware Combines Stolen Data for Cryptocurrency Theft
In a notable development in cybersecurity, a new macOS-focused information stealer has emerged, posing a serious threat to users of the platform. This malware cleverly integrates stolen wallet databases with credentials obtained from the Apple Keychain, various web browsers, and Apple Notes to conduct offline cryptocurrency theft attempts. Detection of this sophisticated malware has been attributed to the MistEye security monitoring system, highlighting its broader intention of data accumulation rather than targeting specific victims.
The malware’s data collection capabilities are extensive. It primarily focuses on macOS Keychain files but also includes sensitive information from Safari and Chromium browser data, Telegram Desktop sessions, Apple Notes, and local data from widely-used wallet applications such as Electrum, Exodus, Atomic, Wasabi, Monero, Bitcoin Core, Ledger Live, and Trezor Suite. This variety of targeted data reveals the extensive reach of the threat and underscores the growing vulnerabilities associated with cryptocurrency storage amid the proliferation of such attacks.
A significant concern lies in the fact that while a copied wallet database is not immediately readable due to local encryption measures employed by most wallet applications, the malware is cleverly designed to acquire potential unlocking materials. This creates a precarious offline attack chain wherein attackers can methodically test stolen passwords against exfiltrated wallet data without even needing to interact with the victim’s Mac.
A study conducted by SlowMist confirmed the effectiveness of this malware using Atomic Wallet data. The researchers found that the wallet’s LevelDB storage is secured with AES-256-CBC encryption, which necessitates the user’s wallet password for decryption of sensitive contents. During their analysis, they managed to restore stolen wallet data in a controlled, isolated environment and tested various candidate passwords acquired from the Keychain and browser password stores. Remarkably, one of the candidate passwords succeeded in unlocking data that provides control over wallet assets.
This method significantly sidesteps the usual limitations associated with online password guessing, as attackers can now possess both an encrypted wallet database and a variety of likely passwords. Such a capability allows them to perform decryption attempts at their leisure, thereby heightening the risk for victims who may believe they are protected.
Compounding the risks, merely reinstalling a wallet application or changing its password will not safeguard assets if a recovery phrase or private key has already been extracted during the malware attack.
Additionally, the malware employs a deceitful tactic by utilizing a fake administrative prompt masquerading as a “Google API Connector” update, aimed at capturing the victim’s macOS password. This added layer of sophistication enables the malware to validate submitted credentials using the macOS dscl authentication utility, a method that assists attackers in differentiating between a legitimate login password and random entries.
As detailed in SlowMist’s recent report, the malware also strives to retrieve Chrome Safe Storage secrets from the macOS Keychain, potentially enabling access to users’ browser-stored logins and cookies.
The Telegram Threat
A separate yet connected risk has emerged for users of Telegram. The information stealer is capable of copying the Telegram Desktop tdata directory, which includes files associated with local encryption keys and the authenticated session state. The implications of such an action were demonstrated in SlowMist’s laboratory tests, where restoring these files on a compatible Mac immediately retrieved the victim’s Telegram account session. This process did not require any phone number, SMS code, or Telegram two-step verification password, illustrating the ease with which an attacker can exploit this vulnerability.
This type of session reuse does not involve circumventing Telegram’s two-factor authentication but instead allows attackers to inherit an already-authorized local session, skillfully bypassing the conventional login requirements entirely. Moreover, SlowMist identified that these stolen tdata artifacts could potentially be transformed into programmable Telegram API sessions, enabling intruders to access chats and perform various message operations.
For users of Ledger Live and Trezor Suite, the malware presents a more direct phishing route. It is designed to eliminate legitimate wallet applications and replace them with fraudulent copies bearing the same names and icons. Investigations into this deceptive mechanism revealed that the counterfeit packages function as WebView loaders, which connect to websites controlled by attackers rather than genuine wallet software. These sites may request sensitive information such as recovery phrases, PINs, or passphrases while masquerading as trusted desktop applications.
The ongoing campaign exemplifies a disturbing trend whereby information stealers can exploit the intricate relationships between user credentials, local encrypted stores, established sessions, and the inherent trust users place in certain applications. Although a stolen wallet database may be safeguarded, when coupled with secrets acquired from the Keychain and reused passwords, it transforms into a significantly vulnerable target ripe for offline decryption.
Closing Remarks
This escalating threat underscores the urgent need for macOS users to adopt robust security measures to protect their digital assets. With the evolving nature of cybersecurity attacks, remaining vigilant and proactive is more crucial than ever to mitigate risks linked to information theft and unauthorized cryptocurrency access. Understanding these vulnerabilities and implementing best practices can make a substantial difference in safeguarding personal data and assets.

