InfoStealer Uses SwiftUI, OpenDirectory API to Capture Passwords

Aug. 9, 2024, 12:09 p.m.

Description

This report analyzes a new macOS stealer malware that leverages SwiftUI for password prompts and the OpenDirectory API for verifying captured passwords. It utilizes these APIs to evade detection and carries out its malicious operations in distinct stages: a Swift-based dropper first displays a fake password prompt to trick users, verifies the entered credentials using the OpenDirectory API, and then downloads and executes malicious scripts from a command-and-control server. The analysis delves into the dropper's functionality, uncovering novel techniques employed by the malware authors.

Date

Published: Aug. 9, 2024, 11:26 a.m.
Created: Aug. 9, 2024, 11:26 a.m.
Modified: Aug. 9, 2024, 12:09 p.m.

Indicators

https://cryptomac.dev/download/grabber.zip

Attack Patterns

CryptoTrade

T1558.001

T1548.001

T1055.001

T1059.005

T1497.001

T1059.001

T1113

T1071.001

T1105

T1027