InfoStealer Uses SwiftUI, OpenDirectory API to Capture Passwords

Aug. 9, 2024, 12:09 p.m.

Description

This report analyzes a new macOS stealer malware that leverages SwiftUI for password prompts and the OpenDirectory API for verifying captured passwords. It utilizes APIs to evade detection and carries out malicious operations in distinct stages, first executing a Swift-based dropper that displays a fake password prompt to trick users, verifies credentials using the OpenDirectory API, and then downloads and executes malicious scripts from a command-and-control server. The analysis delves into the dropper's functionality, uncovering novel techniques employed by the malware authors.

External References

https://www.kandji.io/blog/infostealer-swiftui-opendirectory-api-capture-verify-passwords
https://otx.alienvault.com/pulse/66b5fcde122c57bd9724b52c
Tags
infostealer
macos
dropper
2024-08-09
swiftui
cryptotrade

Date

  • Created: Aug. 9, 2024, 11:26 a.m.
  • Published: Aug. 9, 2024, 11:26 a.m.
  • Modified: Aug. 9, 2024, 12:09 p.m.

Indicators

  • https://cryptomac.dev/download/grabber.zip
Download all indicators here!

Attack Patterns

  • CryptoTrade
  • T1558.001
  • T1548.001
  • T1055.001
  • T1059.005
  • T1497.001
  • T1059.001
  • T1113
  • T1071.001
  • T1105
  • T1027