Newly Discovered Mac Trojan Virus Steals Cryptocurrency Wallet Keys in Seconds

The new Mac Trojan virus is a formidable threat to the cryptocurrency community, given its ability to steal the private keys to crypto wallets within a mere ten seconds. The malware tricks users into downloading a fraudulent DMG package and granting it administrative permissions, thereby bypassing Apple’s stringent security reviews and gaining access to sensitive files such as wallet seed phrases and account credentials.

Although Apple has a strong reputation for robust security measures and a rigorous app review process, this Trojan relies on a common phishing technique to get onto the machine. The attacker misleads users into thinking that they are installing legitimate software, when it is, in fact, malware. While similar threats exist for Windows systems, this episode serves as a stark reminder that no platform is entirely invulnerable.

To execute its operations, the malware needs the user’s administrator password, which is usually identical to the Mac’s lock screen password. Once the user enters this password, the malware obtains system-level permissions, enabling it to alter configurations and access protected folders.

Malware often deceives users with misleading prompts such as “Enter your unlock password to install.” For those unacquainted with macOS security, this step can be easily overlooked, facilitating the Trojan’s system infiltration.

The Trojan’s speed is particularly alarming. Within seconds of receiving permission, the malware can scan for and collect sensitive files, including browser cookies, autofill data, saved passwords, and locally stored encrypted wallet seed phrases from apps like MetaMask. In some instances, passwords are cracked locally, while others are shipped to a hacker’s server for further decryption. Even passwords stored in iCloud are susceptible to attack.

According to SlowMist researcher @evilcos, the malware typically focuses on:

1. Extracting and loading wallet seed phrases: Hackers can decrypt these locally or crack them remotely. Users may not realize the breach until their assets have disappeared days or weeks later. If a wallet has a low balance, hackers might wait until it reaches a higher value before attacking.

2. Stealing account permissions from browser cookies: This enables hackers to hijack accounts on platforms like X or exchanges to send harmful messages or transfer funds.

3. Abusing communication apps like Telegram and Discord: This facilitates the dissemination of malicious messages to other users.

To safeguard against this Trojan, users should exercise caution when asked to install software masked as an application or game related to a project, as these could be Trojan scams in disguise. If users habitually download third-party software without discretion, or lack experience in identifying malware, they should refrain from using that computer for crypto-related activities. At the very least, antivirus software should be installed.

Users should also bear in mind that even third-party software initially deemed safe could be compromised in future updates or new versions.