New macOS malware steals bank info, crypto wallets & much more

Malware illustration

A newly-spotted security threat called ShadowVault works in the background on macOS to access logins, banking details, and more personal data.

Macs have traditionally been less targeted by malware developers in part because of the security in macOS, and partly because it's presented a smaller target than Windows. It's still the case that Macs have fewer malware issues than PCs, but also it's being targeted by different types of security threats.

Now according to Guardz Cyber Intelligence Research (CIR), a new specific threat to macOS has been uncovered. CIR claims to have used "sophisticated covert operations" in order to identify ShadowVault while it was still being developed.

It's not clear whether ShadowVault has been seen in active use, nor how it is intended to be delivered once in the wild. Since it runs in the background on Macs, though, users presumably have to be tricked into downloading and running it.

ShdaowVault's technical specifications (source: CIR)

When discovered, ShadowVault was being offered for sale for $500 for one month. It claims to be able to extract "passwords, cookies, credit cards, wallets," and "all Chromium-based extensions."

How to protect yourself from ShadowVault

AppleInsider has a thorough guide to protecting Macs against malware, phishing and more. In short, users can prevent security threats by being wary of anything unexpected — and not following links or opening files unless certain they are genuine.

Many phishing attempts will be easily recognizable, but if in doubt, users should look for issues such as company names being spelt correctly in emails. Typing mistakes still seem to convince junk filters that the mail is from a real human being, but companies do not misspell their names.

They also don't include links to anywhere suspicious. While users should never click on a suspicious link, they can hover the mouse cursor over the link and see where it would really take them.

CIR says ShadowVault was specifically built to steal data from macOS devices. Describing it has having "potent capabilities," CIR also claims to have developed countermeasures for its clients.

Apple has not commented on ShadowVault.

Follow AppleInsider on Google News

6 Comments

GrannySmith99

said about 9 months ago

Many phishing attempts will be easily recognizable, but if in doubt, users should look for issues such as company names being spelt correctly in emails. Typing mistakes still seem to convince junk filters that the mail is from a real human being, but companies do not misspell their names.

Yeah, this can be very confusing! :D :p ;)

BiCC

said about 9 months ago

How do you steal a Blockchain wallet remotely - you need the eleven random passwords made randomly and the passcode you create - as for a physical wallet like Ledger it only has 250 bites so no possible physical room for malware. Plus the random words and so on... Blockchain is unhackable. I once read the odds are one trillion to the exponent one million.

appleinsideruser

said about 9 months ago

AppleInsider said:

While users should never click on a suspicious link, they can hover the mouse cursor over the link and see where it would really take them.

Except for websites that use JavaScript to rewrite a link destination onclick. Tricky blighters. Then you need to secondary click, copy link, paste (or often just hover again).

Marvin

said about 9 months ago

BiCC said:

How do you steal a Blockchain wallet remotely - you need the eleven random passwords made randomly and the passcode you create - as for a physical wallet like Ledger it only has 250 bites so no possible physical room for malware. Plus the random words and so on... Blockchain is unhackable. I once read the odds are one trillion to the exponent one million.

They steal credentials like private keys. There are a number of things they can do:

https://www.uptycs.com/blog/what-is-meduza-stealer-and-how-does-it-work
https://cointelegraph.com/news/hodlers-beware-new-malware-targets-metamask-and-40-other-crypto-wallets
https://www.techradar.com/news/google-removes-crypto-stealing-chrome-extensions-from-its-web-store

They can replace or modify a crypto browser extension to look like the official one and get you to enter the seed phrase.
They can also try to extract data from the extension, people don't need to input the seed phrase every time they use a browser crypto wallet so some extensions are storing authentication details and that can be stolen to access the wallet.
They can intercept wallet communication so the next time a transaction is made, it can send a different amount to a different destination.
They can compromise emails that are used to access online crypto exchanges, maybe some emails have QR codes.
They can put keyloggers in place to track any time a seed phrase is pasted somewhere.

davidw

said about 9 months ago

One of the surest way to know whether an email is from a company you have an account with is that that company will know your user login name, account number or name on the account and will address you in their email by one or two, of those. My CC company do not start their email with .... "Dear "CC name" account holder" or "Dear Customer" or by my email user name. They will always mention the last 4 digit of my CC. eBay addresses me by my eBay user name. ATT uses the last 4 digit of my mobile number. Amazon addresses me by my first name. Apple uses my first name and mention the last four of my account number. Netflix uses my first name.

If the email don't have any proof that they know who you are, you have no business clicking on any links in that email. Even if it's not a scam and just a company sending out advertising or promotional material.

One of the sure give away that it's a phishing scam is when the email addresses you by your email user name and even if your email user name is your name, it will all be in lower case and with no space between your first, (middle initial/name, if any) and last name.