It seems that infostealer developers are paying more and more attention to the macOS user base (or rather victim base). In the recent past, a few strains of infostealer malware targeting the macOS platform were found operating, and security vendors have published some deeper analyses of them.
Recently, while browsing the infamous XSS forum, I stumbled upon a sales post for yet another stealer targeting macOS. The post was made on 9th February 2024 by a user named BeCthulhu, who advertises sales of Mac OS Stealer. According to the post, this malware is capable of stealing:
- Session cookies from Chrome, Firefox, and Brave browsers.
- Passwords from Chrome, Firefox and Brave browsers.
- Notes.
- Files .txt, .rtf, .docx, .jpg.
- Keychains.
- Over 10 desktop cryptocurrency wallets.
- Over 90 web cryptocurrency wallets.
- Passwords from MetaMask.
- Steam, Telegram, FileZilla.
The price is $500/month for the first 5 buyers. After that, the price will be $1000/month. Sadly, the user hasn’t elaborated on the characteristics of the malware, such as the size of the build or the language in which it is written. All software has some kind of terms and conditions of use, and malware is no exception. In this case, the terms are as follows (loosely translated from Russian by me):
- We are not selling malware, this product is created for educational purposes.
- We are not liable for the use of the product to conduct illegal activities.
- No money-back after the purchase, unless the product is not operational.
- Our product has a geo-block on the Commonwealth of Independent States. Moreover, operating the product to target victims in Russia, or even discussing it in the client’s chat, will lead to the termination of service.
- By buying our product, you automatically agree to our terms.