A sophisticated new malware known as “MioLab MacOS” is being actively advertised on underground cybercrime forums, posing a significant threat to macOS users. This resident infostealer, marketed as a Malware-as-a-Service (MaaS), provides threat actors with a web-based control panel and customizable features, aiming to ease the compromise of Apple devices and steal sensitive user information.
This emerging threat, identified by KrakenLabs researchers, is presented as a subscription-based service, lowering the barrier to entry for cybercriminals. The advertisements claim that MioLab MacOS can extract a wide range of personal and financial data, including credentials from browsers, password managers, cryptocurrency wallets, and Apple’s native Keychain system, making it a potent tool for digital asset theft and account hijacking.
MioLab MacOS: A Comprehensive Infostealer for macOS
The threat actors behind MioLab MacOS are leveraging a business-oriented approach to malware distribution, offering it as a monthly subscription. The pricing structure includes a $750 USD monthly fee, with an additional $500 USD one-time payment for specialized modules designed to target Ledger and Trezor hardware wallets. Percentage-based deals are also reportedly available for high-volume attackers, indicating a well-established criminal enterprise.
MioLab MacOS boasts extensive capabilities for data exfiltration. It targets over 200 cryptocurrency wallet extensions, including popular options like MetaMask and Trust Wallet, and more than 15 password management applications such as LastPass. This broad compatibility significantly increases the potential impact on users who rely on these tools for managing their digital identities and assets.
Beyond financial information, the malware is designed to harvest web browsing data. It can steal cookies, passwords, browsing history, and autofill data from both Chromium- and Gecko-based browsers commonly used on macOS. Furthermore, it can capture Google authentication tokens, which let attackers bypass two-factor authentication and retain persistent access to user accounts; stolen session tokens of this kind remain valid until revoked, so a password change alone does not end the compromise.
The capabilities of MioLab MacOS extend to system profiling, enabling threat actors to gather detailed information about the compromised devices. It can also extract content from Apple Notes, potentially revealing sensitive personal and business-related details that could be exploited for further attacks or blackmail.
A notable feature of MioLab MacOS is its integrated FileGrabber functionality. This component allows attackers to collect files based on custom filtering rules, with a specific focus on cold wallet applications. It can search for and extract files with extensions such as .dat, .key, and .keys from over 50 different cold wallet applications, further expanding its reach into the cryptocurrency user base.
Data Exfiltration and Command Infrastructure
The exfiltration of stolen data from infected macOS systems is managed through integration with Telegram bots. This allows threat actors to receive notifications and manage compromised information through the encrypted messaging platform, ensuring a relatively secure channel for receiving sensitive data. This method of data transmission is becoming increasingly common among cybercriminals looking to maintain operational security.
Supporting this exfiltration method is a centralized web-based control panel. This panel provides threat actors with robust log management capabilities and real-time monitoring of compromised devices. This infrastructure enables operators to efficiently organize credentials, financial data, and personal information, facilitating targeted exploitation and analysis of the collected data across multiple victims simultaneously.
The combined use of Telegram for data exfiltration and a web-based administration panel creates a sophisticated and reliable command and control system. This infrastructure is crucial for attackers to maintain control over their botnet, manage their operations, and minimize the risk of detection by cybersecurity professionals as they continue to develop and distribute advanced malware like MioLab MacOS.
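Because the exfiltration path described above runs through the Telegram Bot API, the bot token travels in every request URL, which gives defenders a simple network-level detection. The following script is an added example (not part of the original article or of KrakenLabs' research) that scans constructed web-proxy log lines for Bot API traffic, groups hits per client, rates upload-method traffic above a byte threshold as high severity, and redacts the secret half of any token it records; the log format, hostnames and tokens are all assumed sample data.

```python
import re
from collections import defaultdict

# Constructed web-proxy log lines (not real telemetry), one request per line:
# <timestamp> <client_ip> <method> <url> <status> <bytes_sent_by_client>
SAMPLE_PROXY_LOG = """\
2024-05-02T10:15:01Z 10.0.0.21 GET https://api.telegram.org/bot123456789:AAEx-constructed_token/getMe 200 512
2024-05-02T10:15:03Z 10.0.0.21 POST https://api.telegram.org/bot123456789:AAEx-constructed_token/sendDocument 200 1843200
2024-05-02T10:15:05Z 10.0.0.22 GET https://www.apple.com/ 200 40231
2024-05-02T10:15:07Z 10.0.0.23 POST https://api.telegram.org/bot987654321:AAAnother-constructed/sendMessage 200 220
"""

# Bot API requests carry the bot token in the URL path. A stealer with a
# hard-coded bot uses exactly this shape; the Telegram desktop client does not.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def redact_token(token):
    # Keep the numeric bot id (useful for pivoting across hosts), drop the secret half.
    return token.split(":", 1)[0] + ":<redacted>"


def find_telegram_exfil(log_text, upload_threshold=100_000):
    """One finding per client that talks to the Bot API. Severity is 'high'
    when file-upload methods pushed more than upload_threshold bytes."""
    per_client = defaultdict(lambda: {"methods": set(), "bots": set(), "bytes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:          # skip malformed or blank lines
            continue
        _ts, client, _method, url, _status, sent = parts
        m = BOT_API_RE.match(url)
        if m is None:
            continue
        entry = per_client[client]
        entry["methods"].add(m.group("method"))
        entry["bots"].add(redact_token(m.group("token")))
        if m.group("method") in UPLOAD_METHODS:
            entry["bytes"] += int(sent)
    findings = []
    for client, e in sorted(per_client.items()):
        findings.append({"client": client, "upload_bytes": e["bytes"],
                         "severity": "high" if e["bytes"] > upload_threshold else "medium",
                         "methods": sorted(e["methods"]), "bots": sorted(e["bots"])})
    return findings
```

On the sample data the host that called sendDocument with 1.8 MB of upload is rated high and the small sendMessage caller medium; in practice any endpoint that talks to the Bot API at all deserves a look, since ordinary users do not generate that traffic.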
The emergence of MioLab MacOS highlights the evolving landscape of macOS malware, with attackers increasingly focusing on sophisticated infostealers that operate under a Malware-as-a-Service model. The continuous development and adaptation of such tools pose an ongoing challenge for cybersecurity defenses, emphasizing the need for vigilance and robust security practices among macOS users, particularly those handling sensitive financial data.