A tech news platform built on Next.js, carrying global tech news and discussion.
© 2025 科技回声. All rights reserved.

New macOS malware steals info, including a user's entire Keychain database

188 points, posted by WallyFunk about 2 years ago

10 comments

Someone, about 2 years ago
This malware gets onto systems 100% through social engineering. It lures users to download the software, run it, ignore the OS warning that the code isn't signed, and then enter their password.

So, what should Apple do in response to such malware? Make it impossible for user code to read the entire keychain, even when running as admin? Containerize macOS more, making it impossible for user programs to access files written by other programs, the way things work on iOS? Ignore it because, at some point, security becomes the user's responsibility?

If tools like these get popular, I can see them getting blamed whatever they do or don't do.
hjuutilainen, about 2 years ago
> MacStealer being an unsigned DMG file is also a barrier for anyone, especially beginners, attempting to run the program on a modern Mac, said Malwarebytes' Reed. "Its attempt at phishing for login passwords is not very convincing and would probably only fool a novice user. But such a user is exactly the type who would have trouble opening it."

Given the above and the default macOS security configuration, you really have to work your way to get this malware running.
sunshinerag, about 2 years ago
Looks like an ad for Malwarebytes. Genuine question: how do we know they are NOT in the business of writing the malware themselves?
mk89, about 2 years ago
I am surprised that this is NEW. I mean, has nobody ever created a stupid program asking the user for the system password and tried to collect sensitive data based on it?

OS X Ventura has several guards already against it:

- prevent execution of software not downloaded from the App Store and not from an identified developer (not digitally signed, basically). You as a user have to explicitly go to your security settings and enable the app, and then reopen it.

- ask explicitly for permissions to give to an app (e.g., X is asking to access the Downloads folder, ...). Maybe in the case of Keychain this is not done, which could be something to improve... but even then, if the user wants, there will be a "click".
provenance, about 2 years ago
Is the Keychain DB (SQLite) stolen in encrypted form? As I understand it, the Keychain DB is stored on the file system, but the DB's key is held in the Secure Enclave.
pindab0ter, about 2 years ago
Why is it specified (twice!) that the keychain is extracted in its base64-encoded form?

That seems like an insignificant technical detail to mention, or am I missing something?
can16358p, about 2 years ago
So I need to double-click an unsigned DMG downloaded most likely from an unreputable source, bypass any security warnings, and then I'm vulnerable.

I wonder how many people got infected in the wild. Also, it's only a matter of time before Telegram removes the channel that is used for C&C, making the malware virtually ineffective.
snehk, about 2 years ago
This might be a good place to ask: I have Malwarebytes installed but aside from that nothing really. What's the recommended software stack to stay as protected as possible?
112233, about 2 years ago
Does VirusTotal flag these DMGs?

I cannot be the only one basing my decision to run a random blob from the internet on VirusTotal output?
phendrenad2, about 2 years ago
Crypto is incentivizing a lot of new malware. We're getting to see how macOS fares when faced with real targeted attacks. I feel that in the end, everyone will have to copy the Windows security model, which has had to deal with these attacks for decades.