NovaStealer - Apple Intelligence is leaving a plist.. it is legit, right?
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
A cryptostealer for macOS uses a bash-based script to establish persistence and run its malicious modules. The malware installs itself in the hidden ~/.mdrivers directory, runs its components inside detached screen sessions so they stay in the background, and relies on a LaunchAgent for persistence across logins. It exfiltrates crypto wallet data, collects system information, and replaces legitimate wallet applications with malicious versions. The threat actor also renders phishing pages with WebKit and tracks user behaviour on those pages. The code is not highly sophisticated, but its modular design and the ability to update components remotely make it a noteworthy threat.
OPENCTI LABELS :
cryptostealer,persistence,modular,bash,phishing,macos,novastealer,wallet-targeting
AI COMMENTARY :
1. Introduction to NovaStealer: Apple Intelligence is leaving a plist.. it is legit, right? NovaStealer targets macOS users with a bash-based script that quietly installs itself into the hidden ~/.mdrivers directory. Persistence is a LaunchAgent plist which, going by the report's title, is dressed up to pass for an Apple Intelligence component, so that a user who notices it assumes the system put it there and leaves it alone. The approach is rudimentary, but the stealer does enough damage to warrant close attention.
2. Infection and Persistence Mechanisms Upon execution, the bash script creates a hidden directory under the user's home path and launches its modules inside detached screen sessions, so they keep running in the background with no visible terminal. A LaunchAgent plist (for an unprivileged install, under ~/Library/LaunchAgents) reloads the script at every login, so the implant survives reboots and logouts. Neither mechanism is hard to undo once found, but a reboot alone does not clear it: the agent has to be unloaded and the hidden directory deleted, and until someone specifically looks for them the operator keeps a long-term foothold on the compromised Mac.
3. Data Theft and Wallet Targeting NovaStealer's primary objective is crypto wallet theft. Once active, it scans for the data files of popular wallets and sends them to a remote server; such files typically hold private keys or seed phrases, so taking the files is taking the funds. In addition to direct theft, it replaces legitimate wallet applications with malicious versions, so whatever the user types into the wallet from then on can be captured. System information, including hardware identifiers and network details, is collected alongside to enrich the attacker's profile of the victim.
4. Modular Architecture and Remote Updates The malware's modular design lets operators pull additional components on demand instead of shipping everything in the initial script. The commentary notes that modules are fetched with HTTP POST requests, so new capabilities can be deployed without re-infecting the host, and the on-disk script that a signature would match can change independently of the modules doing the actual work. This is what lifts NovaStealer above single-feature stealers: not sophistication, but the ability to update in place, which also blunts static detection signatures.
5. Phishing Techniques and User Manipulation In a clever twist, NovaStealer renders its phishing pages locally with WebKit rather than opening a browser. The prompt therefore appears as a native application window and carries none of the cues (address bar, certificate indicator) a wary user might check before entering credentials. Combined with the behaviour tracking the report describes, the operator can see how users react to a page and tune it, blending social engineering with the stealer to raise the rate of successful credential harvests.
6. Implications for macOS Security and Mitigation Organizations and individual users should treat unfamiliar LaunchAgent plists with suspicion: audit ~/Library/LaunchAgents and /Library/LaunchAgents for entries they did not install (launchctl list shows what is currently loaded), look for the hidden ~/.mdrivers directory, and check screen -ls for detached sessions they did not start. Endpoint detection rules that flag script-based persistence (a shell interpreter started by launchd from a hidden path in a home directory) and the outbound connections of known stealers will catch variants whose paths change. Educating users to distrust unexpected credential prompts, and application control policies that block a replaced wallet binary from running, further reduce the threat surface posed by this macOS malware.
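The checks from sections 2 and 6 collected into one script, as an added example that is not part of the report and not NovaStealer's own code. It looks for the hidden ~/.mdrivers directory, greps LaunchAgent plists for program arguments that point into that directory or spawn screen, and counts live screen sessions. The fixture home directory it builds (label com.example.suspect, path /Users/victim/.mdrivers/launcher.sh) is constructed for the demonstration and is not an indicator from the report.

```shell
#!/bin/sh
# Added audit helper, not code from the report or the malware: checks a user
# profile for the persistence pattern described above -- a hidden ~/.mdrivers
# directory and a LaunchAgent plist whose program arguments point into it or
# launch a detached screen session. Paths are parameters so it can be pointed
# at a mounted image or a fixture as well as the live home directory.
set -u

# Substrings a legitimate Apple LaunchAgent would not carry: the install path
# from the report and invocations of screen. Plain grep, no plutil required.
SUSPECT_PATTERNS='\.mdrivers|/usr/bin/screen|screen -[dDmS]'

# Print every plist under $1 whose contents match SUSPECT_PATTERNS.
find_suspicious_agents() {
    agents_dir="$1"
    [ -d "$agents_dir" ] || return 0
    grep -lE "$SUSPECT_PATTERNS" "$agents_dir"/*.plist 2>/dev/null || true
}

# Print the hidden install directory if it exists under home directory $1.
check_install_dir() {
    [ -d "$1/.mdrivers" ] || return 1
    echo "$1/.mdrivers"
}

# Number of live screen sessions for this user (0 when screen is not installed).
count_screen_sessions() {
    command -v screen >/dev/null 2>&1 || { echo 0; return 0; }
    screen -ls 2>/dev/null | grep -cE '^[[:space:]]+[0-9]+\.' || true
}

# Run all checks against home directory $1 and report. Always exits 0 so it
# can be dropped into a scheduled job without set -e tripping on a clean host.
audit_home() {
    home_dir="$1"
    findings=0
    if d=$(check_install_dir "$home_dir"); then
        echo "[!] hidden install directory present: $d"
        findings=$((findings + 1))
    fi
    for p in $(find_suspicious_agents "$home_dir/Library/LaunchAgents"); do
        echo "[!] LaunchAgent references the stealer's paths: $p"
        findings=$((findings + 1))
    done
    echo "[i] screen sessions for this user: $(count_screen_sessions)"
    echo "[i] findings: $findings"
    return 0
}

# Constructed fixture (assumed, not a real sample): a fake home directory with
# the reported layout plus one benign agent, so the script shows a hit offline.
build_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/.mdrivers" "$fx/Library/LaunchAgents"
    cat > "$fx/Library/LaunchAgents/com.example.suspect.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.suspect</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string>
    <string>/Users/victim/.mdrivers/launcher.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    cat > "$fx/Library/LaunchAgents/com.example.clean.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.clean</string>
  <key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
</dict></plist>
EOF
    echo "$fx"
}

fixture=$(build_fixture)
echo "== constructed fixture ($fixture) =="
audit_home "$fixture"
rm -rf "$fixture"
echo "== live profile (${HOME:-/nonexistent}) =="
audit_home "${HOME:-/nonexistent}"
```

The grep-based match is deliberately loose: a legitimate agent that happens to run screen will be flagged, and a variant that renames ~/.mdrivers will not, so treat a hit as a prompt to open the plist and read its ProgramArguments, and extend SUSPECT_PATTERNS with paths from your own telemetry. On a live Mac, launchctl list and screen -ls give the loaded-agent and session views that the filesystem checks cannot.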