A new macOS stealer bypasses Telegram logins and targets crypto wallets with stolen credentials and fake apps, SlowMist alarms.
A newly analyzed macOS infostealing malware can hijack Telegram accounts without cracking passwords while simultaneously targeting crypto wallets through separate attack paths, blockchain security firm SlowMist warned in a recent Medium report.
According to SlowMist, the malware steals authenticated Telegram Desktop sessions, browser data, macOS Keychain credentials, as well as Apple Notes.
It also targets at least 16 desktop crypto wallets, including Ledger Live, Trezor Suite, Exodus, Atomic Wallet, Electrum and Sparrow.
Read also: Ledger Is the ‘Worst’ Hardware Crypto Wallet, ZachXBT Says
Rather than focusing on a single objective, the malware combines multiple data points into what researchers described as a “complete account takeover chain.”
The firm said attackers can restore stolen Telegram session files on another Mac and immediately access the victim’s account.
The malware also copies encrypted wallet databases before attempting to decrypt them offline using passwords gathered from the victim’s macOS Keychain, browser password managers, Apple Notes and fake password prompts.
Malware Targets Crypto Wallet Databases and Recovery Phrases
For instance, researchers successfully reproduced the attack against Atomic Wallet by matching a stolen wallet database with one of the collected passwords.
For Ledger and Trezor users, the malware deploys an additional phishing technique. As SlowMist explained, the malware removes legitimate crypto wallet apps and replaces them with fake desktop ones that are little more than embedded web pages masquerading as official wallet software:
“A WKWebView can be understood as a web browser embedded inside a desktop application. It allows a remote web page to completely replace the application’s interface without appearing as a browser tab.”
SlowMist urged anyone suspecting infection to immediately revoke Telegram sessions, rotate passwords and migrate crypto funds to wallets generated from new recovery phrases.
They also added that simply changing a wallet password won’t protect funds once a recovery phrase or private key has been exposed.
Read more: Android Banking Malware Uses TON Blockchain to Hide From Takedowns
