Mosyle uncovers new cross-platform malware undetected by antivirus tools - 9to5Mac
Briefly

"According to Mosyle's analysis, ModStealer is being delivered to victims through malicious job recruiter ads targeting developers. It uses a heavily obfuscated JavaScript file written with NodeJS that remains completely undetectable by signature-based defenses. And this one isn't just targeting Mac users either; Windows and Linux environments are also at risk. The malware's main goal is data exfiltration, with a particular focus on cryptocurrency wallets, credential files, configuration details, and certificates."
"On macOS, the malware achieves persistence or a long-term undetectable presence on a victim's Mac by abusing Apple's own launchctl tool, embedding itself as a LaunchAgent. From there, it quietly monitors activity and exfiltrates sensitive information to a remote server. Mosyle researchers say the server hosting the stolen data appears to be in Finland but is tied to infrastructure in Germany, likely to mask the operators' real location."
"The firm's researchers also discovered that ModStealer is capable of clipboard capture, screen capture, and remote code execution. The first two are bad, but the latter can give attackers nearly complete control over infected devices. Mosyle found pre-loaded code targeting 56 different browser wallet extensions, including Safari, designed to extract private keys and sensitive account info."
ModStealer is a cross-platform infostealer delivered via malicious job recruiter ads aimed at developers. The payload is a heavily obfuscated NodeJS JavaScript file designed to evade signature-based detection across macOS, Windows, and Linux. The malware focuses on data exfiltration, specifically cryptocurrency wallets, credential files, configuration details, and certificates, and includes pre-loaded code targeting 56 browser wallet extensions including Safari. Capabilities include clipboard capture, screen capture, and remote code execution. On macOS it achieves persistence by abusing launchctl to install a LaunchAgent. Stolen data is sent to a server reportedly in Finland tied to German infrastructure to obscure operator location.
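The macOS persistence described above (a LaunchAgent that launches a NodeJS script at login) is something an administrator can hunt for by reading the plists in a user's LaunchAgents folder. The following triage script is an added example, not code from Mosyle or 9to5Mac: it parses each plist with the standard library, flags entries that invoke a script runtime, point at a hidden or temp path, or combine RunAtLoad with KeepAlive, and is exercised against two constructed sample plists (the labels, paths and heuristics are assumptions, not indicators from the report).

```python
import plistlib
from pathlib import Path

# Interpreters a LaunchAgent rarely needs to call directly; the article names NodeJS, so "node" is the key one.
SCRIPT_RUNTIMES = {"node", "nodejs", "osascript", "python3", "bash", "sh", "zsh"}
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

def triage_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return reasons a LaunchAgent plist looks like script-based persistence;
    an empty list means the heuristics found nothing."""
    agent = plistlib.loads(plist_bytes)
    args = agent.get("ProgramArguments") or ([agent["Program"]] if "Program" in agent else [])
    if not args:
        return []
    reasons, runtime = [], Path(args[0]).name
    if runtime in SCRIPT_RUNTIMES:
        reasons.append(f"invokes script runtime {runtime!r}")
    for arg in args[1:]:
        if runtime in ("node", "nodejs") and arg.endswith(".js"):
            reasons.append(f"executes JavaScript file {arg!r}")
        if "/." in arg or arg.startswith(TEMP_PREFIXES):
            reasons.append(f"payload in hidden or temp location {arg!r}")
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive: restarts at login and if killed")
    return reasons

def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Triage every .plist in `directory` and return only the flagged ones."""
    findings = {}
    for plist in sorted(directory.glob("*.plist")):
        if reasons := triage_launch_agent(plist.read_bytes()):
            findings[plist.name] = reasons
    return findings

# Constructed samples (not real ModStealer artifacts); SUSPICIOUS mimics node running a hidden .js at login.
SUSPICIOUS = plistlib.dumps({
    "Label": "com.example.sync", "RunAtLoad": True, "KeepAlive": True,
    "ProgramArguments": ["/usr/local/bin/node", "/Users/dev/Library/.cache/index.js"],
})
BENIGN = plistlib.dumps({
    "Label": "com.vendor.helper", "RunAtLoad": True,
    "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/helper"],
})

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage_launch_agent(blob) or "clean")
    user_agents = Path.home() / "Library" / "LaunchAgents"
    if user_agents.is_dir():           # only meaningful on a Mac
        print(scan_launch_agents(user_agents))
```

The heuristics are a triage aid, not a verdict: a legitimate developer tool can also run node from a LaunchAgent, so each hit still needs the referenced script inspected.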