Script Editor Hijack: Stealthy macOS Malware Targets Crypto Wallets & Sensitive Data

A Stealthy New Menace for macOS Users

Security researchers have uncovered a sophisticated new malware strain specifically designed to attack Apple's macOS operating system. Unlike conventional threats, this malware exhibits a cunning method of operation by co-opting a built-in, often-overlooked system utility to bypass security measures.

The Infection Chain: From Deception to Privilege Escalation

Analysis indicates that the malware primarily propagates through fraudulent download pages mimicking popular applications such as messaging and collaboration tools. Once a user downloads the disguised payload, the attack sequence begins.

The core attack mechanism involves several critical stages:

• Script Editor Exploitation: The malware uses a specific URL scheme to automatically launch macOS's built-in Script Editor application. It hides malicious AppleScript code behind large blocks of ASCII art and meaningless whitespace characters, making it difficult to visually identify the threat.
• Fake Security Dialog: After the user is prompted to click the "Run" button within Script Editor, a meticulously forged pop-up window, designed to resemble an official Apple security update alert, appears. This dialog tricks the victim into entering their administrator password.
• Privilege Acquisition: Upon password entry, the malware gains elevated system privileges, unlocking the potential for significant harm.

Multifaceted Data Theft: Assets and Privacy at Risk

With high-level access secured, the malware engages in a multi-pronged data harvesting operation, focusing on digital assets and personal information.

• Targeting Crypto Wallets: It actively scans for and targets several widely-used desktop cryptocurrency wallet applications. The malware attempts to modify internal configuration files or scripts within these wallets, aiming to intercept and redirect future transactions to addresses controlled by the attackers.
• Stealing Browser Credentials: The program extracts saved login usernames and passwords from major web browsers including Chrome, Firefox, and Edge.
• Harvesting Sensitive Files: It combs through the user's Desktop and Documents folders, searching for and exfiltrating sensitive documents such as .docx, .pdf, and files with extensions like ".wallet".

Persistence Mechanism: Disguised as a System Update

To maintain long-term access on compromised machines, the malware installs a backdoor. This backdoor is disguised within a directory associated with Google software updates, masquerading as a legitimate system component to evade detection and ensure continued remote access.

Protective Measures and Recommendations

To guard against such advanced threats, users are advised to adopt vigilant security practices:

• Always download software from official websites or trusted app stores, and treat non-official download links with extreme suspicion.
• Exercise extreme caution when confronted with unexpected pop-up windows requesting passwords for "updates" or "verification." Verify the legitimacy of the request before entering any credentials.
• If a website automatically opens the Script Editor application and prompts you to run code, close the page immediately, as this is a strong indicator of a malicious attack.
• Keep your operating system and security software updated regularly, and use strong, unique passwords for critical accounts.