Cybersecurity researchers have identified a new infostealer malware that has been designed to target cryptocurrency wallets and extract private keys and other sensitive information on Windows, Linux, and macOS, all the while remaining undetected by major antivirus engines.
Summary
- ModStealer targets browser-based crypto wallets.
- The malware was found to be operational across Windows, Linux, and macOS.
- Bad actors delivered the malware via fake job recruiter ads.
The malware, known as ModStealer, was identified by Mosyle, a security platform specializing in Apple device management, after it evaded detection for weeks across major antivirus engines.
“The malware has remained invisible to all major antivirus engines since first appearing on VirusTotal nearly a month ago,” Mosyle noted in a report shared with 9to5Mac.
Although Mosyle typically focuses on Mac-based security threats, it has warned that ModStealer has been designed in a way that it can infiltrate Windows and Linux-powered systems as well.
There were also signs that it may have been offered as Malware-as-a-Service, allowing cybercriminals with minimal technical expertise to deploy it across multiple platforms using ready-made malicious code.
Malware-as-a-Service is an underground business model where malicious developers sell or lease malware kits to affiliates in exchange for a commission or subscription fee.
How does ModStealer target crypto users?
Mosyle’s analysis found that ModStealer was being deployed using malicious job recruiter ads that primarily target developers.
The malware is hard to detect because it is built as “a heavily obfuscated JavaScript file” that runs inside a Node.js environment, so signature-based scanners have little static structure to match on.
As Node.js environments are widely used by developers and often granted elevated permissions during software testing and deployment, they present an attractive entry point for attackers.
Developers are also more likely to handle sensitive credentials, access keys, and crypto wallets as part of their workflow, making them high-value targets.
As an infostealer, once ModStealer has been delivered to a victim’s system, its main goal is data exfiltration. The malware was found to be preloaded with malicious code that allows it to target at least “56 different browser wallet extensions, including Safari,” to steal crypto private keys, the report warned.
Among other capabilities, ModStealer can retrieve data from clipboards, capture a victim’s screen, and remotely execute malicious code on the target system, which Mosyle warned can give bad actors “nearly complete control over infected devices.”
“What makes this discovery so alarming is the stealth with which ModStealer operates. Undetectable malware is a huge problem for signature-based detection since it can quietly go unnoticed without being flagged,” it added.
On macOS, ModStealer establishes persistence through the system’s launchctl tool, a built-in utility for managing launchd background services, which lets the malware pose as a legitimate service and run automatically every time the device starts.
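The persistence technique described above leaves a launchd property list behind, which is something a defender can audit. The following is an added detection example, not code from Mosyle’s report or from the malware itself: it parses launchd plists and flags entries that start a Node.js interpreter or pass a JavaScript file as an argument, with extra weight for RunAtLoad, KeepAlive and user-writable program paths. The service label, paths and plist contents in the samples are constructed for the demonstration and are not ModStealer indicators, which the page does not publish.

```python
"""Flag launchd persistence entries that launch Node.js or JavaScript payloads.

Added detection example; it is not Mosyle's code and not a ModStealer artifact.
It assumes only what the report states: a launchctl-managed service that runs a
Node.js-based payload at startup. Real labels and paths are not on the page, so
the samples below are constructed.
"""
import plistlib
from pathlib import Path

# Standard macOS locations launchd reads agents and daemons from.
LAUNCHD_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

# Executable names that indicate a Node.js runtime is being launched.
NODE_BINARIES = {"node", "nodejs"}

# Locations any local user can write to; legitimate daemons rarely live here.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/",
                          "/var/folders/", "/private/var/folders/")


def analyze_plist(data: bytes) -> dict:
    """Parse one launchd plist and list the reasons it looks like JS persistence."""
    plist = plistlib.loads(data)
    args = list(plist.get("ProgramArguments", []))
    if not args and "Program" in plist:
        args = [plist["Program"]]
    program = args[0] if args else ""
    reasons = []
    if Path(program).name in NODE_BINARIES:
        reasons.append("program is a Node.js interpreter")
    if any(a.endswith((".js", ".mjs", ".cjs")) for a in args):
        reasons.append("a JavaScript file is passed as an argument")
    if reasons:
        # These keys are common in benign agents, so they only add weight
        # once a JavaScript indicator is already present.
        if plist.get("RunAtLoad"):
            reasons.append("RunAtLoad starts it at login/boot")
        if plist.get("KeepAlive"):
            reasons.append("KeepAlive restarts it if it exits")
        if program.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("program lives in a user-writable location")
    return {
        "label": plist.get("Label", "<no label>"),
        "program_arguments": args,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_directories(dirs=LAUNCHD_DIRS) -> list:
    """Analyze every .plist under the given directories; unreadable files are skipped."""
    findings = []
    for directory in dirs:
        if not directory.is_dir():
            continue
        for path in sorted(directory.glob("*.plist")):
            try:
                result = analyze_plist(path.read_bytes())
            except (OSError, plistlib.InvalidFileException, ValueError):
                continue
            result["path"] = str(path)
            findings.append(result)
    return findings


# Constructed sample plists for an offline run (not real malware artifacts).
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sysupdate</string>
  <key>ProgramArguments</key><array>
    <string>/Users/dev/Library/Application Support/.cache/node</string>
    <string>/Users/dev/Library/Application Support/.cache/main.js</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.helper</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Vendor.app/Contents/MacOS/helper</string>
    <string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, analyze_plist(sample))
    # On a real Mac this walks the launchd directories and prints only the hits.
    for hit in scan_directories():
        if hit["suspicious"]:
            print(hit["path"], hit["label"], "; ".join(hit["reasons"]))
```

The heuristic is deliberately narrow: it catches the specific pattern the report describes (a launchd service running a Node.js payload) and will not see persistence achieved by other means, so it complements rather than replaces the behavior-based monitoring Mosyle recommends.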
Mosyle also found that data extracted from victim systems is forwarded to a remote server based in Finland, which is linked to infrastructure in Germany, likely as a way to obscure the true location of the operators.
The security firm urged developers to avoid relying solely on signature-based protections.
“[..] Signature-based protections alone are not enough. Continuous monitoring, behavior-based defenses, and awareness of emerging threats are essential to stay ahead of adversaries.”
New threats targeting Mac and Windows crypto users
As crypto adoption rises worldwide, threat actors have increasingly focused on devising complex attack vectors to siphon digital assets. ModStealer is far from the only threat making headlines.
Earlier this month, researchers at ReversingLabs raised the alarm about an open-source malware embedded within Ethereum smart contracts that could deploy malicious payloads targeting crypto users.