MonetaStealer

MonetaStealer is a macOS-focused information stealer that harvests browser data, cryptocurrency wallet credentials, keychain items, Wi-Fi passwords, and other sensitive information using multiple built-in modules.

Symptoms

You might observe the following artifacts associated with this threat:

  • Excessive execution of macOS security and networking commands (such as security find-generic-password and networksetup -listpreferredwirelessnetworks en0).
  • Unexpected staging of a stolen data archive named like STOLEN{sessionID}.zip on the user’s Desktop.
  • Unusual outbound traffic to external infrastructure (for example Telegram bot APIs) potentially indicating exfiltration attempts.
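
The three symptoms above combine naturally into one detection: a burst of keychain and network-enumeration commands from a single parent process, a STOLEN*.zip written to a Desktop, and an outbound connection to the Telegram bot API. The following Python is an added example of that logic and is not Iru's detection content or code from the stealer itself. The telemetry format (one JSON object per line with "event", "pid", and "cmd"/"path"/"host" fields), the sample log lines, the session ID in the archive name and the burst threshold are all constructed for the example and do not correspond to any real EDR schema.

```python
"""Detection logic for the MonetaStealer symptoms listed above.

Added example for this page; not Iru's detection content or the
stealer's own code. The telemetry format is a hypothetical schema
constructed for the example: one JSON object per line, with "event"
being "exec" (a process launch; "pid" is the launching parent),
"file" (file creation) or "net" (outbound connection).
"""
import json
import re
from collections import defaultdict

# Indicators taken from the Symptoms list.
SUSPICIOUS_COMMANDS = {
    "keychain_lookup": re.compile(r"\bsecurity\s+find-generic-password\b"),
    "keychain_dump": re.compile(r"\bsecurity\s+dump-keychain\b"),
    "wifi_enum": re.compile(r"\bnetworksetup\s+-listpreferredwirelessnetworks\b"),
}
STAGED_ARCHIVE = re.compile(r"^/Users/[^/]+/Desktop/STOLEN[^/]*\.zip$")
EXFIL_HOSTS = {"api.telegram.org"}
# A single keychain lookup is routine (many legitimate apps do it); a burst
# from one parent process is the "excessive execution" symptom. The
# threshold is an assumption for the example, not a vendor value.
COMMAND_BURST = 5

# Constructed sample telemetry: pid 4242 behaves like the stealer, pid 301
# is a normal user session, pid 555 is a lone connection to Telegram.
SAMPLE_LOG = "\n".join([
    '{"event":"exec","pid":4242,"cmd":"security find-generic-password -wa Chrome"}',
    '{"event":"exec","pid":4242,"cmd":"networksetup -listpreferredwirelessnetworks en0"}',
    '{"event":"exec","pid":4242,"cmd":"security find-generic-password -wa HomeNet"}',
    '{"event":"exec","pid":4242,"cmd":"security find-generic-password -wa OfficeWiFi"}',
    '{"event":"exec","pid":4242,"cmd":"security find-generic-password -wa CafeGuest"}',
    '{"event":"exec","pid":4242,"cmd":"security find-generic-password -wa Exodus"}',
    '{"event":"file","pid":4242,"path":"/Users/alice/Desktop/STOLEN7f3a9c.zip"}',
    '{"event":"net","pid":4242,"host":"api.telegram.org","port":443}',
    '{"event":"exec","pid":301,"cmd":"security find-generic-password -wa AppleID"}',
    '{"event":"file","pid":301,"path":"/Users/alice/Desktop/report.zip"}',
    '{"event":"net","pid":555,"host":"api.telegram.org","port":443}',
])


def parse(log_text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def analyze(log_text):
    """Return {pid: {indicator: detail}} for every pid with at least one indicator."""
    findings = defaultdict(dict)
    cmd_hits = defaultdict(list)  # pid -> names of suspicious commands it spawned
    for ev in parse(log_text):
        pid = ev["pid"]
        if ev["event"] == "exec":
            for name, pattern in SUSPICIOUS_COMMANDS.items():
                if pattern.search(ev["cmd"]):
                    cmd_hits[pid].append(name)
        elif ev["event"] == "file" and STAGED_ARCHIVE.match(ev["path"]):
            findings[pid]["staged_archive"] = ev["path"]
        elif ev["event"] == "net" and ev["host"] in EXFIL_HOSTS:
            findings[pid]["exfil_host"] = ev["host"]
    # Only a burst counts; a lone lookup never reaches the findings at all.
    for pid, names in cmd_hits.items():
        if len(names) >= COMMAND_BURST:
            findings[pid]["command_burst"] = len(names)
    return dict(findings)


def verdicts(log_text):
    """Flag a pid only when two or more independent indicators coincide,
    so a single Telegram connection or one archive on the Desktop does not
    page anyone on its own."""
    return {pid: sorted(f) for pid, f in analyze(log_text).items() if len(f) >= 2}


if __name__ == "__main__":
    print(json.dumps(verdicts(SAMPLE_LOG), indent=2))
```

Requiring two indicators is the point of the example: each symptom alone has benign explanations (password managers call security, Telegram clients talk to api.telegram.org), but the combination from one process tree is hard to explain away. On the sample log only pid 4242 is flagged; pid 555's lone Telegram connection is recorded by analyze() but never becomes a verdict.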

Technical Breakdown

MonetaStealer is a lightweight macOS-oriented information stealer written in Python and packaged into a Mach-O binary with PyInstaller. Researchers found that the bulk of its malicious logic lives in a compressed Python archive that is only extracted at runtime, so static scanners that inspect just the outer Mach-O container see little of it. The file is also deliberately disguised as a Windows .exe, exploiting users' default assumptions about what the file is and evading naive checks that judge it by its name rather than its format.

Upon execution, MonetaStealer first confirms it is running on macOS before launching its stealer modules. It targets several classes of sensitive data:

  • Browser data: Extracts Chrome passwords, cookies, and browsing history from the browser's SQLite databases. Because saved passwords and cookies are encrypted at rest, it uses the native security utility (security find-generic-password) to pull the Chrome Safe Storage item from the login keychain, which holds the key material needed to decrypt them.
  • Cryptocurrency wallets: Recursively scans common user directories for known wallet files and attempts to extract seed phrases or private keys using regular expression patterns.
  • Wi-Fi credentials: Enumerates the preferred wireless networks (networksetup -listpreferredwirelessnetworks) and then queries the keychain with the native security utility for the stored password of each SSID.
  • Keychain contents: Dumps the keychain and filters the enumerated items by keyword to pick out financial or otherwise sensitive entries.
  • Financial documents: Examines local documents with common financial keywords and patterns, although this module shows limited effectiveness.
  • SSH private keys and clipboard data: Parses the user’s local .ssh directory to capture private key files and reads the system clipboard buffer to collect arbitrary text potentially containing sensitive information.

Stolen data is staged into a zip archive named like STOLEN{sessionID}.zip on the user's Desktop. The malware then attempts to exfiltrate the archive to an attacker-controlled Telegram bot API endpoint, but researchers have not observed a successful upload of the final archive in the analyzed samples.

Iru researchers have published a technical deep-dive into MonetaStealer.

Next Steps

Iru Endpoint Detection & Response (EDR) can detect anomalous execution behaviors and unauthorized use of scripting and keychain access when file monitoring and behavioral protections are enabled.

If MonetaStealer is suspected on a device, remove any associated binaries and payload files immediately, delete any staged STOLEN*.zip archive from the Desktop, and review command history for the security and networksetup invocations described above. Rotate browser-stored and cloud credentials, reset passwords for financial accounts, revoke and reissue any SSH keys that were stored in the user's .ssh directory, and treat any cryptocurrency wallet whose seed phrase or key files were on the device as compromised.

In the future, avoid downloading and executing software from unverified sources or social engineering channels, and obtain macOS applications only from trusted official sources. Because this stealer leverages native utilities such as security find-generic-password, which can trigger a keychain access prompt, users should treat unexpected keychain or password prompts as suspicious and deny them rather than enter their login password.