ModStealer cross-platform malware undetected by AV tools targeting developers
9 hours ago
- #cybersecurity
- #infostealer
- #malware
- Mosyle discovered a new infostealer malware called ModStealer, which has been undetectable by major antivirus engines for nearly a month.
- ModStealer is cross-platform, targeting macOS, Windows, and Linux systems, and is delivered via malicious job recruiter ads aimed at developers.
- The malware is a heavily obfuscated JavaScript file that runs under NodeJS, which lets it evade signature-based defenses.
- ModStealer focuses on stealing data, including cryptocurrency wallets, credentials, configuration details, and certificates, targeting 56 browser wallet extensions.
- It also has capabilities for clipboard capture, screen capture, and remote code execution, giving attackers significant control over infected devices.
- The malware achieves persistence on macOS by abusing Apple's launchctl tool, registering itself as a LaunchAgent.
- ModStealer exfiltrates data to a remote server, likely hosted in Finland but tied to infrastructure in Germany.
- Mosyle suggests ModStealer fits the Malware-as-a-Service (MaaS) model, where developers sell malware to affiliates with minimal technical skills.
- Infostealers like ModStealer are on the rise, with Jamf reporting a 28% increase earlier this year.
- Mosyle warns that signature-based protections are insufficient, emphasizing the need for continuous monitoring and behavior-based defenses.
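As an added defensive example (not code from the article or from Mosyle), the following Python audits per-user LaunchAgent plists for the persistence pattern described above: a NodeJS interpreter or a .js script registered to run at login, especially from a hidden or temporary path. The two plists are constructed samples, and the interpreter names and path heuristics are assumptions of this example, not indicators from the report.

```python
import plistlib
from pathlib import Path

# Constructed sample LaunchAgent plists (not from the ModStealer report): an ordinary
# vendor updater and one shaped like a NodeJS script registered for persistence.
SAMPLE_PLISTS = {
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array>
<string>/Applications/Example.app/Contents/MacOS/updater</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.sample.sysupdate.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.sample.sysupdate</string>
<key>ProgramArguments</key><array>
<string>/usr/local/bin/node</string>
<string>/Users/dev/.cache/.sysupdate/index.js</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>""",
}

JS_INTERPRETERS = {"node", "nodejs"}                    # hypothetical watch-list
TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/")  # assumed "staging" locations

def analyze_plist(data: bytes) -> dict:
    """Parse one LaunchAgent plist and return its label, arguments and flagged reasons."""
    plist = plistlib.loads(data)
    args = list(plist.get("ProgramArguments") or ([plist["Program"]] if plist.get("Program") else []))
    reasons = []
    if args and (Path(args[0]).name in JS_INTERPRETERS
                 or any(a.endswith((".js", ".mjs", ".cjs")) for a in args)):
        reasons.append("launches a JavaScript runtime or script")
    if any("/." in a or a.startswith(TEMP_PREFIXES) for a in args):
        reasons.append("runs from a hidden or temporary path")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (relaunched if killed)")
    return {"label": plist.get("Label"), "args": args, "reasons": reasons}

def scan(plists: dict) -> dict:
    """Return only the entries (name -> analysis) that tripped at least one heuristic."""
    results = {name: analyze_plist(data) for name, data in plists.items()}
    return {name: r for name, r in results.items() if r["reasons"]}

def scan_launch_agents(directory=Path.home() / "Library" / "LaunchAgents") -> dict:
    """Apply the same heuristics to the real per-user LaunchAgents directory."""
    return scan({p.name: p.read_bytes() for p in Path(directory).glob("*.plist")})
```

Running `scan(SAMPLE_PLISTS)` flags only the constructed NodeJS entry; `scan_launch_agents()` applies the same checks to a live macOS user profile, and any hit should be reviewed against the ProgramArguments it reports rather than treated as a verdict.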