macOS Malware notnullOSX Steals Crypto Wallets Worth Over $10K via Fake Apps and Terminal Tricks
What Happened — A new macOS‑specific malware family dubbed notnullOSX has been observed being distributed through malicious “fake” applications and using Terminal command tricks to install backdoors. The payload harvests cryptocurrency wallet credentials and private keys, enabling theft of funds exceeding $10,000 per victim.
Why It Matters for TPRM —
- macOS endpoints are common in many third‑party vendor environments; compromise expands the attack surface beyond Windows‑only threats.
- Direct theft of crypto assets bypasses traditional data‑loss controls, creating immediate financial exposure for partners handling digital currency.
- The use of native Terminal commands can evade signature‑based detection, demanding more advanced behavioral monitoring.
Who Is Affected — Financial services (crypto exchanges, wallet providers), technology SaaS firms with macOS workforces, and any MSP/MSSP managing macOS devices for clients.
Recommended Actions —
- Enforce strict application whitelisting and code‑signing verification on all macOS endpoints.
- Deploy endpoint detection and response (EDR) capable of monitoring anomalous Terminal activity.
- Conduct user awareness training focused on fake app distribution channels and command‑line safety.
- Review third‑party contracts for macOS security controls and require regular compliance attestations.
Technical Notes — The attack vector combines social engineering (fake app distribution) with misuse of macOS Terminal utilities to drop a persistent backdoor. No specific CVE is cited; the malware appears to be a custom build. Stolen data includes wallet seed phrases, private keys, and potentially other credential files. Source: HackRead