Author | OneKey
 
Can MacOS Trojans steal private keys directly? ....I'm done.
 
It is often said in the cryptocurrency circle that Apple computers must be safer than Windows computers, but there is really no impenetrable wall in the world.
 
Recently, @im23pds, a member of the SlowMist Technology team, released a video that sparked heated discussion. The video showed that after a DMG format installation package was installed on an Apple computer, the hacker's server obtained various account permissions and wallet private key files in the computer within just ten seconds - it was a complete disaster.
 
This article will explain how the attack occurred and give you three important suggestions that you must know.
 
How did the attack happen?
 
(1) Skipping Apple’s official review
 
First of all, it is not difficult to guess that the starting point of this attack is what all hackers do when they are phishing: to deceive users into thinking that they are installing normal software, but in fact, it is a Trojan virus. The same is true for Windows.
 
In most cases, it is safe for users to install software from the Apple Store, because Apple will conduct a thorough review before listing it on the Apple Store, and the system access rights are strictly restricted, making it difficult for malicious users to do anything malicious.
 
However, many users are used to installing software outside the Apple Store, and directly ignore the system's "Unknown Program from Unofficial Store" prompt. Here, users directly install this unknown program.
 
(2) Obtained the administrator password of the Apple computer
 
This administrator password is your lock screen password and also the password to get your system permissions. Once the application gets this password, it can make system-level changes (such as modifying system configuration, accessing specific system folders, etc.).
 
You should know that the installation of most common applications should not require administrator privileges. However, this malicious program cunningly pops up a window to trick users into saying "Your unlock password is required for installation."
 
Newbies who lack MacOS security knowledge will fall into this trap. Once entered, malicious programs can do whatever they want and run wild.
 
(3) Fully automatic one-pot
 
The next step is what everyone knows, in a very short time, it scans and uploads sensitive files of users - Cookies saved by browsers, auto-fill information, password information, locally encrypted mnemonic private key files of extended wallets (such as Little Fox), and even passwords saved in your iCloud.
 
According to the explanation by @evilcos from the SlowMist Technology Team, the purpose of the entire attack is basically:
 
a. Decrypt the mnemonic private key file encrypted locally in the extended wallet and upload it.
Some passwords are locally available, and some are brute-force cracked by hackers after being uploaded, so some people's wallet assets are stolen after a few days. If the target wallet assets are too small, they will lurk and steal them one day when they are fattened up; someone said, if I use a complex password to protect the little fox, can this private key file be cracked without effort? But if your wallet is unlocked one day, hackers can also try to steal your private key in the background.
 
b. Obtain the account permissions saved by the Cookies browser. For example, X, trading platforms, etc., hackers will send malicious information or transfer tokens;
 
c. Telegram, Discord, etc. are hacked and hackers will send malicious messages.
 
How to prevent hackers from happening? Three important suggestions to control hackers.

(1) When using a computer with encrypted data, do not install unknown applications without paying attention to the risks.
 
First of all, you should be extremely careful when facing anyone who asks you to download and install an application. Nowadays, many people who pretend to be project owners and ask you to download and experience apps and games are basically Trojan scams.
Secondly, if you have bad usage habits, like to install various third-party software regardless of risks, and have no ability to identify Trojans or use virtual sandbox environments, then don’t use cryptocurrency on this computer. If you really can’t, you should also install an antivirus software.
Moreover, the third-party software may only be temporarily safe, which does not mean that the DMG installation package downloaded in the future updates will still be safe.
Finally, it is important to never provide the administrator password to unknown programs.
 
(2) Use a hardware wallet to isolate your private key!
 
It is very important to spread the risk. You want to make sure that you are not wiped out by hackers.
 
Therefore, only put a small amount of assets in a hot wallet such as Little Fox, and withdraw them whenever you need them. The risk of a hot wallet is that your private key is stored on this connected device from the generation, storage of encrypted files and signatures. If it is attacked by a malicious program and the [private key file] is obtained or controlled by a hacker, all assets will be lost.
 
Therefore, it is recommended to use one or more multi-signature hardware wallets to store most of your assets.
 
The mainstream hardware wallets on the market, such as OneKey (us), Ledger, Trezor, etc., have only one thing to do - to keep your private key from generation, storage to signing in offline and encrypted hardware, and only transmit necessary information when signing.
 
It is important to keep your private key on your computer without leaving any trace and to isolate it from the Internet to avoid the risk of hackers obtaining it.
 
(3) When using the web-based exchange, try not to save your login information
 
The protection of the exchange website is much worse than that of the mobile app, so remember to log out after use.
 
Many people choose to automatically save passwords and remember login information for convenience. However, saving login information can make it easy for an attacker to access your trading account if your device is compromised.
 
Most people have set up 2FA now, but there are still ways to get around it. In the past, a malicious Chrome plug-in got hold of Cookies and used a malicious buy-sell operation to transfer money to hackers by buying low and selling high.
 
The last one
 
The best defense is to always be vigilant. Prevention is better than cure.
 
Nowadays, phishing has become industrialized and automated, with clear division of labor and spoils. If the assets have been transferred and laundered by a professional hacker team, there is a high probability that they will not be recovered! It is best not to give hackers any opportunity to take advantage.