macOS System Tools Unwittingly Aid Data Theft: Purrglar Malware Analysis
The research team at Kandji has discovered a potentially malicious loader targeting macOS, which was uploaded to VirusTotal on January 10, 2025. This program, named Purrglar, is designed to capture files related to the Chrome browser and the Exodus cryptocurrency wallet. A key feature of the application is its use of the macOS Security Framework API to access the system Keychain.
Experts believe that the program is still in development, as it currently transmits data to a local host rather than a remote server. Nevertheless, the team’s research indicates that the loader could be used for data theft, making it a subject of heightened concern.
How Purrglar Operates
Purrglar collects system information, including the device’s serial number, using the system_profiler command. This data, along with a timestamp, is used to generate a URL for file transmission, which currently points to a local server. Targeted files include cookies, passwords, and account data from Chrome, as well as sensitive information from the Exodus cryptocurrency wallet.
When attempting to access the Keychain, the program triggers a system permission request using Apple-recommended methods. If the user approves the request, the application gains access to Chrome-related keys and transmits them, along with other data, to the server. If the request is denied, an error message appears, prompting the user to enter their password.
Files and Data at Risk
- Chrome cookies and login credentials
- Data from ~/Library/Application Support/Exodus/exodus.wallet
File transfers are performed via the Curl API using MIME objects, allowing data to be sent in multipart/form-data format. Each file is sent to the server using a unique URL based on the device’s serial number and timestamp.
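The behaviour chain described in the two sections above (system_profiler recon, reads of Chrome and Exodus files, a Keychain prompt, then a multipart/form-data POST) is what a defender can correlate on, regardless of where the upload goes. The following Python detector is an added illustration, not Kandji's tooling or the loader's own code: the event format and sample events are constructed, the Chrome profile paths are assumed from the standard profile layout, and only the Exodus path comes from the article.

```python
from collections import defaultdict
from fnmatch import fnmatch

# File patterns a Chrome/Exodus stealer reads. The Chrome profile layout is
# assumed; the Exodus path is the one named in the article.
SENSITIVE_PATTERNS = (
    "*/Library/Application Support/Google/Chrome/*/Cookies",
    "*/Library/Application Support/Google/Chrome/*/Login Data",
    "*/Library/Application Support/Exodus/exodus.wallet*",
)
REQUIRED = {"recon", "collect", "exfil"}  # all three must appear for an alert

def classify(ev):
    """Map one endpoint event to a behaviour stage, or None if uninteresting."""
    if ev["type"] == "exec" and ev["path"].endswith("/system_profiler"):
        return "recon"
    if ev["type"] == "file_open" and any(fnmatch(ev["path"], p) for p in SENSITIVE_PATTERNS):
        return "collect"
    if ev["type"] == "keychain_access":
        return "keychain"
    # Destination host is deliberately ignored: the sample posts to localhost
    # today, and a later build can change that without changing the pattern.
    if (ev["type"] == "http_request" and ev.get("method") == "POST"
            and ev.get("content_type", "").startswith("multipart/form-data")):
        return "exfil"
    return None

def detect(events):
    """Return {actor_pid: stages} for processes that show the full chain."""
    stages = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["actor_pid"]].add(stage)
    return {pid: s for pid, s in stages.items() if REQUIRED <= s}

# Constructed sample telemetry, not real logs. pid 4242 behaves like the loader;
# pid 300 is a crash reporter that runs system_profiler and uploads a multipart
# report but never touches browser or wallet files, so it must not alert.
SAMPLE_EVENTS = [
    {"actor_pid": 300, "type": "exec", "path": "/usr/sbin/system_profiler"},
    {"actor_pid": 300, "type": "http_request", "method": "POST", "content_type": "multipart/form-data"},
    {"actor_pid": 4242, "type": "exec", "path": "/usr/sbin/system_profiler"},
    {"actor_pid": 4242, "type": "file_open",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"actor_pid": 4242, "type": "file_open",
     "path": "/Users/alice/Library/Application Support/Exodus/exodus.wallet/seed.seco"},
    {"actor_pid": 4242, "type": "keychain_access"},
    {"actor_pid": 4242, "type": "http_request", "method": "POST", "content_type": "multipart/form-data"},
]
```

Running `detect(SAMPLE_EVENTS)` flags only pid 4242; the crash reporter shares two stages with the loader but never reaches the file-collection stage.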
Uncertain Intentions, Real Risks
At the time of analysis, researchers could not determine the developers’ ultimate intentions. While Purrglar may be an experimental project, its structure and behavior could be leveraged in future malware designed for data theft. Experts recommend staying vigilant and paying close attention to suspicious applications.