Moonlock, a relatively new cybersecurity arm of MacPaw, has discovered a new strain of macOS malware disguised as a legitimate Mac app. When exploited, it can unknowingly harvest cookies and contacts from Safari and Chrome, along with passwords from password managers installed on the computer. This malware is called “Empire Transfer.”
Security researchers at Moonlock found Empire Transfer while checking files uploaded to VirusTotal. VirusTotal is a website where people can upload files to check if they contain any viruses. Moonlock saw a file called “Empire Transfer” uploaded there in December. This file looked like a normal app at first and even used logos from a real music label called EMPIRE.
But Empire Transfer is actually a type of virus called an “info stealer.” Info stealers try to steal your private information like passwords, contacts, cookies (data websites save about you) without you knowing. The virus extracts this info and sends it to the bad guys who made it. It can steal passwords stored in your browsers and password managers. It can also take your contacts from your Contacts app and cookies from Safari and Chrome.
The file looks like a normal DMG disk image you use to install Mac apps. But hidden inside is malware code written in Python. This code runs over a dozen sneaky programs to steal your data. Scarier still, the virus has tricks to kill itself if it detects that it’s being run on a virtual machine like VirtualBox instead of a real Mac. This helps it avoid being caught and studied by security researchers.
Moonlock warns Empire Transfer keeps evolving like other viruses do. They suggest being very careful about what you install from outside the Mac App Store. Use strong, unique passwords, and enable two-factor authentication on your devices and accounts. Also, keep your Mac, software, and security protections up to date.
With more people using Macs, viruses targeting them will keep growing. But by staying informed on the latest threats and practicing good cyber safety habits, you can help protect yourself from the Empire Transfer virus and other harmful malware.
