A sophisticated macOS infostealer dubbed “Reaper” is actively exploiting Apple’s legitimate Script Editor application to harvest cryptocurrency wallet data and stored passwords from infected Mac systems. The malware bypasses traditional security controls by leveraging trusted system utilities, specifically targeting digital asset holders through social engineering campaigns. Security researchers have identified multiple variants in the wild, with distribution primarily occurring through trojanized applications and malicious software bundles.
Introduction
The macOS threat landscape has witnessed a concerning evolution with the emergence of Reaper, an information-stealing malware that weaponizes Apple’s own Script Editor utility to conduct data exfiltration operations. Unlike conventional malware that relies on suspicious third-party tools, Reaper demonstrates advanced evasion capabilities by abusing legitimate system components that security solutions typically whitelist.
This living-off-the-land (LotL) approach represents a significant shift in macOS-targeted threats. By utilizing trusted binaries already present on every Mac system, Reaper minimizes detection rates while maximizing operational effectiveness. The malware’s primary objective is clear: stealing cryptocurrency assets and credential data from unsuspecting users who often believe macOS provides inherent immunity from such threats.
The discovery of Reaper underscores the persistent myth that Mac systems remain impervious to sophisticated malware campaigns, a misconception that continues to place users at considerable risk.
Background & Context
Information stealers have historically targeted Windows environments, but the increasing adoption of macOS among cryptocurrency enthusiasts and high-value targets has shifted adversary focus. The macOS platform now hosts substantial cryptocurrency wealth through applications like Exodus, Electrum, and various browser-based wallet extensions.
Script Editor, the targeted utility in this campaign, serves as Apple’s native environment for creating and executing AppleScript and JavaScript automation scripts. Present on every macOS installation since the operating system’s inception, this tool possesses legitimate capabilities to interact with system processes, access file systems, and execute commands—precisely the permissions malware operators need.
Previous macOS stealers like XCSSET, OSX.DokSpy, and ThiefQuest established the baseline for Mac-focused information theft. However, Reaper distinguishes itself through its specific abuse of automation frameworks and its surgical focus on cryptocurrency-related data stores.
The threat actor behind Reaper remains unattributed, though distribution patterns suggest financially-motivated cybercriminals rather than nation-state operators. The malware has surfaced across multiple underground forums, indicating it may be available as malware-as-a-service (MaaS) or distributed through affiliate networks.
Technical Breakdown
Reaper’s infection chain begins with social engineering, typically through pirated software bundles, fake system updates, or trojanized legitimate applications. Initial droppers masquerade as installers for popular utilities or cracked commercial software.
Upon execution, the malware establishes persistence through multiple mechanisms:
# LaunchAgent persistence example
~/Library/LaunchAgents/com.apple.scripteditor.plistThe core payload leverages Script Editor through the osascript command-line utility, which allows execution of AppleScript without launching the visible application:
osascript -e 'tell application "Script Editor" to activate'Reaper’s data harvesting module targets specific cryptocurrency wallet locations:
Targeted Wallet Paths:
~/Library/Application Support/Exodus/~/Library/Application Support/Electrum/wallets/~/.bitcoin/wallet.dat~/Library/Application Support/com.blockchain.Blockchain/
Browser Data Extraction:
The malware systematically queries browser credential stores:
# Chrome credential database location
~/Library/Application Support/Google/Chrome/Default/Login Data
# Safari keychain queries via security command
security find-generic-password -ga "Chrome"
Reaper employs SQLite queries to parse browser databases, extracting saved credentials, autofill data, and cryptocurrency wallet extension information. The malware specifically searches for popular extensions including MetaMask, Coinbase Wallet, and Phantom.
Evasion Techniques:
The stealer implements several anti-analysis measures:
- Checks for virtual machine indicators through system profiling
- Detects debugging tools via process enumeration
- Delays execution to evade sandbox analysis
- Encrypts harvested data using XOR or AES before exfiltration
Data exfiltration occurs through HTTPS POST requests to command-and-control (C2) infrastructure, often disguised as legitimate API traffic to cloud storage providers.
Impact & Risk Assessment
The operational success of Reaper poses severe consequences for affected users:
Direct Financial Loss: Cryptocurrency wallet theft results in immediate, irreversible asset loss. Unlike traditional financial fraud, blockchain transactions cannot be reversed, making stolen cryptocurrency unrecoverable.
Credential Compromise: Harvested passwords enable secondary attacks including account takeovers, identity theft, and lateral movement into corporate networks for users with hybrid work environments.
Privacy Violation: Browser history and autofill data expose sensitive personal information that adversaries can weaponize for targeted phishing or extortion campaigns.
Risk Amplification Factors:
Users operating under the false security assumption that “Macs don’t get viruses” represent high-value, low-security targets. This demographic often includes:
- Cryptocurrency investors and traders
- Creative professionals using macOS
- Business executives with privileged access
- Developers with access to sensitive codebases
The stealer’s use of legitimate system utilities significantly complicates detection. Security solutions that whitelist signed Apple binaries may fail to identify malicious behavior when executed through Script Editor or osascript.
Organizations with BYOD policies face amplified risk, as personal device compromises can serve as entry points into corporate environments.
Vendor Response
Apple has implemented several security enhancements in recent macOS versions that theoretically mitigate some of Reaper’s capabilities, though the malware continues to circumvent these controls.
macOS Ventura and Sonoma Security Features:
Transparency, Consent, and Control (TCC) framework enhancements require explicit user permission for applications accessing sensitive data locations. However, social engineering remains effective in convincing users to grant these permissions during installation.
Gatekeeper improvements strengthen application notarization requirements, but distribution through already-installed applications or user-executed scripts bypasses these protections.
Apple has not issued specific public statements regarding Reaper but continues rolling out XProtect signature updates to detect known variants. The effectiveness of these signatures remains limited against polymorphic versions.
Security Vendor Responses:
Major endpoint protection vendors including CrowdStrike, SentinelOne, and Jamf have updated detection signatures. However, behavioral detection remains the most reliable identification method given Reaper’s legitimate tool abuse.
Several vendors have published specific indicators of compromise (IOCs) including C2 domains, file hashes, and behavioral patterns associated with Script Editor abuse.
Mitigations & Workarounds
Immediate protective actions for macOS users include:
System Configuration Hardening:
# Disable automatic script execution
defaults write com.apple.LaunchServices LSQuarantine -bool YES
# Review and remove suspicious LaunchAgents
ls -la ~/Library/LaunchAgents/
ls -la /Library/LaunchAgents/
Application Restrictions:
Utilize macOS’s built-in controls to limit Script Editor access:
- Navigate to System Settings > Privacy & Security > Automation
- Review applications with Script Editor permissions
- Revoke unauthorized access
Cryptocurrency Wallet Security:
- Migrate assets to hardware wallets (Ledger, Trezor)
- Enable wallet encryption with strong passphrases
- Store recovery phrases offline in physically secure locations
- Use dedicated, isolated systems for high-value transactions
Browser Security:
# Clear saved passwords and review storage
# Chrome: chrome://settings/passwords
# Safari: System Settings > Passwords
# Disable password saving for sensitive accounts
Access Controls:
Implement FileVault full-disk encryption to protect data at rest:
# Enable FileVault via command line
sudo fdesetup enableCreate standard user accounts for daily operations rather than using administrator privileges continuously.
Detection & Monitoring
Security teams should implement multi-layered detection strategies:
Process Monitoring:
Monitor for suspicious osascript executions:
# Log analysis for Script Editor abuse
log show --predicate 'process == "osascript"' --info --last 24hFile Integrity Monitoring:
Track unauthorized access to sensitive directories:
# Monitor wallet directories
sudo fs_usage | grep "Application Support"Network Traffic Analysis:
Establish baseline network behavior and alert on:
- Unusual HTTPS POST requests with large payloads
- Connections to newly registered domains
- Traffic to known malicious infrastructure
Endpoint Detection Indicators:
- Unexpected Script Editor or osascript process launches
- Access to multiple browser credential databases
- Enumeration of cryptocurrency wallet directories
- New LaunchAgent/LaunchDaemon creation
- Outbound connections from osascript processes
Threat Hunting Queries:
# Search for persistence mechanisms
find ~/Library/LaunchAgents -type f -name "*.plist" -exec grep -l "osascript" {} \;
# Identify suspicious script files
find / -name ".scpt" -o -name ".applescript" 2>/dev/null
Deploy EDR solutions with macOS-specific behavioral analytics capabilities rather than relying solely on signature-based detection.
Best Practices
Comprehensive security posture requires layered defensive strategies:
User Awareness:
- Educate users that macOS faces legitimate malware threats
- Train on identifying social engineering tactics
- Emphasize caution with software from unofficial sources
Software Acquisition:
- Download applications exclusively from the Mac App Store or verified developer websites
- Verify code signatures before installation
- Avoid pirated software and key generators
Credential Management:
- Implement password managers (1Password, Bitwarden) instead of browser storage
- Enable multi-factor authentication universally
- Rotate credentials following potential compromise
System Maintenance:
- Apply macOS security updates promptly
- Maintain current versions of all installed applications
- Regularly review installed applications and remove unnecessary software
Backup Strategy:
- Implement automated Time Machine backups
- Maintain offline backup copies
- Test restoration procedures periodically
Network Security:
- Deploy DNS filtering to block known malicious domains
- Utilize VPN services on untrusted networks
- Segment IoT devices from primary computing systems
Enterprise Environments:
- Enforce Mobile Device Management (MDM) policies
- Implement application whitelisting
- Deploy enterprise EDR solutions
- Conduct regular security assessments
Key Takeaways
- macOS Immunity is a Myth: The Reaper stealer demonstrates that Mac systems face sophisticated, targeted malware threats equivalent to Windows environments.
- Living-off-the-Land Tactics Work: By abusing legitimate system utilities like Script Editor, malware can evade traditional security controls and operate under the radar of signature-based detection.
- Cryptocurrency Remains a Prime Target: The concentration of irreversible digital assets on personal computing devices creates compelling targets for financially-motivated threat actors.
- Social Engineering Defeats Technical Controls: Despite Apple’s security enhancements, user deception remains the primary infection vector, emphasizing the critical importance of security awareness.
- Layered Defense is Essential: No single security control provides adequate protection; comprehensive strategies incorporating technical controls, user education, and monitoring deliver optimal results.
- Hardware Wallets Provide Superior Protection: For significant cryptocurrency holdings, hardware wallet solutions offer protection against software-based theft that no operating system can guarantee.
- Behavioral Detection Outperforms Signatures: As malware increasingly leverages legitimate tools, security solutions must focus on anomalous behavior patterns rather than static signatures.
References
- Apple Security Updates Documentation
- MITRE ATT&CK Framework – macOS Techniques
- Cryptocurrency Wallet Security Best Practices
- macOS Transparency, Consent, and Control (TCC) Technical Documentation
- NIST Cybersecurity Framework – Asset Management Guidelines
- Common Vulnerability Scoring System (CVSS) – Impact Metrics
- Open Source Security Foundation (OpenSSF) – Software Supply Chain Best Practices
Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.
📧 Subscribe to our newsletter at https://cydhaal.com/newsletter/
