Emerging Threat Purrglar Stealer in Development

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.
Summary
Researchers have uncovered a potential stealer, dubbed "Purrglar," uploaded to VirusTotal on January 10, 2025. This malware targets Chrome and Exodus wallet files and notably uses macOS Security Framework APIs to access the Keychain, suggesting a focus on stealing sensitive data.
Currently, the stealer appears to be under development, as evidenced by localhost being used as the file upload destination. This advisory highlights key aspects of Purrglar, including its methods for accessing the Keychain, capturing Chrome and Exodus files, and uploading data via Curl APIs.
Technical Detail
Capturing Serial Number
The uid() function gathers the device's serial number using macOS's NSTask to execute the /usr/sbin/system_profiler SPHardwareDataType command. The result is processed via NSScanner to extract the serial number, which is then stored for later use.

Timestamp Retrieval
The getTimestamp() function uses NSDate to retrieve the current timestamp since 1970, which is also stored for later use.

URL Setup
The serial number and timestamp are combined to create a URL in the format: http://{localhost}:8000/api/{SerialNumber}/{timeSince1970}. This URL, along with the use of "localhost," suggests the application might still be in development or testing.
Keychain Access
The getEncryptionKey() function prompts the user for consent to access the Chrome key stored in the macOS Keychain, which is needed to access sensitive Chrome-related files. The process follows Apple's guidelines for keychain searches.
The query uses several kSec* symbols, including:
kSecAttrService: set to "Chrome Safe Storage"
kSecAttrAccount: set to "Chrome"
kSecClass: set to kSecClassGenericPassword
Chrome creates a Keychain entry with these attributes during installation. The query is structured as a dictionary, like this example in Swift:

The SecItemCopyMatching() function executes the query, triggering a system prompt for the user to allow access to the Keychain. If the user grants permission by entering their password, the process continues. If the user clicks "Deny," a custom error prompt encourages them to re-enter their password.
If successful, the function returns the Chrome key; otherwise, it returns 0.

Stealer Activity After Keychain Access
If the stealer succeeds in gaining Keychain access, the application uses the Chrome key to construct additional URLs to upload sensitive files. For example: http://{localhost}:8000/api/{SerialNumber}/{timeSince1970}/1/chrome_cookies/{Chrome key}
Files such as Chrome cookies, login data, and Exodus wallet files (e.g., passphrase.json, seed.seco, storage.seco) are identified and prepared for upload.

File Uploading
The sendFile() function uses the libcurl API (curl_mime and curl_easy_perform) to upload the files to the constructed URLs. The process involves:
Checking if the file exists using NSFileManager.
Setting up a curl_mime structure to handle file uploads as multipart/form-data.
Using curl_easy_perform() to execute the upload.
If successful, an NSAlert confirms the upload.
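As an added detection example (not code from the advisory or from the malware), the following Python scans proxy log lines in a constructed format for the beacon and upload URL pattern described above and for multipart uploads carrying the named Exodus wallet files; the log format, serial number, timestamp and key values are all constructed, and accepting upload names other than chrome_cookies is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Purrglar's beacon/upload path, per the advisory:
#   /api/{SerialNumber}/{timeSince1970}[/1/chrome_cookies/{Chrome key}]
# Only chrome_cookies is documented; accepting any lowercase name under /1/
# (for the login-data and wallet uploads it also mentions) is an assumption.
PURRGLAR_PATH = re.compile(
    r"^/api/(?P<serial>[A-Z0-9]{10,12})/(?P<ts>\d{10})"  # serial, epoch
    r"(?:/1/(?P<kind>[a-z_]+)/(?P<key>.+))?$"
)
# Exodus wallet files named in the advisory.
EXODUS_FILES = {"passphrase.json", "seed.seco", "storage.seco"}

@dataclass
class Finding:
    line_no: int
    reason: str
    serial: Optional[str] = None

def inspect_log_line(line_no: int, line: str) -> Optional[Finding]:
    """Flag one proxy log line; format is the constructed one in SAMPLE_LOG."""
    parts = line.split()
    if len(parts) < 4:
        return None
    method, path = parts[1], parts[3]
    m = PURRGLAR_PATH.match(path)
    if m:
        kind = m["kind"] or "beacon"
        return Finding(line_no, f"Purrglar-style path ({kind})", m["serial"])
    if method == "POST":
        # A multipart upload carrying a wallet file is suspicious on its own.
        for field in parts[4:]:
            name = field.partition("filename=")[2]
            if name in EXODUS_FILES:
                return Finding(line_no, f"Exodus wallet file uploaded: {name}")
    return None

def scan(log_text: str) -> List[Finding]:
    hits = (inspect_log_line(n, ln) for n, ln in enumerate(log_text.splitlines(), 1))
    return [h for h in hits if h]

# Constructed sample: "<epoch> <method> <host:port> <path> [filename=<name>]"
SAMPLE_LOG = """\
1736500000 GET localhost:8000 /api/C02XYZ123ABC/1736500000
1736500001 POST localhost:8000 /api/C02XYZ123ABC/1736500000/1/chrome_cookies/Zm9v+YmFy/Zg== filename=Cookies
1736500002 POST 203.0.113.10:443 /upload filename=seed.seco
1736500003 GET example.com:443 /api/v1/status
"""
```

In production the destination will not be localhost, so alert on the path shape and the wallet filenames rather than on the host.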

Recommendation
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Ensure your macOS and all applications, especially browsers like Chrome, are up to date. Security patches often address vulnerabilities that malware could exploit.
Enable two-factor authentication (2FA) for accounts that support it and use strong, unique passwords to reduce the risk of unauthorized access to sensitive data.
Be cautious when granting apps access to your Keychain. Regularly review and manage permissions, and deny access to any unfamiliar or suspicious applications.
Watch for callback IPs, magic packet patterns, and certificate fingerprints linked to past campaigns.
Conclusion
This application, which is currently under development, steals sensitive data. Its behavior, such as accessing Chrome keys from the Keychain and targeting other sensitive data, presents significant risks for macOS users. Monitoring this stealer is essential, as it may evolve into a more advanced threat or inspire similar attacks in the future.