# Emerging Threat Purrglar Stealer in Development

## **Summary**

Researchers have uncovered a potential stealer, dubbed "Purrglar," uploaded to VirusTotal on January 10, 2025. This malware targets Chrome and Exodus wallet files and notably uses macOS Security Framework APIs to access the Keychain, suggesting a focus on stealing sensitive data.

Currently, the stealer appears to be under development, as evidenced by localhost being used as the file upload destination. This advisory highlights key aspects of Purrglar, including its methods for accessing the Keychain, capturing Chrome and Exodus files, and uploading data via Curl APIs.

## **Technical Detail**

### Capturing Serial Number

The uid() function gathers the device's serial number using macOS's NSTask to execute the /usr/sbin/system\_profiler SPHardwareDataType command. The result is processed via NSScanner to extract the serial number, which is then stored for later use.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1738202605296/8ae83ea7-f1c8-4d0d-a4e3-35826f75816a.png align="center")

### Timestamp Retrieval

The getTimestamp() function uses NSDate to retrieve the current timestamp since 1970, which is also stored for later use.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1738202648959/1828b26a-e561-485c-9ab1-c5c01b22769f.png align="center")

### URL Setup

The serial number and timestamp are combined to create a URL in the format: http://{localhost}:8000/api/{SerialNumber}/{timeSince1970}. This URL, along with the use of "localhost," suggests the application might still be in development or testing.

### Keychain Access

The getEncryptionKey() function prompts the user for consent to access the Chrome key stored in the macOS Keychain, which is needed to access sensitive Chrome-related files. The process follows Apple's guidelines for keychain searches.

The query uses several kSec\* symbols, including:

1. kSecAttrService: Set to "Chrome Safe Storage."
2. kSecAttrAccount: Set to "Chrome."
3. kSecClass: Set to kSecClassGenericPassword.

Chrome creates a Keychain entry with these attributes during installation. The query is structured as a dictionary, like this example in Swift:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1738202726485/9613b787-371c-4cd3-808b-62b00fb80361.png align="center")

The SecItemCopyMatching() function executes the query, triggering a system prompt for the user to allow access to the Keychain. If the user grants permission by entering their password, the process continues. If the user clicks "Deny," a custom error prompt encourages them to re-enter their password.

If successful, the function returns the Chrome key; otherwise, it returns 0.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1738202753679/cd0f51bf-bba6-4874-b634-d50b4fae5dff.png align="center")

### Stealer Activity After Keychain Access

If the stealer succeeds in gaining Keychain access, the application uses the Chrome key to construct additional URLs to upload sensitive files. For example: http://{localhost}:8000/api/{SerialNumber}/{timeSince1970}/1/chrome\_cookies/{Chrome key}. Files like Chrome cookies, login data, and Exodus wallet files (e.g., passphrase.json, seed.seco, storage.seco) are identified and prepared for upload.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1738202788935/e4cd49a6-31f6-4d6c-ac0c-58a5ad5a11a8.png align="center")

### File Uploading

The sendFile() function uses Curl APIs to upload the files to the constructed URLs. The process involves:

1. Checking if the file exists using NSFileManager.
2. Setting up a curl\_mime structure to handle file uploads as multipart/form-data.
3. Using curl\_easy\_perform() to execute the upload.

If successful, an NSAlert confirms the upload.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1738202919588/0e5241b6-cf26-4e1e-90aa-6f34e1a75867.png align="center")
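As an added example that is not part of the original advisory, the following Python scans proxy-style HTTP log lines for requests matching the upload URL shape described in the URL Setup and Stealer Activity sections, and reports which device serials reached the post-Keychain upload stage. The log line format, the serial, timestamp and key values, and any artifact name other than chrome_cookies are constructed assumptions, not data from the sample.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Upload URL shape from the advisory:
#   http://{host}:8000/api/{SerialNumber}/{timeSince1970}[/1/{artifact}/{ChromeKey}]
# The trailing "/1/{artifact}/{key}" segment only appears after Keychain access succeeded.
PURRGLAR_URL = re.compile(
    r"https?://(?P<host>[^/:\s]+):8000/api/"
    r"(?P<serial>[A-Za-z0-9]+)/(?P<ts>\d{9,11})"
    r"(?:/1/(?P<artifact>[a-z_]+)/(?P<key>[^/\s]+))?"
)

@dataclass
class UploadEvent:
    host: str
    serial: str
    timestamp: int
    artifact: Optional[str]  # None for the initial serial/timestamp-only URL
    has_key: bool            # True once the Chrome key segment is present

def parse_upload_url(text: str) -> Optional[UploadEvent]:
    """Return an UploadEvent if the text contains a Purrglar-shaped URL, else None."""
    m = PURRGLAR_URL.search(text)
    if not m:
        return None
    return UploadEvent(m["host"], m["serial"], int(m["ts"]),
                       m["artifact"], m["key"] is not None)

def scan_http_log(lines):
    """Run the matcher over free-form HTTP log lines (one request per line)."""
    return [ev for ev in map(parse_upload_url, lines) if ev is not None]

def summarize(events):
    """Per serial: count of pre-key requests, and which artifacts were uploaded with a key."""
    out = defaultdict(lambda: {"beacons": 0, "exfiltrated": []})
    for ev in events:
        if ev.artifact is None:
            out[ev.serial]["beacons"] += 1
        else:
            out[ev.serial]["exfiltrated"].append(ev.artifact)
    return dict(out)

# Constructed sample lines in an assumed "time client method url status" proxy format;
# the serial, timestamp and key values are made up for this example.
SAMPLE_LOG = """\
2025-01-10T12:00:01Z 10.0.0.5 POST http://localhost:8000/api/C02FAKE1234X/1736510401 200
2025-01-10T12:00:02Z 10.0.0.5 GET http://example.com/index.html 200
2025-01-10T12:00:09Z 10.0.0.5 POST http://localhost:8000/api/C02FAKE1234X/1736510401/1/chrome_cookies/AbC123fakekey== 200
"""

if __name__ == "__main__":
    for serial, info in summarize(scan_http_log(SAMPLE_LOG.splitlines())).items():
        print(serial, info)
```

Because the sample currently points at localhost, the host group is left unconstrained so the same matcher still fires if a later build swaps in a real upload server.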

## **Recommendation**

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

1. Ensure your macOS and all applications, especially browsers like Chrome, are up to date. Security patches often address vulnerabilities that malware could exploit.
2. Enable two-factor authentication (2FA) for accounts that support it and use strong, unique passwords to reduce the risk of unauthorized access to sensitive data.
3. Be cautious when granting apps access to your Keychain. Regularly review and manage permissions and deny access to any unfamiliar or suspicious applications.
4. Watch for callback IPs, magic packet patterns, and certificate fingerprints linked to past campaigns.

## **Conclusion**

This application, which is currently under development, steals sensitive data. Its behavior, such as accessing Chrome keys from the Keychain and targeting other sensitive data, presents significant risks for macOS users. Monitoring this stealer is essential, as it may evolve into a more advanced threat or inspire similar attacks in the future.
