Malicious ads and fake websites are serving as vectors for two different stealer malware families targeting Apple macOS users, one of them Atomic Stealer.
Ongoing infostealer attacks targeting macOS users may be employing different methods to compromise victims' Macs, but they operate with the ultimate goal of stealing sensitive data, Jamf Threat Labs said in a report released Friday.
One such attack chain targets users searching for Arc Browser on search engines such as Google and serves fake ads that redirect them to a lookalike site (“airci[.]net”) that serves the malware.
“Interestingly, the malicious website returns an error and cannot be accessed directly,” said security researchers Jaron Bradley, Ferdous Saljouki, and Maggie Zirnhelt. “It can only be accessed through generated sponsored links, presumably to avoid detection.”
The disk image file downloaded from the fake website ('ArcSetup.dmg') delivers Atomic Stealer, which prompts users to enter their system password via a fake prompt and ultimately facilitates information theft.
Jamf said it also discovered a fake website, meethub[.]gg, that claims to offer free group meeting scheduling software but in reality installs another stealer malware capable of collecting users' keychain data, credentials stored in web browsers, and information from cryptocurrency wallets.
Like Atomic Stealer, this malware (which is said to overlap with the Rust-based stealer family known as Realst) also uses AppleScript calls to prompt users for their macOS login password in order to carry out its malicious actions.
Attacks using this malware are said to have approached victims under the pretext of discussing job opportunities or interviewing them for a podcast, then asked them to download the app from meethub[.]gg to join the video conference listed in the meeting invitation.
“These attacks often focus on people in the cryptocurrency industry, as these efforts can yield large rewards for the attackers,” the researchers said. “Industry participants need to be fully aware that it is often easy to find public information that indicates they are asset owners and can be easily linked to companies in the industry.”
The development comes as MacPaw's cybersecurity arm Moonlock Lab revealed that threat actors are using a malicious DMG file ('App_v1.0.4.dmg') to deploy stealer malware designed to extract credentials and data from various applications.
This is accomplished by means of an obfuscated AppleScript and bash payload retrieved from a Russian IP address, the former being used to launch a deceptive prompt (as described above) that tricks the user into entering their system password.
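The fake password prompt described here, and in the meethub[.]gg case above, is built with AppleScript's `display dialog ... with hidden answer`. As an added example that is not part of the Jamf or Moonlock reporting, the following Python scans constructed process command-line events for that prompt pattern and for a decoded-then-executed shell payload; the `dscl ... -authonly` indicator (the stealer checking the captured password against the local directory) reflects publicly documented Atomic Stealer behaviour, not something stated in this article.

```python
import re

# Indicators of a fake macOS credential prompt built with AppleScript and of the
# obfuscated payload delivery described in the article. The dscl -authonly check
# is publicly documented stealer behaviour, not something stated in the article.
INDICATORS = {
    # "display dialog" whose typed input is hidden: the shape of a password lure
    "hidden_input_dialog": re.compile(r"display\s+dialog\b.*\bhidden\s+answer\b", re.I | re.S),
    # dialog text that asks for a password
    "password_lure": re.compile(r'display\s+dialog\s+"[^"]*password[^"]*"', re.I),
    # captured password validated against the local directory service
    "local_auth_check": re.compile(r"\bdscl\b.*-authonly\b", re.I),
    # base64-decoded blob piped straight into a shell (obfuscated bash payload)
    "decoded_payload": re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(ba)?sh\b", re.I),
}


def classify_command(cmdline: str) -> list:
    """Return the names of every indicator matched by one process command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def scan_events(events):
    """events: iterable of (pid, cmdline). Return (pid, indicators) for suspicious ones."""
    hits = []
    for pid, cmdline in events:
        found = classify_command(cmdline)
        if found:
            hits.append((pid, found))
    return hits


# Constructed sample events (not real telemetry), in the shape an EDR records
# process launches: (pid, command line). The base64 blob is a placeholder.
SAMPLE_EVENTS = [
    (4101, 'osascript -e \'display dialog "macOS needs to access System Settings. '
           'Please enter your password." default answer "" with hidden answer with icon caution\''),
    (4102, 'dscl /Local/Default -authonly "alice" "<captured-password>"'),
    (4103, 'sh -c "echo <BASE64_PLACEHOLDER> | base64 -d | sh"'),
    (4104, 'osascript -e \'display dialog "Update complete" buttons {"OK"}\''),  # benign dialog
    (4105, 'ls -la /Applications'),
]

if __name__ == "__main__":
    for pid, found in scan_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(found)}")
```

Feed the same function the command lines from your own process-execution telemetry; a benign dialog (event 4104) produces no hit, so the rule keys on hidden input and password wording rather than on osascript use alone.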
“It disguises itself as a harmless DMG file and tricks users into installing it via phishing images, bypassing macOS's Gatekeeper security features,” said security researcher Mykhailo Hrebeniuk.
The development shows that macOS environments are under threat from stealer attacks, with some strains even boasting sophisticated anti-virtualization techniques, such as self-destructing kill switches activated to evade detection.
In recent weeks, we have also observed malvertising campaigns pushing the FakeBat loader (also known as EugenLoader) and other information stealers such as Rhadamanthys via a Go-based loader through decoy sites for popular software such as Notion and PuTTY.