Over the past year, macOS users, particularly those in the cryptocurrency sector, have been increasingly targeted by infostealers. These malicious programs aim to harvest credentials and data from crypto wallets.
amf Threat Labs has been monitoring the evolution of these threats and has identified two recent attacks that have successfully deployed infostealers on victims’ macOS systems.
The first attack involves a fake sponsored ad for “Arc Browser” that leads to a malicious website, which can only be accessed through the ad link.
This site distributes a variant of the Atomic Stealer malware, which uses xor encoding to evade detection and employs AppleScript to steal information.
Are you from The Team of SOC, Network Security, or Security Manager or CSO? Download Perimeter’s Guide to how cloud-based, converged network security improves security and reduces TCO.
Adapt to the changing threat landscape effortlessly with Perimeter 81’s cloud-based, unified network security platform.
Much like the Atomic stealer sample dissected above, this stealer also prompts the user for their macOS login password using the following AppleScript call.
Google ad services link:
hXXps://www.googleadservices.com/pagead/aclk?sa=L&ai=DChcSEwiC8Jm6-ZSFAxUIwUwCHXbYB3MYABAAGgJ0bQ&ase=2&gclid=EAIaIQobChMIgvCZuvmUhQMVCMFMAh122AdzEAAYASAAEgKHuvD_BwE&ei=0lQEZp-wCbWqptQP-Kq0mA8&ohost=www.google.com&cid=CAASJORoo4VHmMOQTyTY97tSpGDZA1DEcypIUn9R0xOdHJi1x9N3KQ&sig=AOD64_2IOygLFSykCaouP6GmJOVlWRg3AA&q&sqi=2&nis=4&adurl&ved=2ahUKEwif4Y66-ZSFAxU1lYkEHXgVDfMQ0Qx6BAgJEAE
The malware prompts users for their macOS password to access keychain data and sends the stolen information to the attacker’s server.
The second attack uses a fake Meethub application, which poses as a virtual meeting platform. The attackers, who have a significant online presence, lure victims through direct messages on social media, discussing topics like podcast recordings or job opportunities.
The unsigned Meethub application, once downloaded, prompts users for their macOS password and uses various tools to extract sensitive data, including:
The stolen data is then sent to the attacker’s server.
According to the report, these attacks highlight the growing trend of targeting macOS users in the cryptocurrency industry.
Attackers use sophisticated social engineering techniques to build rapport and gain trust before deploying their infostealers.
Users must remain vigilant and cautious of unsolicited communications, especially cryptocurrency-related ones. They should always verify the legitimacy of applications and be wary of providing sensitive information or credentials.
Are you from the SOC and DFIR Teams? – Analyse linux Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
Microsoft has allowed unprivileged users to update their own User Principal Names (UPNs) in Entra…
IntelBroker, a key figure within the dark web's BreachForums, has announced his resignation as the…
A critical vulnerability in Kubernetes, designated as CVE-2024-9042, has been discovered, enabling attackers to execute…
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a critical…
Researchers from the University of Florida and North Carolina State University conducted an extensive analysis…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS) advisories to…