Cybercriminals are Targeting macOS Users with Malicious Ads Spreading Stealer Malware
False websites and malicious advertisements serve as conduits for the distribution of two distinct stealer malware, one of which, Atomic Stealer, targets Apple macOS users.
Jamf Threat Labs stated in a report published on Friday that the ongoing infostealer attacks that target macOS users may have adopted various methods to compromise victims’ Macs, but their ultimate objective is to steal sensitive data.
A specific attack chain aims to deceive users who are looking for Arc Browser on search engines such as Google by presenting them with fraudulent advertisements that direct them to sites that resemble Arc Browser but actually distribute malware (“airci[.]net”).
“It is noteworthy that the malicious website generates an error that prevents direct access,” stated security researchers Maggie Zirnhelt, Jaron Bradley, and Ferdous Saljooki. “It can only be accessed through a generated sponsored link, presumably to evade detection.”
The disk image file (“ArcSetup.dmg”) obtained from the fraudulent website contains Atomic Stealer, a program notorious for presenting bogus prompts requiring users to input their system passwords; this ultimately facilitates the theft of sensitive information.
Jamf has also identified a fraudulent website known as meethub[.]gg, which purports to provide free software for scheduling group meetings but in fact deploys an additional stealer malware that can amass users’ keychain data, web browser-stored credentials, and cryptocurrency wallet information.
Like Atomic Stealer, this malware, which is said to overlap with the Rust-based Realst stealer family, uses an AppleScript call to request the user’s macOS login password before carrying out its malicious activities.
Threat actors believed to be using this malware have reportedly approached victims while posing as podcast interviewees and job seekers, then asked them to download an application from meethub[.]gg in order to join a video conference embedded in the meeting invitation.
“These attacks frequently concentrate on people working in the crypto industry because these endeavors may give rise to large payouts for attackers,” the investigators reported. “Those in this sector should be highly conscious that it’s often easy to locate public information that they are asset holders or are readily tied to an organization that puts them in this industry.”
The development follows the disclosure by Moonlock Lab, the cybersecurity division of MacPaw, that threat actors are utilizing deceptive DMG files (“App_v1.0.4.dmg”) to distribute stealer malware that extracts credentials and data from multiple applications.
This is achieved through a bash payload and an obfuscated AppleScript retrieved from a Russian IP address. As in the campaigns above, the obfuscated AppleScript is used to display a deceptive prompt that tricks users into divulging their system password.
“By posing as a benign DMG file, it manipulates the user into installing it through a phishing image, thereby convincing the user to circumvent the Gatekeeper security feature on macOS,” explained security researcher Mykhailo Hrebeniuk.
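As an added detection example (not code from the report, Jamf, or Moonlock), the following Python scanner runs over constructed process-execution events and flags osascript invocations that build a hidden-answer password dialog, including one wrapped in base64 as a stand-in for the obfuscated AppleScript described above. The event layout, pids, and prompt wording are assumptions made for the example.

```python
import base64
import re

# Constructed sample process-execution events (not real telemetry), in the
# shape an EDR feed might emit for each exec: pid, image name, argument list.
_B64_PROMPT = base64.b64encode(
    b'display dialog "Password:" default answer "" with hidden answer').decode()
SAMPLE_EVENTS = [
    {"pid": 4101, "process": "osascript",
     "args": ["osascript", "-e",
              'display dialog "macOS needs to update settings. Enter your password." '
              'default answer "" with hidden answer with icon caution']},
    {"pid": 4102, "process": "bash",
     "args": ["bash", "-c", f"echo {_B64_PROMPT} | base64 -d | osascript"]},
    {"pid": 4103, "process": "osascript",
     "args": ["osascript", "-e", 'display notification "Backup complete"']},
]

# A dialog that hides what the user types is the hallmark of the fake password
# prompt; requiring credential wording too cuts noise from benign secret prompts.
PROMPT_PATTERN = re.compile(r"display\s+dialog\b.*?\bwith\s+hidden\s+answer", re.I | re.S)
CRED_WORDS = re.compile(r"password|passcode|keychain|credential", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_blobs(text):
    """Yield decoded text of base64-looking tokens so that a simple
    `echo <b64> | base64 -d | osascript` wrapper does not hide the prompt."""
    for match in B64_BLOB.finditer(text):
        try:
            yield base64.b64decode(match.group(0), validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue


def scan_event(event):
    """Return a finding if the event looks like an AppleScript password prompt."""
    cmdline = " ".join(event["args"])
    if "osascript" not in cmdline:
        return None
    # Check the visible command line first, then any base64 payload it carries.
    candidates = [(False, cmdline)] + [(True, t) for t in decode_blobs(cmdline)]
    for obfuscated, text in candidates:
        if PROMPT_PATTERN.search(text) and CRED_WORDS.search(text):
            return {"pid": event["pid"], "process": event["process"],
                    "obfuscated": obfuscated, "snippet": text[:60]}
    return None


def scan_events(events):
    """Run scan_event over a batch of events and keep only the hits."""
    return [hit for hit in map(scan_event, events) if hit]
```

The pattern is a heuristic: it catches the plain and base64-wrapped forms shown here, and a real deployment would feed it live exec telemetry and tune the credential wording to the prompts seen in the environment.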
This development suggests that stealer attacks are becoming a greater threat to macOS environments; some strains are even said to employ sophisticated anti-virtualization methods, triggering a self-destructing kill switch in order to avoid detection.
In recent weeks, malvertising campaigns have been identified utilizing sham websites presenting well-known applications such as Notion and PuTTY to distribute the FakeBat loader (also known as EugenLoader) and other information stealers including Rhadamanthys via a Go-based loader.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way: he began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. He also frequently writes for Craw Security.