Hackers target macOS users with malicious ads and spread stealing malware

March 30, 2024 | Newsroom | Malware / Cryptocurrency


Malicious ads and fake websites are being used as vectors to deliver two different stealer malware families, including Atomic Stealer, to Apple macOS users.

Ongoing infostealer attacks targeting macOS users may use different methods to compromise victims’ Macs, but they share the ultimate goal of stealing sensitive data, Jamf Threat Labs said in a report released Friday.

One such attack chain targets users searching for the Arc Browser on search engines such as Google, serving fake ads that redirect them to a look-alike site (“airci[.]net”) that delivers the malware.

“Interestingly, the malicious website returns an error and cannot be accessed directly,” said security researchers Jaron Bradley, Ferdous Saljouki, and Maggie Zirnhelt. “It can only be accessed via generated sponsored links, presumably to avoid detection.”

The disk image file downloaded from the fake website (‘ArcSetup.dmg’) delivers Atomic Stealer, which uses a fake prompt to trick users into entering their system password and ultimately facilitates information theft.


Jamf said it also discovered a fake website, meethub[.]gg, that claims to offer free group meeting scheduling software but in reality installs another stealer capable of harvesting users’ keychain data, credentials stored in web browsers, and information from cryptocurrency wallets.

Like Atomic Stealer, this malware (which is said to overlap with the Rust-based stealer family known as Realst) also uses AppleScript calls to prompt macOS users for their login password in order to carry out its malicious actions.

Attacks leveraging this malware are said to have approached victims under the pretext of discussing job opportunities or interviewing them for a podcast, then asked them to download the app from meethub[.]gg in order to join the video conference listed in the meeting invitation.

“These attacks often focus on people in the cryptocurrency industry, as these efforts can yield large rewards for the attackers,” the researchers said. “Industry players need to be fully aware that it is often easy to find public information that indicates they are asset owners and can be easily linked to companies in the industry.”

The development comes as MacPaw’s cybersecurity arm Moonlock Lab revealed that threat actors are using a malicious DMG file (‘App_v1.0.4.dmg’) to deploy stealer malware designed to extract credentials and data from various applications.

This is accomplished through an obfuscated AppleScript and bash payload retrieved from a Russian IP address. The former is used to launch a deceptive prompt (as described above) that tricks the user into entering the system password.
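The behaviours described above (an AppleScript dialog that asks for a hidden, password-style answer, a keychain read, and a payload launched from a mounted disk image) give a defender concrete things to look for in process telemetry. The following detection heuristic is an added example, not code from Jamf, Moonlock or the malware itself; the event fields and the sample events are constructed, and the `/Volumes/Installer` path is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical detection heuristic (added example): flag process events that
# look like an osascript password prompt, a keychain read via security(1), or a
# child of a process running from a mounted disk image under /Volumes.

HIDDEN_ANSWER = re.compile(r"display\s+dialog\b.*\bwith\s+hidden\s+answer\b", re.I | re.S)
KEYCHAIN_READ = re.compile(
    r"\bsecurity\b.*\b(dump-keychain|find-generic-password|find-internet-password)\b", re.I)

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    exe: str       # resolved executable path (constructed field name)
    cmdline: str   # full command line as logged

def flag_event(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Return the reasons this event looks like stealer activity (empty if none)."""
    reasons = []
    if ev.exe.endswith("/osascript") and HIDDEN_ANSWER.search(ev.cmdline):
        reasons.append("osascript dialog requesting a hidden answer (password prompt)")
    if ev.exe.endswith("/security") and KEYCHAIN_READ.search(ev.cmdline):
        reasons.append("keychain read via security(1)")
    parent = by_pid.get(ev.ppid)
    if parent is not None and parent.exe.startswith("/Volumes/"):
        reasons.append("spawned by a process running from a mounted disk image")
    return reasons

def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every event that triggered at least one rule."""
    by_pid = {ev.pid: ev for ev in events}
    return {ev.pid: r for ev in events if (r := flag_event(ev, by_pid))}

# Constructed sample telemetry: pids 500-502 model the reported chain; 600 and 601 are benign.
SAMPLE_EVENTS = [
    ProcEvent(500, 1, "/Volumes/Installer/Setup.app/Contents/MacOS/Setup", "Setup"),
    ProcEvent(501, 500, "/usr/bin/osascript",
              "osascript -e 'display dialog \"Enter your password\" default answer \"\" with hidden answer'"),
    ProcEvent(502, 500, "/usr/bin/security", "security dump-keychain -d login.keychain"),
    ProcEvent(600, 1, "/usr/bin/osascript", "osascript -e 'display notification \"Build finished\"'"),
    ProcEvent(601, 1, "/Applications/Terminal.app/Contents/MacOS/Terminal", "Terminal"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Only the two children of the disk-image process are flagged; the benign notification dialog and the Terminal launch produce no hits, which is the point of combining the dialog pattern with process ancestry rather than alerting on every osascript run.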


“It disguises itself as a harmless DMG file and tricks users into installing it via phishing images, bypassing macOS’s gatekeeper security features,” said security researcher Mykhailo Hrebeniuk.

This development shows that the macOS environment is increasingly under threat from stealer attacks, with some strains boasting sophisticated anti-virtualization techniques and self-destructing kill switches to evade detection.

Recent weeks have also seen malvertising campaigns pushing the FakeBat loader (also known as EugenLoader) and other information stealers such as Rhadamanthys via Go-based loaders, using decoy sites for popular software such as Notion and PuTTY.
