Hackers Target macOS Users with Malicious Ads Spreading Stealer Malware


Malicious ads and bogus websites are serving as a conduit to deliver two different stealer malware families, including Atomic Stealer, targeting Apple macOS users.

The ongoing infostealer attacks targeting macOS users may have adopted different methods to compromise victims' Macs, but they operate with the end goal of stealing sensitive data, Jamf Threat Labs said in a report published Friday.

One such attack chain targets users searching for Arc Browser on search engines like Google, serving bogus ads that redirect users to look-alike sites ("airci[.]net") that serve the malware.

"Interestingly, the malicious website can't be accessed directly, as it returns an error," security researchers Jaron Bradley, Ferdous Saljooki, and Maggie Zirnhelt said. "It can only be accessed through a generated sponsored link, presumably to evade detection."

The disk image file downloaded from the counterfeit website ("ArcSetup.dmg") delivers Atomic Stealer, which is known to ask users to enter their system password via a fake prompt and ultimately facilitate information theft.

Jamf said it also discovered a phony website called meethub[.]gg that claims to offer free group meeting scheduling software, but actually installs another stealer malware capable of harvesting users' keychain data, credentials stored in web browsers, and information from cryptocurrency wallets.

Much like Atomic Stealer, the malware, which is said to overlap with a Rust-based stealer family known as Realst, also prompts the user for their macOS login password using an AppleScript call in order to carry out its malicious actions.

Attacks leveraging this malware are said to have approached victims under the pretext of discussing job opportunities and interviewing them for a podcast, subsequently asking them to download an app from meethub[.]gg to join a video conference provided in the meeting invitations.

"These attacks are often focused on those in the crypto industry as such efforts can lead to large payouts for attackers," the researchers said. "Those in the industry should be hyper-aware that it's often easy to find public information that they're asset holders or can easily be tied to a company that puts them in this industry."

The development comes as MacPaw's cybersecurity division Moonlock Lab disclosed that malicious DMG files ("App_v1.0.4.dmg") are being used by threat actors to deploy a stealer malware designed to extract credentials and data from various applications.

This is accomplished by means of an obfuscated AppleScript and bash payload retrieved from a Russian IP address, the former of which is used to launch a deceptive prompt (as mentioned above) that tricks users into providing their system passwords.
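As an added defensive example (not code from the Jamf or Moonlock reports), the following Python scans process-execution telemetry for osascript invocations that draw a hidden-answer dialog, the AppleScript construct behind the fake password prompts described above, and raises the severity when the prompt mentions a password or the parent process runs from a mounted disk image. The log line format, the file paths in the constructed sample, and the scoring heuristic are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample process-execution telemetry (not real logs). The line format
# '<ts> parent=<path> exe=<path> cmd=<argv>' is an assumption for this example.
# The third line mimics the fake password prompt discussed above: a binary
# launched from a mounted disk image runs osascript with a hidden-answer dialog.
SAMPLE_LOG = """\
2024-03-15T10:01:02Z parent=/Applications/Xcode.app/Contents/MacOS/Xcode exe=/usr/bin/osascript cmd=osascript -e 'display notification "Build finished"'
2024-03-15T10:02:17Z parent=/usr/local/bin/jamf exe=/usr/bin/osascript cmd=osascript /Library/Scripts/inventory.scpt
2024-03-15T10:03:44Z parent=/Volumes/ArcSetup/Arc.app/Contents/MacOS/Arc exe=/usr/bin/osascript cmd=osascript -e 'display dialog "macOS needs your password to continue." default answer "" with hidden answer'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) parent=(?P<parent>\S+) exe=(?P<exe>\S+) cmd=(?P<cmd>.*)$")


@dataclass
class Finding:
    ts: str
    parent: str
    severity: str
    reasons: list = field(default_factory=list)


def analyze_line(line: str):
    """Return a Finding for an osascript hidden-answer prompt, else None."""
    m = LINE_RE.match(line)
    if not m or not m["exe"].endswith("/osascript"):
        return None
    cmd, parent = m["cmd"], m["parent"]
    # Core signal: an AppleScript dialog that masks its input, i.e. a password box.
    if not re.search(r"display dialog.*with hidden answer", cmd, re.S):
        return None
    reasons = ["hidden-answer display dialog"]
    # Boosters: password wording in the prompt, or a parent running from a DMG.
    if re.search(r"password", cmd, re.I):
        reasons.append("prompt text mentions password")
    if parent.startswith("/Volumes/"):
        reasons.append("parent executes from a mounted disk image")
    severity = "high" if len(reasons) > 1 else "medium"
    return Finding(m["ts"], parent, severity, reasons)


def scan(log_text: str) -> list:
    """Run analyze_line over every line of a log and collect the findings."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} [{f.severity}] parent={f.parent}: {', '.join(f.reasons)}")
```

Legitimate management scripts occasionally use hidden-answer dialogs too, so treat the medium-severity hits as candidates for allow-listing rather than alerts.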

"Disguised as a harmless DMG file, it tricks the user into installing it through a phishing image, persuading the user to bypass macOS's Gatekeeper security feature," security researcher Mykhailo Hrebeniuk said.

The findings are yet another indication that macOS environments are increasingly under threat from stealer attacks, with some strains even boasting sophisticated anti-virtualization techniques, activating a self-destructing kill switch to evade detection.

In recent weeks, malvertising campaigns targeting Windows users have also been observed pushing the FakeBat loader (aka EugenLoader) and other information stealers such as Rhadamanthys via a Go-based loader, delivered through decoy sites for popular software such as Notion and PuTTY.
