    Tech Empire Solutions
    Cyber Security

Hackers target macOS users with malvertising campaigns spreading Atomic Stealer malware

By techempire | 4 Comments | 3 Mins Read

Report | March 30, 2024 | Editorial Department | Malware / Cryptocurrency


Malvertising and fake websites have served as conduits for two different stealer malware families, including Atomic Stealer, targeting Apple macOS users.

    Persistent information stealer attacks targeting macOS users may employ different methods to compromise victims’ Macs, but the ultimate goal is to steal sensitive data, Jamf Threat Lab said in a report released on Friday.

One such attack chain targets users searching for the Arc Browser on search engines such as Google: a bogus sponsored advertisement redirects them to a look-alike website (“airci[.]net”) that serves the malware.

    “Interestingly, the malicious website cannot be accessed directly as it returns an error,” said security researchers Jaron Bradley, Ferdous Saljooki and Maggie Zirnhelt. “It is only accessible through a generated sponsored link, presumably to evade detection.”

The disk image file downloaded from the fake website (“ArcSetup.dmg”) delivers Atomic Stealer, which displays a bogus prompt asking users to enter their system password and then uses that access to harvest their data.


Jamf said it also discovered a fake website, meethub[.]gg, that claims to offer free group meeting scheduling software but actually installs another stealer, one that collects the user’s keychain data, credentials stored in web browsers, and information from cryptocurrency wallets.

Much like Atomic Stealer, this malware (said to overlap with the Rust-based stealer family known as Realst) also uses AppleScript calls to prompt users for their macOS login password before carrying out its malicious actions.

The attacks are said to have used the malware after approaching victims under the pretext of discussing job opportunities or interviewing them for a podcast, then asking them to download the app from meethub[.]gg to join the video meeting referenced in the meeting invitation.

“These attacks are often focused on the cryptocurrency industry, as such attacks can result in large losses to the attackers,” the researchers said. “Industry insiders should be highly aware that it is often easy to find public information that they are asset holders, or can be easily associated with companies that place them in the industry.”

Moonlock Lab, the cybersecurity arm of MacPaw, separately revealed that a malicious DMG file (“App_v1.0.4.dmg”) is being used by threat actors to deploy a stealer designed to extract credentials and data from various applications.

This is accomplished via obfuscated AppleScript and bash payloads retrieved from Russian IP addresses; the AppleScript component launches the deceptive password prompt described above to trick users into handing over their system password.
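The password-prompt trick that both the Jamf and the Moonlock reports describe (an AppleScript `display dialog ... with hidden answer` run through `osascript`) is easy to hunt for in process-start telemetry. The following Python is an added example written for this page, not code from Jamf, Moonlock, or the malware itself. The event field names (`pid`, `parent`, `argv`), the base64-wrapped shell one-liner variant, the severity rules, and all sample events are constructed assumptions, not artifacts from the campaigns.

```python
"""Flag AppleScript password-phishing prompts in process-start telemetry.

Added example; not code from the Jamf or Moonlock reports. It assumes
process-start events shaped as dicts with "pid", "parent" (the parent
image path) and "argv". The field names and sample events are constructed.
"""
import base64
import binascii
import re

DIALOG_RE = re.compile(r"display\s+dialog", re.IGNORECASE)
HIDDEN_RE = re.compile(r"with\s+hidden\s+answer", re.IGNORECASE)
# A run of base64 alphabet long enough to carry a script line; short tokens
# such as command names never match.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
SHELLS = {"sh", "bash", "zsh"}


def _decode_b64_tokens(text):
    """Return the UTF-8 text of every valid base64 blob found in text."""
    decoded = []
    for tok in B64_TOKEN_RE.findall(text):
        try:
            decoded.append(base64.b64decode(tok, validate=True).decode("utf-8"))
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
    return decoded


def script_text(argv):
    """Extract the AppleScript carried by a command line, or "" if none.

    Handles `osascript -e <line> -e <line>` and a shell `-c` string that
    pipes an inline or base64-encoded script into osascript (assumed
    obfuscation style, not one documented on the page).
    """
    if not argv:
        return ""
    exe = argv[0].rsplit("/", 1)[-1]
    if exe == "osascript":
        lines = [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-e"]
        return "\n".join(lines)
    if exe in SHELLS and "-c" in argv:
        idx = argv.index("-c")
        cmd = argv[idx + 1] if idx + 1 < len(argv) else ""
        if "osascript" not in cmd:
            return ""
        return "\n".join([cmd] + _decode_b64_tokens(cmd))
    return ""


def classify(event):
    """Return an alert dict for a dialog-based credential prompt, else None."""
    text = script_text(event.get("argv", []))
    if not text or not DIALOG_RE.search(text):
        return None
    hidden = bool(HIDDEN_RE.search(text))          # password-style input box
    from_dmg = event.get("parent", "").startswith("/Volumes/")  # mounted image
    reasons = ["osascript display dialog"]
    if hidden:
        reasons.append("hidden answer (password-style input)")
    if from_dmg:
        reasons.append("parent runs from a mounted disk image")
    severity = "high" if hidden and from_dmg else "medium" if hidden else "low"
    return {"pid": event.get("pid"), "severity": severity, "reasons": reasons}


def scan(events):
    """Classify every event; return only the ones that produced an alert."""
    return [a for a in (classify(e) for e in events) if a]


# Constructed sample telemetry (not captured from a real infection).
_FAKE_PROMPT = ('display dialog "macOS needs your password to continue." '
                'default answer "" with icon caution with hidden answer '
                'buttons {"OK"} default button 1')
_B64_PROMPT = base64.b64encode(_FAKE_PROMPT.encode()).decode()

SAMPLE_EVENTS = [
    # 1. Plain osascript prompt launched by an app running from a mounted DMG
    {"pid": 4101, "parent": "/Volumes/Installer/Setup.app/Contents/MacOS/Setup",
     "argv": ["osascript", "-e", _FAKE_PROMPT]},
    # 2. Same prompt, base64-wrapped and piped through a shell one-liner
    {"pid": 4102, "parent": "/Volumes/Installer/Setup.app/Contents/MacOS/Setup",
     "argv": ["/bin/bash", "-c", f"echo {_B64_PROMPT} | base64 -d | osascript"]},
    # 3. Benign: a build script posting a notification from Terminal
    {"pid": 4103, "parent": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "argv": ["osascript", "-e", 'display notification "Build finished" with title "make"']},
    # 4. Visible yes/no dialog from Script Editor: informational only
    {"pid": 4104, "parent": "/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
     "argv": ["/usr/bin/osascript", "-e", 'display dialog "Continue?" buttons {"Yes", "No"}']},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints three alerts: the two hidden-answer prompts from the mounted disk image as high, and the visible yes/no dialog as low. Visible `display dialog` calls are common in legitimate automation, so they are kept informational; the parent-path rule is the piece to tune, since a stealer copied into `/Applications` or run from a temporary directory will not match the `/Volumes/` prefix.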


    “It disguises itself as a harmless DMG file and uses a phishing image to trick users into installing it, thereby convincing users to bypass macOS’s Gatekeeper security feature,” said security researcher Mykhailo Hrebeniuk.

This development demonstrates that macOS environments are increasingly at risk from stealer attacks, with some strains even incorporating anti-virtualization techniques, triggering a self-destruct kill switch when they detect analysis environments in order to evade detection.

    In recent weeks, malvertising campaigns have also been observed using Go-based loaders to push the FakeBat loader (also known as EugenLoader) and other information-stealing programs (such as Rhadamanthys) through decoy websites for popular software such as Notion and PuTTY.
