Jamf Threat Labs Reports Surge in InfoStealers Targeting macOS Users in the Crypto Industry

Jamf Threat Labs, a division of Jamf, has released findings from its research on the rising threat of infostealers targeting macOS users, particularly those involved in the cryptocurrency industry. The study highlights a creative evolution in the tactics used by attackers to exploit vulnerabilities and steal sensitive data.

According to the research, two notable attacks resulted in the deployment of such stealers on victims' systems. The first, known as Atomic Stealer, was spread through sponsored Google ads that led unsuspecting users to a malicious site imitating the legitimate Arc web browser. The malware, signed ad hoc, instructs users to bypass Gatekeeper warnings and employs various techniques to avoid detection, including XOR encoding.

Atomic Stealer works by executing AppleScript payloads to collect information and can prompt users for their macOS password in order to dump plaintext passwords from the keychain. The malware then sends a POST request to the attacker's server containing a base64-encoded zip file of the exfiltrated data.
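For responders who capture such a POST body from a proxy or packet capture, the first triage step is to confirm it really is a base64-encoded zip and to inventory what the stealer collected. The following Python helper is an added example, not code from Jamf Threat Labs or from the malware; it assumes the body format the report describes (base64 wrapping a zip), and the sample body, file names and the `SENSITIVE_MARKERS` list are constructed for illustration.

```python
"""Triage a captured infostealer exfiltration body (added example).

Assumes the captured POST body is a base64-encoded zip archive, as the
report describes. The sample body below is built in memory and contains
only placeholder text, not real exfiltrated data.
"""
import base64
import binascii
import io
import zipfile

# File-name fragments that suggest credential or wallet material (assumed list).
SENSITIVE_MARKERS = ("keychain", "login", "wallet", "cookies", "password")


def build_sample_body() -> str:
    """Construct a stand-in for a captured POST body (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sysinfo.txt", "constructed system info")
        zf.writestr("keychain/login.keychain-db", "constructed placeholder")
        zf.writestr("wallets/exodus/seed.seco", "constructed placeholder")
        zf.writestr("screenshot.png", "constructed placeholder")
    return base64.b64encode(buf.getvalue()).decode("ascii")


def decode_exfil_body(body: str) -> zipfile.ZipFile:
    """Base64-decode a captured body and open the result as a zip archive.

    Raises ValueError when the body is not strict base64 or does not decode
    to a zip, so a responder learns immediately that the sample does not
    match the expected format instead of getting a confusing traceback.
    """
    try:
        raw = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    if not zipfile.is_zipfile(io.BytesIO(raw)):
        raise ValueError("decoded body is not a zip archive")
    return zipfile.ZipFile(io.BytesIO(raw))


def inventory(body: str) -> dict:
    """Return the archive listing, the entries that look credential-related,
    and the total uncompressed size (a rough measure of what was taken)."""
    with decode_exfil_body(body) as zf:
        names = zf.namelist()
        flagged = [n for n in names
                   if any(m in n.lower() for m in SENSITIVE_MARKERS)]
        total = sum(info.file_size for info in zf.infolist())
    return {"entries": names, "flagged": flagged, "uncompressed_bytes": total}


if __name__ == "__main__":
    report = inventory(build_sample_body())
    for name in report["entries"]:
        tag = "SENSITIVE" if name in report["flagged"] else "-"
        print(f"{tag:9} {name}")
    print(f"{len(report['flagged'])} of {len(report['entries'])} entries flagged; "
          f"{report['uncompressed_bytes']} bytes uncompressed")
```

The inventory never extracts files to disk: the archive is read entirely in memory, which keeps stolen keychain or wallet material from being written to the analyst's own filesystem during triage.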

The second attack, referred to as Meethub, involved the execution of an unsigned executable with a known-bad hash. The Meethub app, which presents itself as virtual meeting software, is downloaded from a website that provides instructions on how to bypass Gatekeeper prompts. The app's main binary runs reconnaissance commands and prompts the user for their macOS login password, which is then used to copy and dump data from the keychain. The infostealer also collects usernames, passwords, credit card details, and data from installed crypto wallets, sending updates to the attacker's server at various stages of the compromise.

"These attacks are often focused on those in the crypto industry as such efforts can lead to large payouts for attackers," said a spokesperson from Jamf Threat Labs. "Social engineering for the sake of crypto gain is being done by both APT groups and cybercriminals. Building rapport before infiltrating is happening more frequently on the macOS platform."

The report concludes that macOS users, particularly those involved in the cryptocurrency industry, need to remain vigilant and on alert for these types of attacks. The infostealers observed by Jamf Threat Labs highlight the importance of being cautious when downloading software and being aware of the tactics used by attackers to gain access to sensitive information.