Hackers Attack on macOS Users Using Malicious Ads Increasing Stealer Malware

Malicious advertisements and phony websites are used to spread two types of stealer malware. One of these malware is -  Atomic Stealer, which targets Apple macOS users.

Jamf Threat Labs claimed in a research published Friday, “The continuous infostealer assaults targeted macOS users. In reality, it may have used different tactics to hack the Macs of victims. But, the matter of surprise is that they all aim to steal confidential information.”

One such attack chain targets people who seek Arc Browser on search engines. These search engines are-  Google and many more. The best part is that such an engine serves false adverts that drive them to look like sites ("airci[.]net") that host the malware.

Security experts Jaron Bradley, Ferdous Saljooki, and Maggie Zirnhelt explained, "Interestingly, the malicious website cannot be accessed directly, as it returns an error. It can only be accessed through a generated sponsored link, presumably to evade detection."

The disk image file that was obtained from the fraudulent website namely- "ArcSetup.dmg" contains Atomic Stealer. Actually, it is known to ask users to input their system credentials via a bogus prompt. As an outcome, it facilitates information theft.

Jamf also uncovered a bogus website called meethub[.]gg. It purports to provide free group meeting scheduling software. But, in reality, it installs stealer malware capable of capturing users' keychain data. Besides, it also saved passwords in web browsers and information from cryptocurrency wallets.

Similar to Atomic Stealer, the virus is claimed to overlap with the Realst Stealer family built on Rust. It requests the user for their macOS login password. It is the way to prevent carrying out its harmful acts via an AppleScript call.

Attackers who prefer to use this malware, approach victims to discuss career prospects and interview them for a podcast. Apart from this, it makes it possible for victims not to request to download an app from meethub[.]gg. Furthermore, this is the way to prevent them from participating in a video conference supplied in the meeting invitations.

The authors of the study noted, "These attacks are often focused on those in the crypto industry as such efforts can lead to large payouts for attackers. Those in the industry should be hyper-aware that it's often easy to find public information that they are asset holders or can easily be tied to a company that puts them in this industry."

The news comes from MacPaw's cybersecurity subsidiary Moonlock Lab. It revealed that threat actors are using malicious DMG files ("App_v1.0.4.dmg"). Users also came to know about the purpose of spreading stealer malware. The main purpose of doing so was to take passwords and data from a variety of apps.

This is performed through the use of an obfuscated AppleScript and bash payload. In reality, they were obtained from a Russian IP address. AppleScript is used to create a fake prompt and to deceive users into supplying system credentials.

Security researcher Mykhailo Hrebeniuk stated, "Disguised as a harmless DMG file, it tricks the user into installation via a phishing image, persuading the user to bypass macOS's Gatekeeper security feature.”

The findings also indicate that macOS environments are more vulnerable to stealer assaults. In the meantime, some strains even employ advanced anti-virtualization strategies. These strategies are - such as triggering a self-destructing kill switch to avoid detection.

Malvertising efforts have recently been spotted spreading the FakeBat loader also known as “EugenLoader”. Last but not least, you must know that the information stealers namely - Rhadamanthys via a Go-based loader through decoy sites for popular applications such as Notion and PuTTY.