MetaStealer malware targets Apple macOS in recent attacks


A new information-stealing malware called MetaStealer has set its sights on Apple macOS, the latest in a growing list of macOS-focused stealer families after Stealer, Pureland, Atomic Stealer and Realst.
“Malicious actors are proactively targeting macOS businesses by posing as fake customers to socially trick their victims into launching malicious payloads,” Phil Stokes, security researcher at SentinelOne, said in a Monday analysis.
In these attacks, MetaStealer is distributed as a malicious application bundle inside a disk image (DMG). The attackers approach their targets posing as prospective design clients and share a password-protected ZIP archive that contains the DMG file.
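The delivery pattern described above (a password-protected ZIP carrying a disk image) can be triaged without extracting anything: the ZIP central directory records each entry's name and an "encrypted" flag bit in cleartext. The script below is an added example, not code from the article or from SentinelOne; `triage_zip` and `build_sample` are hypothetical names, the archive contents are constructed placeholder text, and the encrypted flag is set by patching the header bits so the sample runs offline.

```python
import io
import struct
import zipfile

# Lure pattern from the article: a password-protected ZIP that carries a DMG.
# Extensions are a hypothetical watch-list, not values from the article.
SUSPICIOUS_SUFFIXES = (".dmg", ".app", ".pkg")
ENCRYPTED_FLAG = 0x0001  # ZIP general-purpose flag bit 0: entry is encrypted


def triage_zip(data: bytes) -> dict:
    """Summarise a ZIP archive from its central directory only.

    No member is decompressed or decrypted, so this is safe to run over an
    attachment or quarantined sample. Each entry's name, size and encrypted
    flag are reported, plus whether the archive matches the pattern
    'encrypted archive containing a disk image / app bundle'.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [
            {
                "name": info.filename,
                "size": info.file_size,
                "encrypted": bool(info.flag_bits & ENCRYPTED_FLAG),
            }
            for info in zf.infolist()
        ]
    disk_images = [e["name"] for e in entries
                   if e["name"].lower().endswith(SUSPICIOUS_SUFFIXES)]
    has_encrypted = any(e["encrypted"] for e in entries)
    return {
        "entries": entries,
        "disk_images": disk_images,
        "encrypted_disk_image": has_encrypted and bool(disk_images),
    }


def build_sample(names, encrypted: bool) -> bytes:
    """Constructed sample archive (not a real malware sample).

    Builds an in-memory ZIP whose members hold inert placeholder text. When
    `encrypted` is True, the encrypted flag bit is set on every local file
    header (signature PK\\x03\\x04, flags at offset 6) and central directory
    header (signature PK\\x01\\x02, flags at offset 8), which is how a
    password-protected archive presents itself to a directory-only reader.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + off)[0]
                struct.pack_into("<H", data, pos + off, flags | ENCRYPTED_FLAG)
                pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    # Constructed member names: one benign-looking brief, one DMG lure.
    for label, names, enc in (
        ("benign", ["Design_brief.pdf"], False),
        ("lure", ["Adobe_Design_Files.dmg"], True),
    ):
        report = triage_zip(build_sample(names, encrypted=enc))
        print(label, report["encrypted_disk_image"], report["disk_images"])
```

Because only the central directory is read, the check works on the archive even when the password is unknown; a hit is a reason to detonate the DMG in a sandbox and review its notarisation and quarantine state, not a verdict on its own.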

Other cases involve malware masquerading as Adobe files or Adobe Photoshop installers. Evidence collected so far shows that MetaStealer artifacts began appearing in the wild in March 2023. The most recent sample was uploaded to VirusTotal on August 27, 2023.
“This specific targeting of business users is somewhat unusual for macOS malware, which is more often distributed via torrent sites or suspicious third-party software distributors as cracked versions of commercial, productivity, or other popular software,” Stokes said.
The main component of the payload is an obfuscated Go-based executable with functionality to harvest data from iCloud Keychain, saved passwords, and files from the compromised host.
Some versions of the malware have been observed containing functions that could target Telegram and Meta services.
SentinelOne said it has observed some variants of MetaStealer masquerading as TradingView, the same tactic that has been adopted by Atomic Stealer in recent weeks.
This raises two possibilities: either the same malware authors are behind both stealer families and different threat actors have adopted them (which would explain the differences in delivery mechanism), or the two families are the work of separate groups.
“The emergence of another macOS information stealer this year shows that the trend of targeting Mac users for their data continues to gain popularity among threat actors,” Stokes said.
“What sets MetaStealer apart among this generation of recent malware is the clear targeting of business users and the goal of exfiltrating valuable keychains and other information from those targets. This high-value data can be used to pursue other cybercriminal activities or gain a foothold in a larger business network.”