2024-04-11

MacOS Info-Stealing Attacks with Ad Scams & Fake Apps

Level: Tactical | Source: Jamf & Patrick Wardle | Global

Researchers at Jamf Threat Labs have uncovered two information-stealing malware campaigns targeting macOS users. In one of the two attacks, the attackers specifically target the victim's cryptocurrency wallet, indicating a focus on individuals associated with cryptocurrency. Both attacks impersonate legitimate sites and software to achieve their data exfiltration objectives.

The first attack distributes Atomic Stealer, using sponsored ads to redirect users to a malicious site posing as the legitimate Arc web browser. A successful Atomic Stealer infection compromises data that could contain sensitive personal, financial, or login information, including user credentials, browser cookies, and files. The malware asks users directly for their macOS password under a fabricated pretext, which enables access to the keychain and subsequent data theft. Jamf researchers note, "Dumping plain text passwords out of the keychain requires the user’s macOS password. Infostealer developers have long caught on to the fact that the easiest way to get this password is to simply ask the user for it. We see a prompt generated via a call to AppleScript."
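The AppleScript password prompt Jamf describes can be hunted for in process-execution telemetry by looking at `osascript` command lines. The following is an added example, not code from Jamf or the original page; the event shape, scoring weights, threshold and parent-path heuristic are assumptions, and the sample events are constructed.

```python
import os
import re

# Constructed process-execution events (shape is an assumption; map your EDR fields to it).
SAMPLE_EVENTS = [
    {"pid": 811, "parent": "/Applications/Notes.app/Contents/MacOS/Notes",
     "argv": ["/usr/bin/osascript", "-e", 'display notification "Sync complete"']},
    {"pid": 902, "parent": "/Volumes/Installer/Installer.app/Contents/MacOS/Installer",
     "argv": ["/usr/bin/osascript", "-e",
              'display dialog "Enter your password to continue." '
              'default answer "" with hidden answer']},
    {"pid": 950, "parent": "/bin/zsh",
     "argv": ["osascript", "-e", 'display dialog "Save changes?" buttons {"No", "Yes"}']},
    {"pid": 977, "parent": "/bin/zsh", "argv": ["/usr/bin/python3", "build.py"]},
]

DIALOG = re.compile(r"\bdisplay\s+dialog\b", re.I)
HIDDEN = re.compile(r"\bhidden\s+answer\b", re.I)
PASSWORD = re.compile(r"\bpassword\b", re.I)
# Assumption: parents running from a mounted disk image or temp dir deserve extra weight.
UNUSUAL_PARENT_PREFIXES = ("/Volumes/", "/private/tmp/", "/tmp/")

def score_event(event):
    """Return (score, reasons) for one event; 0 means no osascript dialog prompt."""
    argv = event.get("argv") or []
    if not argv or os.path.basename(argv[0]) != "osascript":
        return 0, []
    # Only inline scripts (-e) are visible here; script files and stdin need other telemetry.
    script = " ".join(argv[1:])
    if not DIALOG.search(script):
        return 0, []
    score, reasons = 1, ["osascript display dialog"]
    if HIDDEN.search(script):
        score, reasons = score + 2, reasons + ["masked input field"]
    if PASSWORD.search(script):
        score, reasons = score + 2, reasons + ["dialog text mentions password"]
    if event.get("parent", "").startswith(UNUSUAL_PARENT_PREFIXES):
        score, reasons = score + 1, reasons + ["parent runs from disk image or temp dir"]
    return score, reasons

def find_password_prompts(events, threshold=3):
    """Return [(pid, score, reasons)] for events at or above the threshold."""
    scored = [(e["pid"], *score_event(e)) for e in events]
    return [hit for hit in scored if hit[1] >= threshold]

if __name__ == "__main__":
    print(find_password_prompts(SAMPLE_EVENTS))
```

Legitimate installers and management tools also raise dialogs through `osascript`, so the ordinary confirmation dialog in the sample scores below the threshold while the masked password prompt is flagged.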

The second attack involves an unsigned application masquerading as the "Meethub" collaboration and meeting software, tricking victims into installing an information-stealer. Scammers contacted victims directly with proposals for meetings: "In one case, to discuss recording a podcast with the victim and in the other, to discuss a job opportunity. Both profiles showed heavy involvement in Crypto and Blockchain," according to Jamf. The stealer executes once the user agrees, and it requests the user’s macOS login password under the guise of normal application behavior. Once the password is obtained, the stealer accesses the user’s keychain using chainbreaker, an open-source forensics utility designed for extracting data from the Mac OSX keychain. This attack targets and extracts sensitive data, including usernames, passwords, browser history, credit card details, and information from crypto wallets such as Ledger and Trezor.

From masquerading as legitimate advertisements to creating counterfeit software, these tactics underscore the need for macOS users, particularly those in the crypto industry, to stay alert to the rising number of attacks on this platform. As macOS adoption expands in the enterprise sector and the platform grows in popularity, attackers naturally gravitate towards the enlarging pool of potential victims. Evidence of the increasing threat to macOS includes research by Patrick Wardle, which identified 21 new malware families in 2023 alone. Notable among these are a macOS variant developed by LockBit and a ransomware variant known as Turtle.
