Hackers Employ Malicious Ads to Target macOS Users with Stealer Malware


VTA-004478 – Hackers Employ Malicious Ads to Target macOS Users with Stealer Malware

Malicious advertisements and fake websites are being used to distribute two distinct stealer malware families, Atomic Stealer among them, aimed at Apple macOS users. The ongoing infostealer campaigns against macOS users employ various techniques to compromise victims’ Macs, but their ultimate objective remains the theft of sensitive data.

One attack chain targets users searching for Arc Browser on search engines such as Google. Fake ads redirect them to imitation websites such as “airci[.]net,” which then serve the malware. The malicious site cannot be reached directly (a direct visit returns an error); it is reachable only through the sponsored link. The disk image downloaded from the counterfeit site (“ArcSetup.dmg”) contains Atomic Stealer, which is notorious for tricking users into entering their system password through a fake prompt, ultimately leading to the theft of information.

Researchers have also identified a fraudulent website, meethub[.]gg, which falsely promises free group meeting scheduling software. It actually installs a different stealer capable of harvesting users’ keychain data, credentials stored in web browsers, and information from cryptocurrency wallets. Like Atomic Stealer, this malware, which is said to be related to a Rust-based stealer family known as Realst, tricks users into providing their macOS login password through an AppleScript call and then carries out its malicious activity. Victims have reportedly been approached under the pretext of discussing job opportunities or being interviewed for a podcast, and are then asked to download an app from meethub[.]gg to join a video conference referenced in the meeting invitation.

Primarily, these attacks target individuals in the crypto industry, since successful breaches in this sector can yield significant payouts for the attackers. Researchers have also revealed that threat actors are distributing malicious DMG files (“App_v1.0.4.dmg”) to deploy a stealer designed to extract credentials and data from various applications. This is achieved through an obfuscated AppleScript and bash payload fetched from an IP address located in Russia. Disguised as a harmless DMG file, the malware tricks users into installing it by displaying a phishing image that persuades them to bypass macOS’s Gatekeeper security feature. These findings highlight the growing threat of stealer attacks against macOS environments. Some malware strains even employ sophisticated anti-virtualization techniques, such as triggering a self-destruct kill switch, to evade detection.
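As an added illustration of how a defender might surface the tradecraft described above (the AppleScript hidden-answer password prompt, and DMG downloads from the lure domains and file names named in this advisory), the following Python triage script, which is not part of the advisory or of any vendor tooling, runs three rules over constructed JSON-lines telemetry; the event schema, the "MeetHub.dmg" file name and the example.com hosts are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Domains and DMG names quoted in the advisory (defanging brackets removed so they match).
LURE_DOMAINS = {"airci.net", "meethub.gg"}
LURE_DMG_NAMES = {"ArcSetup.dmg", "App_v1.0.4.dmg"}
# The fake credential prompt: an AppleScript dialog asking for a password with hidden input.
FAKE_PROMPT_RE = re.compile(r"display dialog.*?password.*?with hidden answer", re.I | re.S)

# Constructed sample telemetry (JSON lines), not real captures; "MeetHub.dmg" is a made-up name.
SAMPLE_EVENTS = r"""
{"type": "process", "host": "mac-01", "image": "/usr/bin/osascript", "cmdline": "osascript -e 'display dialog \"macOS wants to make changes. Enter your password.\" default answer \"\" with hidden answer'"}
{"type": "download", "host": "mac-01", "url": "https://airci.net/ArcSetup.dmg", "file": "ArcSetup.dmg"}
{"type": "process", "host": "mac-02", "image": "/usr/bin/osascript", "cmdline": "osascript -e 'display notification \"Build finished\"'"}
{"type": "download", "host": "mac-02", "url": "https://cdn.example.com/App_v1.0.4.dmg", "file": "App_v1.0.4.dmg"}
{"type": "download", "host": "mac-03", "url": "https://meethub.gg/download/MeetHub.dmg", "file": "MeetHub.dmg"}
{"type": "download", "host": "mac-03", "url": "https://cdn.example.com/Editor-2.1.dmg", "file": "Editor-2.1.dmg"}
"""

def classify(event: dict) -> list:
    """Return the names of the rules this event triggers (empty list if none)."""
    hits = []
    if event.get("type") == "process":
        # Rule 1: osascript spawning a hidden-answer password dialog (the fake prompt described above).
        if event.get("image", "").endswith("osascript") and FAKE_PROMPT_RE.search(event.get("cmdline", "")):
            hits.append("applescript_fake_password_prompt")
    elif event.get("type") == "download":
        host = (urlparse(event.get("url", "")).hostname or "").lower()
        name = event.get("file", "")
        # Rule 2: any DMG fetched from a lure domain or one of its subdomains.
        if name.lower().endswith(".dmg") and any(host == d or host.endswith("." + d) for d in LURE_DOMAINS):
            hits.append("dmg_from_lure_domain")
        # Rule 3: DMG name matches one named in the advisory, wherever it was fetched from.
        if name in LURE_DMG_NAMES:
            hits.append("dmg_name_in_advisory")
    return hits

def scan(jsonl: str) -> list:
    """Parse JSON-lines telemetry and return (host, hits) for every event that fires a rule."""
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            hits = classify(event)
            if hits:
                alerts.append((event["host"], hits))
    return alerts
```

Rule 1 is the most durable of the three, since lure domains and file names change between campaigns while the hidden-answer password dialog is the mechanism the stealer relies on.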


Attack Surfaces:
Cloud Service, Email, Endpoint OS, Others, Web Application

Tactics:
Credential Access, Discovery, Execution, Exfiltration, Initial Access, Reconnaissance

Techniques:
T1140 – Deobfuscate/Decode Files or Information
T1056 – Input Capture

Indicators of Compromise:
1. Lure domains: airci[.]net, meethub[.]gg
2. Malicious disk images: ArcSetup.dmg, App_v1.0.4.dmg

Reference:
1. https://www.jamf.com/blog/infostealers-pose-threat-to-macos/

SuperPRO’s Threat Countermeasures Procedures:
1. Verify the URL before clicking to avoid landing on fraudulent websites.
2. Refrain from downloading content from sites that are not trustworthy.
3. Ensure that both hardware and software are regularly updated with the most recent security patches.
4. Install reliable security software on devices.

Contributed by: Varrumen