    Wednesday, February 11

    Malicious Ads Exploit macOS Users, Unleashing Stealer Malware

    By securnerd | 3 Mins Read

    Reports reveal a surge in malicious ad campaigns targeting Apple macOS users, unleashing two distinct strains of stealer malware, notably Atomic Stealer, in a bid to pilfer sensitive data.

    Recent investigations by Jamf Threat Labs have unveiled a concerning trend of infostealer attacks specifically aimed at macOS users. These attacks employ various tactics to infiltrate Mac systems, all with the singular aim of exfiltrating critical information.

    One such attack vector involves the deceptive use of ads masquerading as legitimate sources, particularly targeting users searching for the Arc Browser. Upon clicking on these ads, unsuspecting users are redirected to counterfeit websites like “airci[.]net,” serving as a gateway for malware dissemination.

    Security analysts Jaron Bradley, Ferdous Saljooki, and Maggie Zirnhelt noted, “Interestingly, the malicious website cannot be accessed directly, as it returns an error. It can only be accessed through a generated sponsored link, presumably to evade detection.”

    The malware, packaged within a disk image file titled “ArcSetup.dmg,” deploys Atomic Stealer, known for its tactic of coaxing users into entering their system passwords through deceptive prompts, ultimately facilitating data theft.

    In a parallel scheme, the researchers uncovered a fake website named meethub[.]gg, posing as a platform offering free group meeting scheduling software. However, it surreptitiously installs another variant of stealer malware capable of harvesting keychain data, browser-stored credentials, and cryptocurrency wallet information.

    Like Atomic Stealer, this malware, believed to be linked to the Realst stealer family, uses an AppleScript call to prompt users for their macOS login passwords in order to carry out its malicious operations.
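
    Both stealers described above obtain the login password through an AppleScript prompt, which gives defenders a process-level signal to hunt for. The following detection sketch is an added example, not code from the article or from Jamf: the event schema (`path`, `parent`, `args`), the sample events, the parent-path prefixes and the three-reason threshold are all assumptions made for illustration.

```python
import json
import re

# Constructed process-execution events (not taken from the Jamf report). The
# field names "path", "parent" and "args" are an assumed telemetry schema.
SAMPLE_EVENTS = r"""
{"pid": 411, "path": "/usr/bin/osascript", "parent": "/Volumes/Setup/Installer.app/Contents/MacOS/Installer", "args": ["osascript", "-e", "display dialog \"Enter your password to continue\" default answer \"\" with hidden answer"]}
{"pid": 412, "path": "/usr/bin/osascript", "parent": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "args": ["osascript", "-e", "display notification \"Build finished\""]}
{"pid": 413, "path": "/usr/bin/osascript", "parent": "/Users/a/Downloads/Meeting.app/Contents/MacOS/Meeting", "args": ["osascript", "-e", "Display  Dialog \"System Preferences needs your PASSWORD\" with hidden answer"]}
{"pid": 414, "path": "/bin/ls", "parent": "/bin/zsh", "args": ["ls", "-la"]}
"""

DIALOG = re.compile(r"display\s+dialog", re.I)
HIDDEN = re.compile(r"hidden\s+answer", re.I)
PASSWORD = re.compile(r"pass(word|code)", re.I)
UNTRUSTED_PARENTS = ("/Volumes/", "/Users/", "/private/tmp/")  # assumed prefixes

def score_event(event):
    """Return the reasons an exec event looks like a scripted password prompt."""
    if not event.get("path", "").endswith("/osascript"):
        return []
    script = " ".join(event.get("args", [])[1:])
    if not DIALOG.search(script):
        return []
    reasons = ["osascript display dialog"]
    if HIDDEN.search(script):
        reasons.append("masked input (hidden answer)")
    if PASSWORD.search(script):
        reasons.append("dialog text asks for a password")
    if event.get("parent", "").startswith(UNTRUSTED_PARENTS):
        reasons.append("parent runs from a mounted image or user-writable path")
    return reasons

def find_password_prompts(log_text, min_reasons=3):
    """Scan JSON-lines telemetry and return (pid, reasons) for likely prompts."""
    hits = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line: skip instead of aborting the scan
        reasons = score_event(event)
        if len(reasons) >= min_reasons:
            hits.append((event.get("pid"), reasons))
    return hits

if __name__ == "__main__":
    for pid, reasons in find_password_prompts(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

    Requiring several independent reasons keeps benign `osascript` use, such as the notification in the second sample event, out of the results.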

    The attackers have been observed luring victims with promises of job opportunities and podcast interviews, subsequently directing them to download an application from meethub[.]gg to join video conferences purportedly offered in meeting invitations.

    “The crypto industry remains a prime target for these attacks, given the potential for substantial gains,” remarked the researchers. “Professionals in this sector should exercise heightened vigilance, given the ease with which attackers can gather public information linking individuals to valuable assets.”

    Meanwhile, Moonlock Lab, a cybersecurity division of MacPaw, has uncovered another tactic wherein threat actors deploy malicious DMG files (“App_v1.0.4.dmg”) to distribute stealer malware, leveraging obfuscated AppleScript and bash payloads sourced from a Russian IP address.

    “This disguised DMG file capitalizes on phishing tactics, persuading users to bypass macOS’s Gatekeeper security feature,” explained security researcher Mykhailo Hrebeniuk.

    These revelations underscore the escalating threat landscape faced by macOS users, with some strains of malware employing sophisticated anti-virtualization techniques, including self-destructing kill switches, to evade detection.

    Recent malvertising campaigns have further exacerbated the risk, disseminating loaders like FakeBat (aka EugenLoader) and information stealers such as Rhadamanthys via decoy sites mimicking popular software platforms like Notion and PuTTY.
