Pierluigi Paganini
April 01, 2024
Jamf Threat Labs researchers analyzed info stealer malware attacks targeting macOS users via malicious ads and rogue websites.
One of the attacks spotted by the researchers relied on sponsored ads proposed to the users while searching for “Arc Browser” on Google. The search engine proposed a malicious site aricl[.]net that imitates the legitimate arc.net.
Reddit users also described the malicious ads in a discussion. The researchers noticed that the malicious website can only be visited through a generated sponsored link; otherwise, it returns an error. This technique allows for evasion of detection.
The malicious site includes a link to download Arc for macOS. Sometimes, the sponsored link would also direct us to an identical malicious website (airci[.]net).
The disk image file (DMG) downloaded from the site is signed ad-hoc and provides instructions to right-click the app and select open thus overriding any Gatekeeper warnings.
“Similar to previous variants of Atomic stealer, it contains minimal strings as most of them are xor encoded to avoid detection which is a common technique for evading static signatures.” reads the report published by Jamf Threat Labs.
“This variant of Atomic stealer will call a function named bewta(), which de-xors various bytes with the hardcoded xor key 0x91.”
Jamf also spotted another attack that used a malicious website named meethub[.]gg that claims to offer virtual meeting software for the call.
The scammer sent direct messages to the victims, they posed as harmless individuals hoping to schedule a meeting. In one case, to discuss recording a podcast with the victim and in the other, to discuss a job opportunity. The attackers instructed the victims to use Meethub as the virtual meeting software for the call.
In this case, the malware served to the victims allows scammers to steal login credentials from the browser, capture credit card details, steal data from a list of installed crypto wallets, including Ledger and Trezor.
“Although unconfirmed to be directly related, there are a number of interesting similarities between this stealer and the stealer originally documented as Realst stealer.” continues the report. “Both share a handful of features, such as the chosen language of Rust for the main executable, the use of chainbreaker, and the fact that the chainbreaker machO hash can be seen within a number of video game-like pkgs — an approach used by Realst — that have been uploaded to VirusTotal and identified as malicious.”
The report published by the researchers details two of the numerous infostealer attacks against macOS users over the last year. Most of the attacks primarily targets individuals involved in the cryptocurrency industry, promising substantial gains for the perpetrators
The report includes indicators of compromise (IoCs) for the attacks analyzed by the researchers.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, info stealer malware)
