MetaStealer Malware is Targeting Enterprise macOS Users

Cyber Security Threat Summary:
A new strain of macOS malware is targeting enterprise users, as indicated by file names and content. Some versions of this malware, called MetaStealer, masquerade as Adobe files, while others use deceptive methods like password-protected ZIP files sent by fake clients. Once opened, these files reveal an app disguised as a PDF, “The files have been uploaded to VirusTotal, along with a comment from the uploader that they were contacted by someone pretending to be a client, who sent them a password-protected ZIP file containing that DMG file. Once opened, it would reveal an app disguised as a PDF” (HelpNetSecurity, 2023).

The MetaStealer bundles contain an obfuscated Go-based executable that can exfiltrate the macOS keychain, steal passwords, and files. Unusually, this malware specifically targets business users, deviating from the typical distribution via torrent sites or third-party software distributors. These malware samples are Intel x86_64 binaries and cannot run on Apple's M1 and M2 machines without Rosetta, “The applications inside the MetaStealer disk images contain the minimum required to form a valid macOS bundle, namely an Info.plist file, a Resources folder containing an icon image and a MacOS folder containing the malicious executable,” noted Phil Stokes, threat researcher at SentinelOne’’ (HelpNetSecurity, 2023).

Security Officer Comments:
As macOS devices gain popularity in enterprise environments, cybercriminals have turned their attention to developing macOS-specific malware. Some variants of MetaStealer, a malware strain, have been observed posing as TradingView, similar to another malware called Atomic Stealer. Both MetaStealer and Atomic Stealer are Go-based and use osascript to display error messages. However, researchers have not identified significant code, infrastructure, or delivery method similarities between them. This raises the possibility that different individuals or teams are employing similar techniques for separate objectives. This targeting of business users represents an unusual approach for macOS malware, which is typically distributed through torrent sites or suspicious third-party software distributors as cracked versions of popular software.

Suggested Correction(s):
All Mac users are advised to ensure they have an adequate security solution in place and IT and security teams are encouraged to review the comprehensive list of IoCs below.

MetaStealer Droppers AdobeOfficialBriefDescription.dmg 00b92534af61a61923210bfc688c1b2a4fecb1bb

Adobe Photoshop 2023 (with AI) installer.dmg 51e8eaf98b77105b448f4a0649d8f7c98ac8fc66

Advertising terms of reference (MacOS presentation).dmg 14da5241119bf64d9a7ffc2710b3607817c8df2f

AnimatedPoster.dmg c2cd344fbcd2d356ab8231d4c0a994df20760e3e

CardGame.dmg 5ba3181df053e35011e9ebcc5330034e9e895bfe

Conract for paymen & confidentiality agreement Lucasprod.dmg dec16514cd256613128b93d340467117faca1534

FreyaVR 1.6.102.dmg d3fd59bd92ac03bccc11919d25d6bbfc85b440d3

Matrix.dmg 3033c05eec7c7b98d175df2badd3378e5233b5a2 345d6077bfb9c55e3d89b32c16e409c508626986

P7yersOfficialBriefDescription 1.0.dmg 35bfdb4ad20908ac85d00dcd7389a820f460db51 aa40f3f71039096830f2931ac5df2724b2c628ab

TradingView.dmg e49c078b3c3f696d004f1a85d731cb9ef8c662f1

YoungClass brief presentation Mac 3161e6c88a4da5e09193b7aac9aa211a032526b9

YoungSUG(Cover references,tasks,logos,brief)\YoungSUG_Official_Brief_Description_LucasProd.dmg 61c3f2f3a7521920ce2db9c9de31d7ce1df9dd44

Mach-O Binaries – Intel x86_64
(not showm - please contact us for more information)

Network Communications IPs 13[.]114.196[.]60 13[.]125.88[.]10

Domains api.osx-mac[.]com builder.osx-mac[.]com db.osx-mac[.]com