Cyber Security Threat Summary:
A new strain of macOS malware is targeting enterprise users, as indicated by the file names and content of its samples. Some versions of this malware, known as MetaStealer, masquerade as Adobe files, while others rely on social engineering such as password-protected ZIP files sent by fake clients. Once opened, these files reveal an app disguised as a PDF: “The files have been uploaded to VirusTotal, along with a comment from the uploader that they were contacted by someone pretending to be a client, who sent them a password-protected ZIP file containing that DMG file. Once opened, it would reveal an app disguised as a PDF” (HelpNetSecurity, 2023).
The MetaStealer bundles contain an obfuscated Go-based executable that can exfiltrate the macOS keychain, saved passwords, and files. Unusually, this malware specifically targets business users, a departure from the typical macOS malware distribution via torrent sites or third-party software distributors. The samples are Intel x86_64 binaries and cannot run on Apple's M1 and M2 machines without Rosetta. “The applications inside the MetaStealer disk images contain the minimum required to form a valid macOS bundle, namely an Info.plist file, a Resources folder containing an icon image and a MacOS folder containing the malicious executable,” noted Phil Stokes, threat researcher at SentinelOne (HelpNetSecurity, 2023).
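As an added defender-side example (not code from the article, HelpNetSecurity or SentinelOne), the Python script below triages a mounted .app bundle for the two traits described above: the bare-minimum bundle layout (Info.plist, Resources, MacOS and nothing else) and a thin Intel x86_64 Mach-O main executable. The ".pdf.app" name check and the constructed stand-in bundle it builds in a temporary directory are assumptions for illustration, not details taken from the samples.

```python
import os
import plistlib
import struct
import tempfile

MH_MAGIC_64 = 0xFEEDFACF  # thin 64-bit Mach-O magic (stored little-endian on Intel)
CPU_TYPE_X86_64 = 0x01000007  # Mach-O cputype for Intel x86_64

def macho_cputype(path):
    """cputype from a thin 64-bit Mach-O header; None for fat, short or non-Mach-O files."""
    with open(path, "rb") as f:
        hdr = f.read(8)
    if len(hdr) < 8:
        return None
    magic, cputype = struct.unpack("<II", hdr)
    return cputype if magic == MH_MAGIC_64 else None

def triage_bundle(app_dir):
    """Flag the traits the article attributes to the MetaStealer app bundles."""
    findings = []
    contents = os.path.join(app_dir, "Contents")
    # Trait 1: nothing beyond the bare minimum needed for a valid bundle.
    if sorted(os.listdir(contents)) == ["Info.plist", "MacOS", "Resources"]:
        findings.append("minimal-bundle")
    with open(os.path.join(contents, "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    # Trait 2: the main executable is a thin Intel x86_64 Mach-O (needs Rosetta on M1/M2).
    exe = os.path.join(contents, "MacOS", info.get("CFBundleExecutable", ""))
    if os.path.isfile(exe) and macho_cputype(exe) == CPU_TYPE_X86_64:
        findings.append("intel-only-executable")
    # Trait 3 (assumed heuristic): an .app whose name ends in .pdf poses as a document.
    if os.path.basename(app_dir).lower().endswith(".pdf.app"):
        findings.append("pdf-lookalike-name")
    return findings

def build_sample_bundle(root):
    """Construct a stand-in bundle with those traits (made up here, not a real sample)."""
    app = os.path.join(root, "OfficialBriefDescription.pdf.app")
    for sub in ("MacOS", "Resources"):
        os.makedirs(os.path.join(app, "Contents", sub))
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": "Brief", "CFBundleIconFile": "icon.icns"}, f)
    with open(os.path.join(app, "Contents", "MacOS", "Brief"), "wb") as f:
        f.write(struct.pack("<II", MH_MAGIC_64, CPU_TYPE_X86_64) + b"\0" * 24)  # header stub
    return app

def demo():
    # Build the stand-in bundle in a temp dir and return its triage findings.
    with tempfile.TemporaryDirectory() as tmp:
        return triage_bundle(build_sample_bundle(tmp))  # -> all three traits flagged
```

Run `triage_bundle` against each `.app` found under a mounted DMG; a fat (universal) binary returns None from `macho_cputype` and is deliberately not flagged as Intel-only.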
Security Officer Comments:
As macOS devices gain popularity in enterprise environments, cybercriminals have turned their attention to developing macOS-specific malware. Some MetaStealer variants have been observed posing as TradingView, a lure also used by another malware family, Atomic Stealer. Both MetaStealer and Atomic Stealer are Go-based and use osascript to display error messages. However, researchers have not identified significant code, infrastructure, or delivery-method similarities between them, which raises the possibility that different individuals or teams are employing similar techniques for separate objectives. Targeting business users is an unusual approach for macOS malware, which is typically distributed through torrent sites or suspicious third-party software distributors as cracked versions of popular software.
All Mac users are advised to ensure they have an adequate security solution in place, and IT and security teams are encouraged to review the comprehensive list of IoCs below.