Jamf Threat Labs has released a new report on infostealer malware targeting macOS users. The report details two malware attacks: the first is a new implementation of the Atomic Stealer malware, while the second is delivered through an online meeting tool. Both attacks steal a user’s sensitive information, such as account usernames and passwords, as well as data from crypto wallets.
Updated 04/01/24 at 11:00 a.m. PT: Jamf responded to our inquiry regarding the Meethub app in the App Store: “We currently have no reason to believe that the Meethub apps on Google Play and the Apple App Store are malicious.” The Meethub section of this article has been updated.
Atomic Stealer was first reported about a year ago, distributed via unsigned disk image (.dmg) files when a user downloads an application. Jamf Threat Labs reports that Atomic Stealer is now distributed via a sponsored link on Google when searching for “Arc Browser.” Arc Browser is a legitimate free browser from The Browser Company whose website is located at arc.net.
However, the sponsored ad that a Google user may see leads the user to aricl dot net or airci dot net instead of the real Arc Browser website. If the user continues and downloads what they think is the browser installer, they are prompted to run the installer by Control-clicking the icon and selecting Open. This is a way to bypass Gatekeeper on macOS, which normally warns about possibly malicious software and, in the case of unsigned installers, stops the installation.
Once Atomic Stealer is installed, a prompt appears stating that system settings need to be updated before the application – which the user thinks is Arc Browser – can run. The user is prompted to enter the account password, allowing the malware to access the keychain data, which is sent to the attacker’s server.
As of this writing, it appears that the malicious websites have been reported to the hosting service and have been taken down. Going to aricl dot net or airci dot net now results in a web page showing the logo of FastPanel, a server management tool provided by web hosting services. It is unclear whether Google has stopped serving the malvertising.
Meethub malware
Jamf Threat Labs also reports an attack involving online meeting software hosted at meethub dot gg. An attacker contacts a target and asks to use Meethub, which the target then downloads. As with the fake Arc Browser download that delivers Atomic Stealer, the user is prompted to use Control-click > Open to install the software and bypass Gatekeeper.
After installation, the user is prompted to enter their account password, which allows the malware to access keychain and crypto wallet data. The data is then sent to the attacker’s server.
Jamf’s report on Meethub involves software downloaded from the web, but there is a Meethub app in the App Store that works on iPhones and M-series Macs (and a Meethub app is in the Google Play Store). In response to igamesnews’s inquiry on the matter, Jamf responded: “We currently have no reason to believe that the Meethub apps on Google Play and the Apple App Store are malicious.”
How to avoid new infostealer attacks
Apple’s Gatekeeper feature prevents users from running unsigned software installers. When a user double-clicks an installer, Gatekeeper checks the certificate that Apple issued to the developer; the certificate tells Apple who the developer is, whether the developer has been blacklisted, and whether the software has been tampered with since the developer released it for distribution. Users can bypass the Gatekeeper warning by Control-clicking an installer and selecting Open from the context menu. If a software developer tells you this step is required, that’s a red flag.
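Before following any “Control-click > Open” instruction, a quick way to see what Gatekeeper would say about a download is to run Apple’s own checks yourself. This is an added example, not code from the Jamf report; it assumes a Mac with the standard `spctl`, `codesign` and `xattr` tools, and its `classify_spctl` function is a plain parser of `spctl` output so the logic can be followed without one.

```shell
#!/bin/sh
# Added example: vet a downloaded .app before trusting a "just Control-click > Open" instruction.

# Turn `spctl --assess` output (first line "<path>: accepted|rejected", then an
# optional "source=..." line) into a one-word verdict.
classify_spctl() {
  first=$(printf '%s\n' "$1" | sed -n 1p)
  source=$(printf '%s\n' "$1" | awk -F= '/^source=/{print $2; exit}')
  case "$first" in
    *": accepted")
      case "$source" in
        "Notarized Developer ID") echo notarized ;;   # signed and notarized by Apple
        "Developer ID")           echo signed ;;      # Developer ID signature, not notarized
        *)                        echo accepted ;;    # e.g. App Store or a local policy rule
      esac ;;
    *": rejected") echo untrusted ;;                  # exactly what the Open trick bypasses
    *)             echo unknown ;;
  esac
}

# Run the real checks on macOS: quarantine flag, signature integrity, Gatekeeper policy.
# Returns 0 only when Gatekeeper would have accepted the app on a normal double-click.
vet_app() {
  app=$1
  command -v spctl >/dev/null 2>&1 || { echo "spctl not found: this needs macOS"; return 2; }
  # A fresh download should carry com.apple.quarantine; its absence is itself suspicious.
  if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
    echo "quarantine: present"
  else
    echo "quarantine: absent"
  fi
  # Signature check: tampering after signing makes this fail.
  if codesign --verify --deep --strict "$app" 2>/dev/null; then
    echo "codesign: valid"
  else
    echo "codesign: INVALID or unsigned"
  fi
  # Same policy assessment Gatekeeper applies at launch (spctl reports on stderr too).
  out=$(spctl --assess --type execute -vv "$app" 2>&1)
  verdict=$(classify_spctl "$out")
  echo "gatekeeper: $verdict"
  [ "$verdict" = notarized ] || [ "$verdict" = accepted ]
}
```

Run it as `vet_app ~/Downloads/SomeApp.app`; anything other than `notarized` (or `accepted`) on a download that is asking you to bypass Gatekeeper is the red flag described above.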
Apple releases security patches through operating system updates, so it’s important to install them as soon as possible. And as always, when downloading software, get it from trusted sources, like the App Store (which does security checks on its software) or directly from the developer. igamesnews has several guides to help you, including a guide on whether or not you need antivirus software, a list of Mac viruses, malware, and Trojans, and a comparison of Mac security software.