MacOS Targeted by Malicious Ads Spreading Stealer Malware

A new cyber security report has uncovered two ongoing info-stealing attacks – Atomic Stealer and Meethub, on macOS users
Hackers are using malvertising techniques to steal macOS passwords and crypto wallet credentials of victims

MacOS Targeted By Malicious Ads Spreading Stealer Malware

A cyber security firm, Jamf Threat Labs, has published a report uncovering two ongoing cyber attacks targeting macOS users.

The modus operandi of both these attacks are quite different. However, the end goal is the same – to steal sensitive private information, including passwords of macOS users.

Most of these attackers have been targeting crypto traders in an attempt to get their hands on their crypto wallet ID passwords.

Those in the [crypto] industry should be hyper-aware that it’s often easy to find public information that they are asset holders or can easily be tied to a company that puts them in this industry.

Atomic Stealer 

When you search for “Arc browser “on the Google search engine, you’ll see some sponsored links that seem legitimate on the face. However, on clicking this, users are redirected to a malicious site which prompts them to download the Arc Browser, which in reality is the Atomic Stealer.

Quite interestingly, this malicious website cannot be reached directly. Only when you click on the sponsored link appearing in Google search, will you be able to access the website.

Once inside your system, the Atomic Sealer runs an AppleScript payload to steal sensitive information. You will see a dialogue box prompting you to enter your macOS password (which you shouldn’t).

Meethub

Meathub is another ongoing infostealer macOS attack. Jamf Threat Labs observed an attempted execution of an unsigned executable with a mismatched application name and executable name, which raised suspicions.

Hackers lead victims to this site on the pretext of job offers or interviews for a possible podcast.

Further investigation led the team to a website called meethub[.]gg.

As the name suggests, Meethub appears to be an application to hold voice and video calls. On clicking the “try for free“ button on the platform, macOS users are prompted to download a 51-megabyte unsigned pkg.

Here’s how Meethub stealer works:

Just like Atomic Stealer, this particular stealer also uses an AppleScript call to prompt users for macOS login passwords.
Once the user enters the password, the application copies the user’s keychain.
After the keychain is unlocked, the hacker uses an open-source chainbreaker tool to collect passwords. The chain breaker tool is bundled with the downloaded application itself.

Apart from passwords, the stealer is also capable of swiping into credit card details and credentials of installed crypto wallets, such as Ledger and Trezor.

Besides this, Moonlock Lab, MacPaw’s cybersecurity division, has discovered that hackers have been using harmless-looking DMG files to deliver stealer malware to MacOS through obscured AppleScript and bash payload. As discussed above, AppleScript is then used to prompt users to enter their sensitive passwords.

Read more: FBI seizes website used to sell malware as a remote access tool

The Rising Trend of Malvertising

The rising trend of malvertising is a cause of concern for security experts worldwide. Malvertising is a new cyber hacking technique where malicious actors inject codes into innocent-looking ads.

When users click these ads, they end up installing malware into their system, which can be anything from viruses and Trojans to spyware and info-stealers like Atomic Stealer.

A report by Cyber Security Ventures estimates the cost of malvertising may reach $10.5 trillion by the end of 2025.
From every 100 published ads, at least one contains malicious code.

With these alarming trends, it is high time users exercise caution when dealing with unsolicited links and ads.

>>> Read full article>>>
Copyright for syndicated content belongs to the linked Source : TechReport – https://techreport.com/blog/macos-targeted-malicious-ads-spreading-stealer-malware/

Exit mobile version