Mac Users Beware: Malicious Ads Unleash Stealer Malware Assault
Malicious advertisements and counterfeit websites have become conduits for disseminating two distinct types of stealer malware, notably Atomic Stealer, targeting users of Apple's macOS operating system. Jamf Threat Labs has released a report highlighting ongoing attacks aimed at extracting sensitive data from macOS users. The attackers behind these campaigns employ diverse methods to compromise victims' Macs, stealing valuable information.
One attack vector involves redirecting users searching for Arc Browser to deceptive websites such as "airci[.]net" via fraudulent ads. Interestingly, these malicious websites cannot be directly accessed and instead require users to click on sponsored links, likely as a tactic to avoid detection. Once on these sites, users are prompted to download a disk image file named "ArcSetup.dmg," which contains the Atomic Stealer malware. This malware employs a fake prompt to trick users into entering their system passwords, ultimately facilitating the theft of sensitive data.
Another tactic identified by Jamf Threat Labs involves a fraudulent website called meethub[.]gg, which claims to offer free group meeting scheduling software. However, instead of legitimate software, users unwittingly install another stealer malware capable of harvesting various types of data, including keychain information and credentials stored in web browsers and cryptocurrency wallets. Similar to Atomic Stealer, this malware prompts users to enter their macOS login password using an AppleScript call.
Victims of these attacks are often approached under false pretenses, such as job opportunities or podcast interviews, with attackers instructing them to download an application from meethub[.]gg. Additionally, Moonlock Lab, the cybersecurity division of MacPaw, has identified the use of malicious DMG files ("App_v1.0.4.dmg") to deploy stealer malware designed to extract credentials and data from various applications. These files use obfuscated AppleScript and bash payloads, retrieved from a Russian IP address, to deceive users into providing their system passwords.
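The behaviours described above (an app launched from a mounted DMG that pops an AppleScript password dialog and then reads the keychain) are what a defender would hunt for in process telemetry. The following detection sketch is an added example, not code from Jamf Threat Labs or Moonlock Lab; the "parent -> child args=" log format, the paths and the dialog text are constructed for illustration, not indicators from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-execution telemetry (hypothetical format, made-up values).
SAMPLE_LOG = """\
2024-03-29T10:01:02Z /Applications/Safari.app/Contents/MacOS/Safari -> /usr/bin/hdiutil args=attach /Users/u/Downloads/ArcSetup.dmg
2024-03-29T10:01:05Z /Volumes/ArcSetup/ArcSetup.app/Contents/MacOS/ArcSetup -> /usr/bin/osascript args=-e display dialog "macOS needs your password to continue" default answer "" with hidden answer
2024-03-29T10:01:09Z /Volumes/ArcSetup/ArcSetup.app/Contents/MacOS/ArcSetup -> /usr/bin/security args=find-generic-password -a user -s Chrome
2024-03-29T10:05:00Z /Applications/Xcode.app/Contents/MacOS/Xcode -> /usr/bin/osascript args=-e display notification "Build finished" with title "CI"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<parent>\S+) -> (?P<child>\S+) args=(?P<args>.*)$")
UNTRUSTED_PREFIXES = ("/Volumes/", "/private/tmp/", "/tmp/", "/Users/Shared/")


@dataclass
class Finding:
    ts: str
    rule: str
    severity: str
    parent: str


def untrusted_parent(path: str) -> bool:
    # Code running from a mounted DMG, a temp dir or Downloads is not an installed app.
    return path.startswith(UNTRUSTED_PREFIXES) or "/Downloads/" in path


def classify(ev: dict) -> Optional[Finding]:
    child, args, parent = ev["child"].rsplit("/", 1)[-1], ev["args"].lower(), ev["parent"]
    if child == "osascript" and "display dialog" in args and "hidden answer" in args:
        # A hidden-answer dialog collects a secret; from a DMG-hosted app it is the fake login prompt.
        sev = "high" if untrusted_parent(parent) else "medium"
        return Finding(ev["ts"], "applescript_hidden_password_prompt", sev, parent)
    if child == "security" and args.startswith(("find-generic-password", "find-internet-password")) \
            and untrusted_parent(parent):
        return Finding(ev["ts"], "keychain_read_from_untrusted_parent", "high", parent)
    if child == "hdiutil" and "attach" in args and ".dmg" in args:
        return Finding(ev["ts"], "dmg_mounted", "info", parent)  # context for correlation
    return None


def scan(log_text: str) -> List[Finding]:
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (f := classify(m.groupdict())):
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} [{f.severity}] {f.rule} parent={f.parent}")
```

The legitimate Xcode notification is not flagged because it lacks the hidden-answer dialog; a real deployment would feed the same rules from EDR or Endpoint Security process events rather than a text log.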
These findings underscore the growing threat of stealer attacks targeting macOS environments, with certain strains employing sophisticated anti-virtualization techniques to evade detection. Recent malvertising campaigns have further exacerbated the situation, with the distribution of FakeBat loader and other information stealers like Rhadamanthys via decoy sites for popular software. As such, users of macOS systems must remain vigilant against these evolving threats and take proactive measures to safeguard their sensitive information.
Source: https://thehackernews.com/2024/03/hackers-target-macos-users-with.html