There’s no avoiding it: There’s malware out there for the Mac, and you have to be careful.
That being said, groups of hackers have begun using fake software updates to distribute malware. Researchers have identified two new threat actors, TA2726 and TA2727, who are using web injection campaigns to deliver malware. The updates are often designed as web browser updates and include a newly discovered macOS malware called FrigidStealer.
According to Proofpoint, the team behind the discovery, FrigidStealer is a new information-stealing malware specifically aimed at macOS. The malware is delivered through compromised websites, which present fake browser update prompts to visitors. If a Mac user clicks the “Update” button, they unknowingly download a malicious DMG file.
[Image: code snippet of the malware’s macOS operations involving Safari, file paths, and Desktop file management with specific extensions and conditions.]
Once installed, FrigidStealer uses AppleScript, executed through osascript, to collect sensitive data, including browser cookies, cryptocurrency-related files, and even Apple Notes. Although locked notes in Apple Notes are end-to-end encrypted, any unlocked notes, or notes stored as plain files in the Desktop or Documents folders, might be vulnerable. The stolen data is then relayed to a command-and-control server at askforupdate[.]org. On the delivery side, TA2726’s traffic distribution system (TDS) redirects visitors of the compromised sites to a malicious domain controlled by TA2727.
From there, the server sends the user fake prompts tailored to the user’s device and web browser. For Mac users, the lure might appear as a legitimate Google Chrome or Safari update. When the “Update” button is clicked, the malicious DMG file is downloaded, and the installation process prompts the user to bypass macOS Gatekeeper security. FrigidStealer then runs a Mach-O executable built with WailsIO, which makes the fake installer appear authentic. The malware can then extract sensitive data and send it to its server, completing the attack.
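As an added illustration (not code from the article or from Proofpoint), the following Python hunt rule runs over constructed endpoint telemetry and looks for the chain described above: osascript touching Notes or cookie data, spawned under an app executing from a mounted disk image, correlated with a connection to the C2 domain named in the report. The log format, process paths and sample events are assumptions made for the example.

```python
# Added example, not code from the article or Proofpoint. Constructed telemetry
# in an assumed "ts|event|pid|ppid|detail" format; paths are illustrative.
SAMPLE_EVENTS = """\
1|exec|100|1|/Applications/Safari.app/Contents/MacOS/Safari
2|exec|200|100|/Volumes/Chrome Update/Install Chrome.app/Contents/MacOS/Install Chrome
3|exec|201|200|/usr/bin/osascript -e "... Notes ..."
4|exec|202|200|/usr/bin/osascript -e "... Cookies ..."
5|net|200|100|askforupdate.org:443
6|exec|300|1|/usr/bin/osascript -e "... Notes ..."
""".splitlines()
C2_DOMAINS = {"askforupdate.org"}        # domain named in the report (defanged there)
SENSITIVE_HINTS = ("Notes", "Cookies")   # data categories the report says are targeted

def parse(lines):
    """Turn pipe-separated telemetry lines into event dicts."""
    events = []
    for line in lines:
        ts, kind, pid, ppid, detail = line.split("|", 4)
        events.append({"ts": int(ts), "kind": kind, "pid": int(pid), "ppid": int(ppid), "detail": detail})
    return events

def ancestors(pid, procs):
    """Yield (pid, path) for pid and each known parent; stops on unknown pid or cycle."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield pid, procs[pid]["path"]
        pid = procs[pid]["ppid"]

def find_frigidstealer_chain(lines):
    """Flag osascript runs touching sensitive data under an app executing off a
    mounted disk image (/Volumes/...); severity is high when that app also reached
    the known C2 domain. Returns [(osascript_pid, app_pid, severity)]."""
    events = parse(lines)
    procs = {e["pid"]: {"path": e["detail"], "ppid": e["ppid"]} for e in events if e["kind"] == "exec"}
    c2_pids = {e["pid"] for e in events
               if e["kind"] == "net" and e["detail"].rsplit(":", 1)[0] in C2_DOMAINS}
    findings = []
    for e in events:
        if e["kind"] != "exec" or not e["detail"].startswith("/usr/bin/osascript"):
            continue
        if not any(hint in e["detail"] for hint in SENSITIVE_HINTS):
            continue  # e.g. a harmless dialog script
        dmg_app = next((p for p, path in ancestors(e["ppid"], procs)
                        if path.startswith("/Volumes/")), None)
        if dmg_app is None:
            continue  # automation launched from an installed app or the shell
        findings.append((e["pid"], dmg_app, "high" if dmg_app in c2_pids else "medium"))
    return findings
```

Event 6 is the negative case: the same osascript usage from a process not descended from a mounted image is not flagged, which keeps an admin's own automation out of the alert.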
As always, the best way to stay safe is to avoid fake update scams and be wary of unexpected update prompts, especially ones that surface while browsing the web. Instead of clicking on pop-ups, go directly to the official website or use the app’s built-in update function to ensure you get legitimate software. Finally, keep your security software up to date to help detect and block potential threats.
Be careful out there and stay tuned for additional details as they become available.
Via AppleInsider and Proofpoint