Following the publication of new research by security firm Sentinel One, a new infostealer has been seen in the wild. The malware, dubbed MetaStealer (not to be confused with another infostealer, META), targets Intel-based macOS systems.
Researchers noted that Apple’s XProtect will detect some instances of the new malware but not all, so extra precautions should be taken by businesses making use of Intel-based Macs.
The emergence of MetaStealer highlights a new trend of info stealers, malware capable of accessing and stealing sensitive information, targeting Macs in general.
According to Sentinel One’s research, MetaStealer is distributed in malicious application bundles in disk image format (.dmg). Based on the names given to the bundles by threat actors, it is clear that businesses are the primary target.
Filenames like "Advertising terms of reference (MacOS presentation).dmg", "CONCEPT A3 full menu with dishes and translations to English.dmg", "AnimatedPoster.dmg", and "Brief_Presentation-Task_Overview-(SOW)-PlayersClub.dmg" were seen in samples discovered by researchers.
Other samples carried names built around phrases like "Official Brief Description", such as "(Cover references,tasks,logos,brief)\YoungSUG_Official_Brief_Description_LucasProd.dmg", and in other instances the bundles were designed to masquerade as Adobe files and software products.
This was not the only way used to lure victims; one victim posted to VirusTotal saying,
I was targeted by someone posing as a design client, and didn’t realize anything was out of the ordinary. The man I’d been negotiating with on the job this past week sent me a password protected zip file containing this DMG file, which I thought was a bit odd.
Against my better judgement I mounted the image to my computer to see its contents. It contained an app that was disguised as a PDF, which I did not open, and that is when I realized he was a scammer.
The targeting methods described above are somewhat unusual for Mac-based malware, which is typically distributed through pirated copies of business, productivity, or other popular software offered on well-known torrent sites.
Looking at the malware in more depth, researchers noted that the malware will not be able to run on newer M1 and M2 Macs as the samples discovered are single architecture Intel x86_64 binaries.
The disk images used to distribute the malware contain the absolute minimum required to form a bundle: an Info.plist file, a Resources folder containing an icon image, and a MacOS folder containing the malicious executable.
The researchers went on to note:
Although we have seen some versions carrying an Apple Developer ID string embedded in the executable (Bourigaultn Nathan (U5F3ZXR58U)), none of the samples we observed attached a code signature or used ad hoc signing. This means that to gain execution, the threat actor would likely need to guide or persuade the victim to override protections such as Gatekeeper and OCSP.
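A triage script that checks a mounted bundle for the profile described above (bare-minimum bundle layout, a single-architecture x86_64 executable, and no LC_CODE_SIGNATURE load command at all, which rules out even ad hoc signing). This is an added defender-side example, not code from Sentinel One or from the malware; the bundle it inspects is constructed in a temporary directory with a fake Mach-O header, and the Mach-O constants are the standard ones from mach-o/loader.h.

```python
import os, struct, tempfile
from pathlib import Path

MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O magic (little-endian on disk)
FAT_MAGIC = 0xCAFEBABE         # universal ("fat") binary, big-endian header
CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x01000007, 0x0100000C
LC_CODE_SIGNATURE = 0x1D       # load command that points at the signature blob
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

def inspect_macho(data):
    """Return the architectures in a Mach-O and whether any code signature is attached."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:        # universal: recurse into slices
        archs, signed = [], False
        for i in range(struct.unpack(">I", data[4:8])[0]):
            _, _, off, size, _ = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
            part = inspect_macho(data[off:off + size])
            archs, signed = archs + part["archs"], signed or part["signed"]
        return {"archs": archs, "signed": signed}
    magic, cputype, _, _, ncmds, _, _, _ = struct.unpack("<8I", data[:32])
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O")
    signed, pos = False, 32
    for _ in range(ncmds):                                   # walk the load commands
        cmd, cmdsize = struct.unpack("<2I", data[pos:pos + 8])
        signed, pos = signed or cmd == LC_CODE_SIGNATURE, pos + cmdsize
    return {"archs": [CPU_NAMES.get(cputype, hex(cputype))], "signed": signed}

def triage_bundle(app_dir):
    """Flag the reported profile: minimal bundle, x86_64-only executable, unsigned."""
    contents, macos = Path(app_dir, "Contents"), Path(app_dir, "Contents", "MacOS")
    findings = {"minimal_bundle": sorted(os.listdir(contents)) == ["Info.plist", "MacOS", "Resources"],
                "intel_only": False, "unsigned": False}
    for exe in macos.iterdir():
        info = inspect_macho(exe.read_bytes())
        findings["intel_only"] = info["archs"] == ["x86_64"]
        findings["unsigned"] = not info["signed"]
    findings["suspicious"] = all(findings[k] for k in ("minimal_bundle", "intel_only", "unsigned"))
    return findings

def build_sample_bundle():
    """Constructed test data: a bare-minimum bundle with a fake, unsigned x86_64 Mach-O."""
    app = Path(tempfile.mkdtemp(), "Presentation.app")   # hypothetical name
    for sub in ("Contents/MacOS", "Contents/Resources"):
        (app / sub).mkdir(parents=True)
    (app / "Contents/Info.plist").write_text("<plist/>")
    (app / "Contents/Resources/icon.icns").write_bytes(b"icns")
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 2, 1, 8, 0, 0)
    header += struct.pack("<2I", 0x19, 8)   # one LC_SEGMENT_64 stub, no LC_CODE_SIGNATURE
    (app / "Contents/MacOS/Presentation").write_bytes(header)
    return str(app)
```

On a real Mac the same checks are available from the command line via `file`, `lipo -archs` and `codesign -dv`; this script reproduces them portably so the heuristic can run in an automated triage pipeline.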
The malware is written in Go and is obfuscated to hinder analysis. However, some signs of the binary’s tasking remain as artifacts. In particular, functions for exfiltrating the keychain, extracting saved passwords, and grabbing files could be identified. Some versions contain methods designed to target Telegram and Meta services.
MetaStealer and Atomic Stealer
Atomic Stealer, another Mac-based info stealer, features some similarities to MetaStealer. This could be evidence of a link between the two. Sentinel One researchers even noted that some versions of MetaStealer are also masquerading as TradingView.
Similarities include both being written in Go, but researchers were quick to point out,
However, despite both being Go-based infostealers that also use osascript to display error messages to the user on execution, we see little actual code overlap between MetaStealer and Atomic Stealer. We also note that the network infrastructure and observed method of delivery in MetaStealer campaigns are rather different to that seen in Atomic Stealer.
While a possible link cannot be ruled out, the differences in delivery method suggest that no direct connection exists. Atomic Stealer is delivered via malvertising through Google Ads, using a typosquatting technique to deliver a fake TradingView application.
Further, Atomic Stealer is sold via a Telegram channel as malware-as-a-service for 1000 USD per month and can grab account passwords, browser data, session cookies, and crypto-wallets.
These two Mac-based infostealers appear to be part of a broader trend of threat actors targeting Apple’s macOS. MetaStealer stands out because it directly targets businesses and the data that is their lifeblood.
High-value data stored on business IT infrastructure can facilitate several other cyber-criminal activities beyond simple theft.
Some researchers have argued that Mac machines have fallen slightly behind in the cyber security arms race as both internal and external security tools often lack the visibility necessary to combat more advanced threats, thus providing threat actors ample exploitable opportunities.