New Infostealing MetaStealer Malware Targets Macs


A new information-stealing malware, named MetaStealer, has shifted its focus to Apple's macOS, adding to the growing list of information-stealing malware families that specifically target this operating system. Prior to MetaStealer, we saw the emergence of Stealer, Pureland, Atomic Stealer, and Realst, all concentrating on macOS.

According to a recent analysis by SentinelOne security researcher Phil Stokes, threat actors are actively directing their efforts at macOS users within businesses. They do so by posing as prospective clients to manipulate victims into executing malicious files.

MetaStealer Goes After Businesses

In these attacks, MetaStealer is disseminated in the form of deceptive application bundles packaged in the disk image format (DMG). Threat actors engage with targets by pretending to be potential design clients and sharing password-protected ZIP archives containing the DMG files.

In some instances, the malware has also disguised itself as Adobe files or Adobe Photoshop installers. The evidence collected suggests that MetaStealer artifacts first appeared in the wild in March 2023, with the most recent sample being uploaded to VirusTotal on August 27, 2023.

Stokes noted that this specific targeting of business users is somewhat unusual for macOS malware. Typically, macOS malware is found distributed through torrent sites or dubious third-party software distributors in the form of cracked versions of popular business or productivity software.

The primary component of the payload is an obfuscated executable written in Go. This executable contains functions to extract data from the iCloud Keychain, saved passwords, and files located on the compromised host. Some versions of the malware appear to include functionality that likely targets Telegram and Meta services.

SentinelOne observed that some MetaStealer variants impersonate TradingView, a tactic also used recently by Atomic Stealer. This raises two possibilities: either the same malware authors are behind both families, with different threat actors deploying them through different delivery methods, or distinct groups of threat actors are responsible for these attacks.

The emergence of yet another information-stealing malware targeting macOS users in 2023 underscores the increasing popularity of targeting Mac users for their data among threat actors. What distinguishes MetaStealer from other recent malware is its clear focus on business users and the objective of extracting valuable keychain and other information from these targets. Such valuable data can be exploited for further cybercriminal activities or to gain access to larger business networks.

September 12, 2023
