New Infostealing MetaStealer Malware Targets Macs
A new information-stealing malware family, named MetaStealer, is targeting Apple's macOS, adding to the growing list of infostealers written specifically for this operating system. Earlier in 2023 we saw the emergence of MacStealer, Pureland, Atomic Stealer, and Realst, all concentrating on macOS.
According to a recent analysis by SentinelOne security researcher Phil Stokes, the threat actors are deliberately going after businesses that run macOS. They approach victims while posing as prospective clients and use that pretext to talk them into opening and running the malicious payload.
MetaStealer Goes After Businesses
In these attacks, MetaStealer is disseminated in the form of deceptive application bundles packaged in the disk image format (DMG). Threat actors engage with targets by pretending to be potential design clients and sharing password-protected ZIP archives containing the DMG files.
In some instances, the malware has also disguised itself as Adobe files or Adobe Photoshop installers. The evidence collected suggests that MetaStealer artifacts first appeared in the wild in March 2023, with the most recent sample being uploaded to VirusTotal on August 27, 2023.
Stokes noted that this specific targeting of business users is somewhat unusual for macOS malware. Typically, macOS malware is found distributed through torrent sites or dubious third-party software distributors in the form of cracked versions of popular business or productivity software.
The primary component of the payload is an obfuscated executable based on the Go programming language. This executable is equipped with functions to extract data from iCloud Keychain, saved passwords, and files located on the compromised host. Some versions of the malware appear to have functionalities that likely target Telegram and Meta services.
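The two technical points above (a payload delivered as an application bundle inside a DMG, and a primary component that is a Go-built Mach-O executable) suggest a simple triage check an analyst or detection engineer can run on a bundle after the DMG has been mounted or extracted. The following is an added example, not code from SentinelOne or from the article: it walks the `Contents/MacOS` directory of an extracted `.app`, checks each file for a Mach-O header, and looks for strings the Go toolchain leaves behind (the `.go.buildinfo` header survives most string obfuscation, while `runtime.*` symbol names may be renamed by obfuscators). The keychain-related strings, the bundle name `Brief.app`, and the sample bytes are all constructed for illustration and are not indicators taken from the MetaStealer analysis.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# Mach-O magic numbers (32/64-bit, both byte orders) and the FAT/universal header.
MACHO_MAGICS = (
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64
    b"\xca\xfe\xba\xbe",                       # FAT_MAGIC (universal binary)
)

# Strings the Go toolchain embeds in a binary. The buildinfo header is the most
# robust: symbol-renaming obfuscators can strip the runtime.* names below.
GO_MARKERS: Dict[str, bytes] = {
    "go_buildinfo_magic": b"\xff Go buildinf:",  # header of the .go.buildinfo section
    "go_build_id": b"Go build ID:",
    "runtime_main": b"runtime.main",
    "runtime_gopanic": b"runtime.gopanic",
}

# ASSUMED keychain-access hints for illustration only, not indicators from the analysis.
KEYCHAIN_HINTS: Dict[str, bytes] = {
    "security_cli": b"security find-generic-password",
    "login_keychain": b"login.keychain-db",
    "keychain_framework": b"SecKeychain",
}


@dataclass
class Verdict:
    path: str
    is_macho: bool
    go_markers: List[str]
    keychain_hints: List[str]

    def suspicious(self) -> bool:
        # A Go-built Mach-O shipped inside a "client brief" bundle is the pattern the
        # article describes; keychain strings only add weight to the verdict.
        return self.is_macho and bool(self.go_markers)


def triage_bytes(path: str, data: bytes) -> Verdict:
    """Classify one file's raw bytes: Mach-O header, Go markers, keychain hints."""
    is_macho = data[:4] in MACHO_MAGICS
    go_hits = [name for name, marker in GO_MARKERS.items() if marker in data]
    kc_hits = [name for name, marker in KEYCHAIN_HINTS.items() if marker in data]
    return Verdict(path, is_macho, go_hits, kc_hits)


def triage_bundle(bundle_dir: str) -> List[Verdict]:
    """Scan every file under <bundle>/Contents/MacOS of an extracted .app directory."""
    macos_dir = os.path.join(bundle_dir, "Contents", "MacOS")
    verdicts: List[Verdict] = []
    for root, _dirs, files in os.walk(macos_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                verdicts.append(triage_bytes(full, fh.read()))
    return verdicts


# Constructed sample: a fake 64-bit Mach-O carrying a Go buildinfo header, one
# runtime symbol name, and one of the assumed keychain strings.
CONSTRUCTED_GO_PAYLOAD = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 60
    + b"\xff Go buildinf:" + b"\x00" * 18
    + b"runtime.main\x00"
    + b"login.keychain-db\x00"
)
# Constructed benign companion file: a shell script, not a Mach-O.
CONSTRUCTED_BENIGN_SCRIPT = b"#!/bin/sh\nopen Contents/Resources/brief.pdf\n"


def build_sample_bundle(root: str) -> str:
    """Write a minimal fake 'Brief.app' (constructed test data) under root; return its path."""
    bundle = os.path.join(root, "Brief.app")
    macos_dir = os.path.join(bundle, "Contents", "MacOS")
    os.makedirs(macos_dir)
    with open(os.path.join(macos_dir, "Brief"), "wb") as fh:
        fh.write(CONSTRUCTED_GO_PAYLOAD)
    with open(os.path.join(macos_dir, "launcher.sh"), "wb") as fh:
        fh.write(CONSTRUCTED_BENIGN_SCRIPT)
    return bundle


def demo_triage() -> List[Verdict]:
    """Build the sample bundle in a temp dir, triage it, and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_bundle(build_sample_bundle(tmp))


if __name__ == "__main__":
    for v in demo_triage():
        flag = "SUSPICIOUS" if v.suspicious() else "ok"
        print(f"{flag:10} {os.path.basename(v.path)} macho={v.is_macho} "
              f"go={v.go_markers} keychain={v.keychain_hints}")
```

On a real sample, point `triage_bundle` at the `.app` directory after `hdiutil attach` of the DMG (or after copying the bundle out of the mounted volume), and treat a Go-marker hit as a reason to pull the binary into a sandbox rather than as a conviction on its own: plenty of legitimate macOS tooling is written in Go, and the buildinfo header is absent from very old toolchains.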
SentinelOne observed that some MetaStealer variants impersonate TradingView, a lure Atomic Stealer also used recently. That overlap allows two readings: either the same authors are behind both families and different operators have adopted them, which would explain the differing delivery methods, or distinct groups of threat actors are responsible for the two sets of attacks.
The emergence of yet another information-stealing malware family targeting macOS users in 2023 shows how attractive Mac users' data has become to threat actors. What distinguishes MetaStealer from other recent macOS malware is its clear focus on business users and its goal of extracting keychain contents and other credentials from those targets. Data of that kind can be monetized directly or used to gain a foothold in larger business networks.