New strain of malware stealing business data from Intel Macs

Main image of the article 0 Facebook Twitter Reddit

Malware called “MetaStealer” is being used by hackers to attack businesses and steal data from Intel-based Macs, including using techniques including posing as legitimate app installers.

Malware attacks on macOS continue to be a problem. The main reason attacks are successful is that users are tricked into opening executable files. A report describing a family of “infoware” macOS, called “MetaStealer”, security researchers explain how it works by tricking users into opening disk images.

MetaStealer attackers are targeting businesses using macOS systems, according to SentinelOne's Phil Stokes. By pretending to be fake clients, victims are socially engineered into running malware on their Macs.

Many samples provided by SentinelOne show that the disk image file containing the payload was often given names that might be of interest to business users. This ranges from presentation titles, “Concept A3 Complete Menu with Dishes and English Translations” and “Lucasprod Payment Contract and Confidentiality Agreement” [sic] to names of installers of Adobe products such as Photoshop.

Directly targeting business users is believed to be an unusual move for malware users, as it is typically distributed in bulk, such as through fake torrents.

The installation attempt is also made more difficult for hackers for a number of reasons. Because the disk image contains the minimal content that needs to exist beyond the payload, the file also tends to not include an Apple Developer ID line, or use a code signing or custom signature at all.

This creates an additional obstacle, namely that attackers have to somehow convince the potential victim to override Gatekeeper and OCSP. All collected samples are single-architecture Intel x86_64 binaries, so while they will be usable directly on Intel Macs, they will require the use of Rosetta to run on Apple Silicon Macs.

While users should be vigilant and cautious when opening questionable files sent by others or downloaded from unofficial sources, Apple has already introduced some protective measures. As part of the XProtect x2170 update, Apple is including a detection signature that affects some versions of MetaStealer.

SentinelOne has also published a list of indicators of compromise for use by enterprise IT and security teams, which are included below.

Indicators of compromise

MetaStealer Droppers

AdobeOfficialBriefDescription.dmg 00b92534af61a61923210bfc688c1b2a4fecb1bb
Adobe Photoshop 2023 (with AI) installer.dmg 51e8eaf98b77105b448f4a06 49d8f7c98ac8fc66
Technical specifications for advertising (MacOS presentation).dmg 4da5241119bf64d9a7ffc2710b3607817c8df2f
AnimatedPoster.dmg c2cd344fbcd2d356ab8231d4c0a994df20760e3e
CardGame.dmg 5ba3181df 05 3e35011e9ebcc5330034e9e895bfe
Contract for wages & confidentiality agreement Lucasprod.dmg dec16514cd256613128b93d340467117faca1534
FreyaVR 1.6.102.dmg d3fd59bd92ac03bccc11919d25d6bbfc85b440d3
Matrix.dmg 3 033c05eec7c7b98d175df2badd3378e5233b5a2
OfficialBriefDescription.app.zip 345d6077bfb9c55e3d89b32c16e409c508626986
P7yersOfficialBriefDescription 1.0.dmg 35bfdb4ad20908ac85d00dcd7389a820f460db51
PDF.app.zip aa40f3f71039096830f2931ac5df2724b2c628ab
TradingView.dm g e49c078b3c3f696d004f1a85d731cb9ef8c662f1
Brief presentation of YoungClass Mac 20OS.zip 3161e6c88a4da5e09193b7aac9aa211a032526b9
YoungSUG(Cover references,tasks,logos, brief)YoungSUG_Official_Brief_Description_LucasProd.dmg 61c3f2f3a7521920ce2db9c9de31d7ce1df9dd44