New strain of malware stealing business data from Intel Macs

Malware called “MetaStealer” is being used by attackers to target businesses and steal data from Intel-based Macs, using techniques that include posing as legitimate app installers.

Malware attacks on macOS continue to be a problem, and the main reason they succeed is that users are tricked into opening executable files. In a report describing a family of macOS infostealer malware called “MetaStealer”, security researchers explain how it works by tricking users into opening disk images.

MetaStealer's operators are targeting businesses that use macOS, according to SentinelOne's Phil Stokes. Posing as prospective clients, they socially engineer victims into running the malware on their Macs.

Many of the samples SentinelOne examined show that the disk image carrying the payload was given a name likely to interest business users, ranging from document titles such as “Concept A3 Complete Menu with Dishes and English Translations” and “Lucasprod Payment Contract and Confidentiality Agreement” [sic] to the names of installers for Adobe products such as Photoshop.

Directly targeting business users is believed to be an unusual move for malware operators, since malware is typically distributed in bulk, for example through fake torrents.

Installation is also made harder for the attackers by several factors. Because the disk image contains little beyond the payload itself, the payload also tends to carry no Apple Developer ID signature, and often no code signature of any kind.

This creates an additional obstacle: the attackers must somehow convince the potential victim to override Gatekeeper and OCSP checks. All collected samples are single-architecture Intel x86_64 binaries, so while they run natively on Intel Macs, they need Rosetta to run on Apple Silicon Macs.
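As an added illustration (not code from the article or from SentinelOne) of the two traits just described, the following Python snippet parses a Mach-O header far enough to report its architecture(s) and whether an LC_CODE_SIGNATURE load command is present; a thin x86_64 image with no signature is the profile the report describes. The headers it runs on are constructed inline, and on a real Mac `codesign -dv`, `spctl --assess` and `lipo -archs` remain the authoritative checks.

```python
import struct
MH_MAGIC_64 = 0xFEEDFACF        # little-endian 64-bit Mach-O header magic
FAT_MAGIC = 0xCAFEBABE           # big-endian universal (fat) header magic
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
LC_CODE_SIGNATURE = 0x1D         # load command that points at the signature blob
ARCH_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

def _thin_info(blob):
    """Return (arch, signed) for a single-architecture 64-bit Mach-O."""
    magic, cputype, _sub, _ft, ncmds, _sz, _fl, _res = struct.unpack_from("<8I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    off, signed = 32, False  # load commands follow the 32-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmd == LC_CODE_SIGNATURE:  # a signature blob exists; says nothing about validity
            signed = True
        off += cmdsize
    return ARCH_NAMES.get(cputype, hex(cputype)), signed

def triage(blob):
    """Return {'archs': [...], 'signed': bool, 'intel_only': bool} for thin or fat input."""
    magic, = struct.unpack_from(">I", blob, 0)
    if magic == FAT_MAGIC:  # universal binary: inspect every slice
        nfat, = struct.unpack_from(">I", blob, 4)
        archs, signed = [], True
        for i in range(nfat):
            cputype, _sub, offset, size, _al = struct.unpack_from(">5I", blob, 8 + 20 * i)
            arch, s = _thin_info(blob[offset:offset + size])
            archs.append(arch)
            signed = signed and s
    else:
        arch, signed = _thin_info(blob)
        archs = [arch]
    return {"archs": archs, "signed": signed, "intel_only": archs == ["x86_64"]}

def make_thin(cputype, signed):
    """Constructed header-only Mach-O for demonstration (not a real binary)."""
    cmds = struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0, 0) if signed else b""
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 1 if signed else 0, len(cmds), 0, 0) + cmds

def make_fat(slices):
    """Constructed universal wrapper around (cputype, signed) slices."""
    off, table, body = 8 + 20 * len(slices), b"", b""
    for cputype, signed in slices:
        s = make_thin(cputype, signed)
        table += struct.pack(">5I", cputype, 0, off + len(body), len(s), 0)
        body += s
    return struct.pack(">2I", FAT_MAGIC, len(slices)) + table + body
```

An unsigned, x86_64-only result is not proof of malice, only a reason to look harder before letting a user bypass Gatekeeper.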

While users should remain vigilant and cautious when opening questionable files sent by others or downloaded from unofficial sources, Apple has already introduced some protective measures: as part of the XProtect x2170 update, Apple added a detection signature that covers some versions of MetaStealer.

SentinelOne has also published a list of indicators of compromise for use by enterprise IT and security teams, which are included below.

Indicators of compromise

Network communications – IP addresses

  • 13[.]114.196[.]60
  • 13[.]125.88[.]10

Network communications – Domains

  • api.osx-mac[.]com
  • builder.osx-mac[.]com
  • db.osx-mac[.]com

Developer ID

  • Burigo Nathan (U5F3ZXR58U)
