A new information-stealing malware called MetaStealer has turned its attention to Apple macOS, becoming the latest in a growing list of stealer families focused on the operating system, following Stealer, PureLand, Atomic Stealer and Realst.
“Threat actors are actively targeting macOS businesses by impersonating victims to launch malicious payloads,” SentinelOne security researcher Phil Stokes said in a Monday analysis.
In these attacks, MetaStealer is distributed in the form of rogue application bundles in the disk image format (DMG), with targets approached through threat actors posing as prospective design clients in order to share a password-protected ZIP archive containing the DMG file.
Other examples include malware in the form of Adobe files or installers for Adobe Photoshop. Evidence collected so far suggests that metastellar artifacts began appearing in the wild in March 2023. The most recent sample was uploaded to VirusTotal on August 27, 2023.
“This specific targeting of business users is somewhat unusual for macOS malware, which is more commonly found being distributed via torrent sites or suspicious third-party software distributors as cracked versions of business, productivity or other popular software,” Stokes said.
The main component of the payload is an obscure Go-based executable that comes with features to collect iCloud Keychain, saved passwords, and files from compromised hosts.
Select variants of the malware have been observed that include functions that potentially target Telegram and Meta services.
SentinelOne said it has seen some MetaStealer variants impersonating TradingView, the same strategy that has been adopted by Atomic Stealer in recent weeks.
This raises two possibilities: either the same malware author may be behind both secret families and have been adopted by different threat actors due to differences in delivery mechanisms, or they are the work of different groups of actors.
“The appearance of another macOS infostealer this year shows that the trend of targeting Mac users for their data is growing in popularity among threat actors,” Stokes said.
“What makes MetaStealer notable among this series of recent malware is its explicit targeting of business users and its aim to exfiltrate valuable key chains and other information from these targets. Such high-value data could be used “to further cybercriminal activity or gain a foothold in larger business networks.”
