Malware referred to as “MetaStealer” is being utilized by hackers to assault companies and to steal information from Intel-based Macs, with strategies together with posing as professional app installers.
Malware assaults in opposition to macOS proceed to be an issue, with customers being coerced into opening executables being the principle motive the assaults are profitable. In a report detailing a household of macOS “infostealers” known as “MetaStealer,” safety researchers clarify the way it works by tricking customers into opening disk photographs.
In line with Phil Stokes of SentinelOne, MetaStealer attackers are concentrating on companies working macOS techniques. By pretending to be pretend purchasers, victims are socially engineered into working the malicious payloads on their Mac.
Many samples provided to SentinelOne reveal that the disk picture file holding the payload was usually given names that may very well be of curiosity to enterprise customers. This ranges from names for displays, a “Idea A3 full menu with dishes and translations to English,” and “Conract for paymen & confidentiality settlement Lucasprod” [sic], to the names of installers for Adobe merchandise like Photoshop.
It’s believed that concentrating on enterprise customers straight is an uncommon transfer for malware customers, as it’s sometimes distributed in mass methods, reminiscent of in pretend torrents.
The hassle to realize an set up can be made more durable for hackers by quite a lot of methods. Because the disk picture incorporates the naked minimal content material to exist past the payload, the file additionally tends to not embody an Apple Developer ID string, nor use code signing in any respect, nor ad-hoc signing.
These create further obstacles, particularly that attackers should someway persuade the would-be sufferer to override Gatekeeper and OCSP. All the collected samples are single-architecture Intel x86_64 binaries, so whereas they might be usable on Intel Macs straight, they would wish to make use of Rosetta to run on Apple Silicon Macs.
Whereas customers needs to be vigilant and use warning when opening questionable recordsdata despatched by others, or downloaded from unofficial sources, Apple has already launched some protecting measures. As a part of XProtect replace x2170, Apple features a detection signature that impacts some variations of MetaStealer.
SentinelOne has additionally launched an inventory of Indicators of Compromise, supposed to be used by IT and safety groups working for enterprise, which follows beneath.
Indicators of Compromise
MetaStealer Droppers
- AdobeOfficialBriefDescription.dmg 00b92534af61a61923210bfc688c1b2a4fecb1bb
- Adobe Photoshop 2023 (with AI) installer.dmg 51e8eaf98b77105b448f4a0649d8f7c98ac8fc66
- Promoting phrases of reference (MacOS presentation).dmg 4da5241119bf64d9a7ffc2710b3607817c8df2f
- AnimatedPoster.dmg c2cd344fbcd2d356ab8231d4c0a994df20760e3e
- CardGame.dmg 5ba3181df053e35011e9ebcc5330034e9e895bfe
- Conract for paymen & confidentiality settlement Lucasprod.dmg dec16514cd256613128b93d340467117faca1534
- FreyaVR 1.6.102.dmg d3fd59bd92ac03bccc11919d25d6bbfc85b440d3
- Matrix.dmg 3033c05eec7c7b98d175df2badd3378e5233b5a2
- OfficialBriefDescription.app.zip 345d6077bfb9c55e3d89b32c16e409c508626986
- P7yersOfficialBriefDescription 1.0.dmg 35bfdb4ad20908ac85d00dcd7389a820f460db51
- PDF.app.zip aa40f3f71039096830f2931ac5df2724b2c628ab
- TradingView.dmg e49c078b3c3f696d004f1a85d731cb9ef8c662f1
- YoungClass transient presentation Mac 20OS.zip 3161e6c88a4da5e09193b7aac9aa211a032526b9
- YoungSUG(Cowl references,duties,logos,transient)YoungSUG_Official_Brief_Description_LucasProd.dmg 61c3f2f3a7521920ce2db9c9de31d7ce1df9dd44
Community Communications – IPs
- 13[.]114.196[.]60
- 13[.]125.88[.]10
Community Communications – Domains
- api.osx-mac[.]com
- builder.osx-mac[.]com
- db.osx-mac[.]com
Developer ID
- Bourigaultn Nathan (U5F3ZXR58U)
Mach-O Binaries — Intel x86_64
- 0edd4b81fa931604040d4c13f9571e01618a4c9c
- 13249e30a9918168e79cdb0f097e4b34fbbd891f
- 13bcebdb4721746671e0cbffbeed1d6d92a0cf6c
- 1424f9245a3325c513a09231168d548337ffd698
- 148bc97ff873276666e0c114d22011ec042fb9b9
- 15c377eb5a69f93fa833e845d793691a623f928c
- 166ff1cd47a45e47721bb497b83cc84d8269b308
- 1b3ce71fa42f4c0c16af1b8436fa43ac57d74ce9
- 1cc66e194401f2164ff1cbc8c07121475a570d9f
- 1df31db0f3e5c381ad73488b4b5ac5552326baac
- 1df8ff1fe464a0d9baaeead3c7158563a60199d4
- 1e5319969d6a53efc0ec1345414c62c810f95fce
- 291011119bc2a777b33cc2b8de3d1509ed31b3da
- 2c567a37c49af5bce4a236be5e060c33835132cf
- 33a5043f8894a8525eeb2ba5d80aef80b2a85be8
- 34c7977e20acc8e64139087bd16f0b0a881b044f
- 3589dd0d01527ca4e8a2ec55159649083b0c50a8
- 35c3b735949151aae28ebf16d24fb32c8bcd7e6b
- 35e14d8375f625b04be43019ccb8be57656b15cf
- 394501f410bd9cb4f4432a32b17348cdde3d4157
- 47620d2242dfaf14b7766562e812b7778a342a48
- 57c2302c30955527293ed90bfaf627a4132386fb
- 65de53298958b4f137c4bd64f31f550dd2199c36
- 70625f621f91fd6b1a433a52e57474316e0df662
- 78e8f9a93b56adc8e030403ba5f10f527941f6ae
- 80c83e659c63c963f55c8add4bf62f9bec73d44e
- 816fdf1fd9cf9aff2121d1b59c9cca38b5e4eb9d
- 86eb7c6a4d4bec5abeb6b44e0506ab0d5a96235d
- 8dfeda030bd3b38592b29d633c40e041d5f3331d
- 8ec57c1b1b5409cadb99b050c3c41460d4c7fea8
- 8f211c0ef570382685d024cc8e6e8acd4a137545
- 90d7f8acf3524fcb58c7d7874a5b6e8194689b1a
- 92b178817a6c9ad22f10b52e9a35a925a3dc751b
- a54c9906d41b04b9daf89c2e6eb4fdd54d0eae39
- a8724eb5f9f8f4607b384154f0c398fce207259e
- b51d7482d38dd19b2cb1cd303e39f8bddf5452ac
- bd6b87c6f4f256fb2553627003e8bce58689d1d8
- bdd4ce8c2622ddcf0888e05690c8b3d1a8c83dae
- be1ac5ed5dfd295be15ba5ed9fbb69f10c8ec872
- c37751372bb6c970ab5c447a1043c58ce49e10a5
- c4d9272ef906c7bf4ccc2a11a7107d6b7071537b
- c5429b9b4d1a8e147f5918667732049f3bd55676
- caf4fb1077cea9d75c8ae9d88817e66c870383b5
- cf467ca23bdb81e008e7333456dfceb1e69e9b8a
- cfa56e10c8185792f8a9d1e6d9a7512177044a8b
- d7de135a03a2124c6e0dfa831476e4069ebfba24
- dbf0983b29a175ebbcf7132089e69b3999adeca7
- dfd5adb749cbc5608ca915afed826650fcb0ff05
- e5cfc40d04ea5b1dac2d67f8279c1fd5ecf053f6
- f6f09ecc920eb694ed91e4ec158a15f1fb09f5dd
- f93dd5e3504fe79f7fcd64b55145a6197c84caa2
- f97e22bad439d14c053966193fdfdec60b68b786
- fce7a0c00bfed23d6d70b57395e2ec072c456cba