macOS MetaStealer attacks take aim at business Mac users


Protect Your Access to the Internet

Malware called “MetaStealer” is being used by hackers to attack businesses and to steal data from Intel-based Macs, with techniques including posing as legitimate app installers.

Malware attacks against macOS continue to be a problem, with users being coerced into opening executables being the main reason the attacks are successful. In a report detailing a family of macOS “infostealers” referred to as “MetaStealer,” security researchers explain how it works by tricking users into opening disk images.

According to Phil Stokes of SentinelOne, MetaStealer attackers are targeting businesses running macOS systems. By pretending to be fake clients, victims are socially engineered into running the malicious payloads on their Mac.

Many samples supplied to SentinelOne reveal that the disk image file holding the payload was often given names that could be of interest to business users. This ranges from names for presentations, a “Concept A3 full menu with dishes and translations to English,” and “Conract for paymen & confidentiality agreement Lucasprod” [sic], to the names of installers for Adobe products like Photoshop.

It is believed that targeting business users directly is an unusual move for malware users, as it is typically distributed in mass ways, such as in fake torrents.

The effort to achieve an installation is also made harder for hackers by a number of ways. Since the disk image contains the bare minimum content to exist beyond the payload, the file also tends to not include an Apple Developer ID string, nor use code signing at all, nor ad-hoc signing.

These create extra obstacles, namely that attackers have to somehow convince the would-be victim to override Gatekeeper and OCSP. All of the collected samples are single-architecture Intel x86_64 binaries, so while they would be usable on Intel Macs directly, they would need to use Rosetta to run on Apple Silicon Macs.

While users should be vigilant and use caution when opening questionable files sent by others, or downloaded from unofficial sources, Apple has…