MacOS malware has a new trick up its sleeve

A newer version of the Atomic Stealer macOS malware has a new trick that allows it to bypass the operating system’s Gatekeeper, Malwarebytes researchers have discovered.

Mac malware delivered through Google ads

The malware, which was first advertised in April 2023, is an infostealer that can grab passwords from browsers, Apple’s keychain, files, crypto wallets, and more.

“Criminals who buy the toolkit have been distributing it mostly via cracked software downloads but are also impersonating legitimate websites and using ads on search engines such as Google to lure victims in,” says Malwarebytes researcher Jérôme Segura.

In the latest delivery campaign spotted by the researcher, the malware poses as TradingView, a popular platform and app to track financial markets. Potential victims are redirected by a malicious ad to a phishing site mimicking that legitimate platform’s page.

The page has three download buttons: the Windows and Linux ones trigger the download of a RAT from Discord, while the macOS one downloads the Atomic Stealer from a third-party site.

The downloaded macOS stealer comes with instructions on how to open the file. Victims are unaware that these opening steps are designed to bypass Gatekeeper, the macOS security feature that enforces code signing and verifies downloaded applications.

MacOS malware bypasses Gatekeeper

The downloaded file (TradingView.dmg) comes with instructions on how to open it. (Source: Malwarebytes)

“Unlike regular apps, it does not need to be copied into the Mac’s Apps folder but is simply mounted and executed,” Segura noted.

“The malware is bundled in an ad-hoc signed app meaning it’s not an Apple certificate, so it cannot be revoked. Once executed, it will keep prompting for the user password in a never-ending loop until victims finally relent and type it in.”
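The ad-hoc signing described above is something an admin can check for before anything inside a mounted disk image is run. The script below is an added example (not Malwarebytes' tooling or anything from the Atomic Stealer campaign): it classifies an app from the output of `codesign -dv --verbose=4` and flags ad-hoc or unsigned bundles, which Gatekeeper would only run after a manual override. The mount path and the sample `codesign` output are constructed for offline use.

```shell
#!/bin/sh
# Added example: classify how a macOS app bundle is signed from the text that
# `codesign -dv --verbose=4` prints. Ad-hoc signed apps (flags=...(adhoc),
# "Signature=adhoc") carry no Apple-issued certificate, so there is nothing
# for Apple to revoke; Developer ID apps show an "Authority=Developer ID
# Application: ..." line instead.

# Read codesign output on stdin and print one of:
#   unsigned | adhoc | developer-id | other-signed | unknown
classify_codesign_output() {
    out=$(cat)
    case "$out" in
        *"code object is not signed at all"*)        echo unsigned ;;
        *"Signature=adhoc"*)                         echo adhoc ;;
        *"Authority=Developer ID Application:"*)     echo developer-id ;;
        *"Authority="*)                              echo other-signed ;;
        *)                                           echo unknown ;;
    esac
}

# On a Mac: assess one app bundle, e.g. inside a mounted disk image.
# Returns non-zero for ad-hoc or unsigned apps so it can gate an install script.
# Hypothetical usage: assess_app /Volumes/SomeImage/Some.app
assess_app() {
    app="$1"
    sig=$(codesign -dv --verbose=4 "$app" 2>&1 | classify_codesign_output)
    # Quarantine attribute is what makes Gatekeeper evaluate the app at all.
    quarantine=$(xattr -p com.apple.quarantine "$app" 2>/dev/null || echo none)
    echo "signature=$sig quarantine=${quarantine:-none}"
    case "$sig" in
        adhoc|unsigned) return 1 ;;
    esac
    return 0
}

# Constructed sample resembling codesign output for an ad-hoc signed bundle.
SAMPLE_ADHOC='Executable=/Volumes/Example/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=404 flags=0x2(adhoc) hashes=10+7 location=embedded
Signature=adhoc
Info.plist entries=20
Sealed Resources version=2 rules=13 files=5'
```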

Finally, the attacker starts exfiltrating data: passwords from browsers or keychain, autofills, user information, crypto wallets, files, and cookies.

MacOS malware is getting more popular

In the last year or so, cybercriminals have increased their reliance on Google Search ads as a way to lead users to legitimate-looking websites and trick them into downloading malware.

And as more consumers and enterprise users switch to using Macs, Apple’s machines have become an increasingly attractive target for malicious actors.

“While Mac malware really does exist, it tends to be less detected than its Windows counterpart. The developer or seller for the Atomic Stealer actually made it a selling point that their toolkit is capable of evading detection,” said Segura.

Users should exercise caution when downloading apps or programs, especially when searching for them via Google. They should be downloaded only from official sites or trusted sources (e.g., App Store).

To help admins detect and remediate malicious activity in their networks, Malwarebytes has also shared indicators of compromise (IoC).
