Enterprise macOS users are being targeted by attackers slinging new information-stealing malware dubbed MetaStealer.
The MetaStealer malware
MetaStealer is delivered within malicious disk image format (.dmg) files.
The names of the files – such as Advertising terms of reference (MacOS presentation).dmg and Brief_Presentation-Task_Overview-(SOW)-PlayersClub.dmg – and the inclusion of words such as “Official Brief Description” indicate that the malware peddlers are going specifically after enterprise macOS users.
Some MetaStealer versions were also mimicking Adobe files or software: AdobeOfficialBriefDescription.dmg and Adobe Photoshop 2023 (with AI) installer.dmg.
MetaStealer disk image. (Source: SentinelOne)
A MetaStealer sample in the Conract for paymen & confidentiality agreement Lucasprod.dmg file has been uploaded to VirusTotal, along with a comment from the uploader that they were contacted by someone pretending to be a client, who sent them a password-protected ZIP file containing that DMG file. Once opened, it would reveal an app disguised as a PDF.
“The applications inside the MetaStealer disk images contain the minimum required to form a valid macOS bundle, namely an Info.plist file, a Resources folder containing an icon image and a MacOS folder containing the malicious executable,” noted Phil Stokes, threat researcher at SentinelOne.
The MetaStealer bundles contain an obfuscated Go-based executable that can exfiltrate the macOS keychain, steal passwords and files. Some versions of the malware seemingly target Telegram and Meta services, he also noted.
“This specific targeting of business users is somewhat unusual for macOS malware, which is more commonly found being distributed via torrent sites or suspicious third-party software distributors as cracked versions of business, productivity or other popular software,” Stokes said.
“Interestingly, all the samples we have collected are single architecture Intel x86_64 binaries, meaning that they are unable to run on Apple’s Apple silicon M1 and M2 machines without the help of [Apple’s translation software layer] Rosetta.”
Apple’s malware blocking tool XProtect offers limited protection: it stops some but not all MetaStealer samples.
MacOS infostealers are multiplying
With the growing popularity of macOS devices within enterprise environments, cybercriminals have been focusing on developing more macOS-specific malware.
Just like Atomic Stealer – a malware first advertised in April 2023 and distributed through Google Ads – some MetaStealer version have been seen masquerading as TradingView.
But even though they are both Go-based and use osascript to display error messages, the researchers haven’t noticed other similarities in code, infrastructure and delivery method.
“We cannot rule out that the same team of malware developers could be behind both stealers and that differences in delivery are due to different buyers of the malware, but it is also equally possible that entirely different individuals or teams are simply using similar techniques to achieve the same objectives,” Stokes concluded.