Jamf Threat Labs has published a new report on infostealer malware that targets macOS users. The report details two malware attacks; the first is a new implementation of the Atomic Stealer malware, while the second involves an attack in an online communications tool. Both attacks steal a user’s sensitive information, such as account usernames and passwords, and data from crypto wallets.
Atomic Stealer was first reported about a year ago, distributed through unsigned disk image files (.dmg) when a user downloads an app. Jamf Threat Labs reports that Atomic Stealer is now being distributed through a sponsored link on Google when searching for “Arc Browser.” Arc Browser is a legitimate free browser by The Browser Company whose website is located at arc.net.
However, the sponsored ad that a Google user may see takes the user to aricl or airci dot net instead of the Arc Browser’s actual website. If the user proceeds to download what they think is the browser installer, they are instructed to run the installer by Control-clicking the icon and selecting Open–this is macOS’s way to bypass Gatekeeper, which usually provides a warning of possible malicious software and instances of unsigned installers, stops the installation.
After Atomic Stealer is installed, a prompt appears that says that System Settings needs to be updated for the app–which the user thinks is Arc browser–to run. The user is asked to enter the account password, allowing the malware to access Keychain’s data, which is sent to the attacker’s server.
As of this writing, it appears that the malicious websites have been reported to the hosting service and have been taken down. Going to aricl or airci dot net results in a webpage with the logo for FastPanel, a server management tool provided by web hosting services. It’s not known if Google has halted distribution of the malicious ad.
Meethub malware
Jamf Threat Labs also reports on an attack involving online meeting software on meethub dot gg. An attacker reaches out to a target and requests to use Meethub, which the user downloads. As with the Atomic Stealer Arc download, the user is instructed to use Control-click > Open to install the software and bypass Gatekeeper.
After installation, the user is asked to enter their account password, which allows the malware to access Keychain and crypto wallet data. The data is then sent to the attacker’s server.
While Jamf’s report on Meethub involves software downloaded from the web, it does not provide information on the Meethub app that is available on the App Store, which runs on iPhones and M-series Macs. Jamf has been contacted for clarification and we will update this article appropriately.
How to avoid the new infostealer attacks
Apple’s Gatekeeper functionality prevents users from running unsigned software installers. When a user double-clicks an installer, Gatekeeper checks for the certificate issued by Apple to developers; the certificate tells Apple who the developer is and if it’s blacklisted, and if the software has been tampered with since leaving the developer for distribution. Users can bypass Gatekeeper warnings by Control-clicking an installer and selecting Open from the pop-up menu–if this method is required by the software developer, it’s a red flag.
Apple releases security patches through OS updates, so installing them as soon as possible is important. And as always, when downloading software, get it from trusted sources, such as the App Store (which makes security checks of its software) or directly from the developer. Macworld has several guides to help, including a guide on whether or not you need antivirus software, a list of Mac viruses, malware, and trojans, and a comparison of Mac security software.