A new information-stealing malware, dubbed ‘MetaStealer’, is harvesting a wide range of sensitive data from Intel-based macOS systems.
This malware, distinct from last year’s ‘META’ data-thief, is written in Go. Notably, it evades Apple’s built-in antivirus, XProtect, and primarily targets business users.
SentinelOne has been tracking the malware for several months and notes that it relies on social engineering for distribution.
Although it shares some traits with Atomic Stealer, another Go-based stealer that targets macOS, the two have little code in common and their distribution methods differ.
SentinelOne therefore assesses MetaStealer as a separate operation.
Infiltration into macOS Devices:
On VirusTotal, SentinelOne found a malware sample accompanied by a comment indicating that the operators behind MetaStealer approach businesses while posing as their clients in order to deliver the malware.
The VirusTotal comment described being contacted by someone posing as a design client. The target received a password-protected ZIP archive containing a DMG file, and became suspicious on finding inside it an application disguised as a PDF.
The phishing messages carry disk image files. Once mounted, they present misleadingly named executables that imitate PDF files in order to deceive the recipient.
Several of the DMGs SentinelOne identified carried names suggesting Adobe software or client projects, such as:
- Advertising terms of reference (MacOS presentation).dmg
- CONCEPT A3 full menu with dishes and translations to English.dmg
- Adobe Photoshop 2023 (with AI) installer.dmg
Inside these malicious application bundles are the basics: an Info.plist file, an icon image in a Resources folder, and a malicious Mach-O executable in the MacOS folder.
Notably, none of the samples SentinelOne analyzed were notarized by Apple, even though some carried an Apple Developer ID signature.
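The bundle layout just described (Info.plist, a Resources folder, a Mach-O in MacOS, a name that pretends to be a PDF, and a binary built only for x86_64) can be triaged statically without running anything. The script below is an added example, not code from SentinelOne or from the article: it builds a constructed bundle of that shape in a temporary directory, reads the Info.plist, parses the Mach-O header (thin or universal) to list the architectures, and checks for the bundle signature seal. The document-extension list and the sample bundle name are assumptions; notarization itself cannot be determined from the files alone and is left to `spctl` on a Mac.

```python
import plistlib
import struct
import tempfile
from pathlib import Path

# Mach-O constants from <mach-o/loader.h> / <mach/machine.h>
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit thin Mach-O, header stored little-endian
FAT_MAGIC = 0xCAFEBABE          # universal (fat) binary, header stored big-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

# Extensions an app or executable name should never end with (assumed list)
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".txt")


def parse_macho_archs(data: bytes):
    """Return the architecture names found in a thin or fat Mach-O header blob."""
    if len(data) < 8:
        return []
    if struct.unpack_from("<I", data, 0)[0] == MH_MAGIC_64:
        cputype = struct.unpack_from("<I", data, 4)[0]
        return [CPU_NAMES.get(cputype, hex(cputype))]
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        archs = []
        for i in range(nfat):
            # struct fat_arch is 20 bytes; cputype is its first field
            cputype = struct.unpack_from(">I", data, 8 + 20 * i)[0]
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    return []


def triage_bundle(app_dir):
    """Collect the indicators described in the article from one .app bundle."""
    app_dir = Path(app_dir)
    contents = app_dir / "Contents"
    info = plistlib.loads((contents / "Info.plist").read_bytes())
    exe_name = info.get("CFBundleExecutable", "")
    display = info.get("CFBundleDisplayName") or info.get("CFBundleName") or app_dir.stem
    names = {display, app_dir.stem, exe_name}
    findings = {
        "name_mimics_document": any(n.lower().endswith(DOCUMENT_EXTENSIONS) for n in names),
        "architectures": [],
        "intel_only": False,
        # _CodeSignature/CodeResources is the bundle's signature seal; its absence means the
        # bundle is not signed at all. Presence does NOT imply notarization; check that with
        # `spctl --assess --type execute <app>` on a Mac.
        "bundle_signature_seal": (contents / "_CodeSignature" / "CodeResources").is_file(),
    }
    exe_path = contents / "MacOS" / exe_name
    if exe_path.is_file():
        archs = parse_macho_archs(exe_path.read_bytes()[:4096])
        findings["architectures"] = archs
        findings["intel_only"] = archs == ["x86_64"]
    return findings


def build_sample_bundle(root):
    """Construct a synthetic bundle with the shape the article describes (not a real sample)."""
    name = "Advertising terms of reference.pdf"          # constructed, PDF-lookalike name
    app = Path(root) / f"{name}.app"
    (app / "Contents" / "MacOS").mkdir(parents=True)
    (app / "Contents" / "Resources").mkdir()
    (app / "Contents" / "Resources" / "icon.icns").write_bytes(b"")
    plist = {"CFBundleExecutable": name, "CFBundleDisplayName": name, "CFBundleIconFile": "icon.icns"}
    (app / "Contents" / "Info.plist").write_bytes(plistlib.dumps(plist))
    # Minimal 64-bit Mach-O header for x86_64: magic, cputype, remaining fields zeroed
    header = struct.pack("<II", MH_MAGIC_64, CPU_TYPE_X86_64) + b"\0" * 24
    (app / "Contents" / "MacOS" / name).write_bytes(header)
    return app


# Constructed universal header with two slices, to show fat-binary handling
SAMPLE_FAT_HEADER = (
    struct.pack(">II", FAT_MAGIC, 2)
    + struct.pack(">IIIII", CPU_TYPE_X86_64, 3, 0, 0, 0)
    + struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 0, 0, 0)
)


def demo():
    """Build the constructed bundle and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_bundle(build_sample_bundle(tmp))


if __name__ == "__main__":
    print(demo())
    print(parse_macho_archs(SAMPLE_FAT_HEADER))
```

A real bundle from a mounted DMG is triaged with `triage_bundle("/Volumes/<image>/<name>.app")`; a result of `intel_only` plus a document-style name and no signature seal matches the profile the article gives, while a universal binary would show both slices. The header check reads only the first 4 KiB and never executes the file.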
Capabilities of MetaStealer:
MetaStealer is built to steal information such as passwords, files, and application data from compromised systems, and then attempts to exfiltrate it over TCP port 3000.
The malware includes features to dump the keychain, extract saved passwords, retrieve files from the device, and specifically target Telegram and Meta (formerly Facebook) services.
macOS’s keychain is the core password-management system that stores credentials for a wide range of uses, so extracting its contents can give attackers an entry point to sensitive data.
At present, MetaStealer runs only on the Intel x86_64 architecture, so Apple Silicon Macs (M1, M2) are unaffected unless the user launches the malware under Rosetta.
This limits its reach, especially as Intel-based Apple devices are gradually being phased out.
Even so, the prospect of a MetaStealer build for Apple Silicon remains a looming concern.
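Taken together, the behaviours above (exfiltration over TCP port 3000, a process launched from a mounted disk image, an executable named like a document, and an Intel binary running under Rosetta) make a workable host-side detection. The code below is an added example, not SentinelOne's or the article's: it scores constructed connection records against those indicators and flags only events that match more than one, because port 3000 alone is shared with countless local development servers. The one-line log format, the `/Volumes/` path heuristic and the sample lines are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

EXFIL_PORT = 3000  # TCP port the article reports MetaStealer using for exfiltration

# Constructed event schema: one line per outbound connection, as an EDR or network sensor
# might export it. This is an assumed format, not a real macOS log format.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) proc="(?P<proc>[^"]+)" dport=(?P<dport>\d+) '
    r"arch=(?P<arch>\w+) translated=(?P<translated>[01])$"
)


@dataclass
class ConnEvent:
    timestamp: str
    process_path: str
    dest_port: int
    arch: str          # architecture of the running image: x86_64 or arm64
    translated: bool   # True when the process runs under Rosetta on Apple Silicon


def parse_line(line):
    """Parse one record; return None for lines that do not match the schema."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ConnEvent(m["ts"], m["proc"], int(m["dport"]), m["arch"], m["translated"] == "1")


def indicators(ev):
    """Return the indicators matched by one event; each maps to a point in the article."""
    hits = []
    if ev.dest_port == EXFIL_PORT:
        hits.append("outbound tcp/3000")
    if ev.process_path.startswith("/Volumes/"):        # mounted DMG (assumed heuristic)
        hits.append("process image on a mounted volume")
    basename = ev.process_path.rsplit("/", 1)[-1].lower()
    if basename.endswith((".pdf", ".doc", ".docx")):
        hits.append("executable named like a document")
    if ev.arch == "x86_64" and ev.translated:
        hits.append("Intel binary under Rosetta")
    return hits


def find_suspicious(lines, min_hits=2):
    """Flag events with at least min_hits indicators. A single hit, such as any dev
    server on port 3000, is too noisy on its own."""
    flagged = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        hits = indicators(ev)
        if len(hits) >= min_hits:
            flagged.append((ev.process_path, hits))
    return flagged


# Constructed sample: a local dev server (benign), a PDF-lookalike app run from a mounted
# DMG under Rosetta, a browser, and an installer-lookalike run from a mounted DMG.
SAMPLE_LOG = """
2023-09-11T09:58:01Z proc="/usr/local/bin/node" dport=3000 arch=arm64 translated=0
2023-09-11T10:02:14Z proc="/Volumes/Advertising terms of reference (MacOS presentation)/Advertising terms of reference.pdf.app/Contents/MacOS/Advertising terms of reference.pdf" dport=3000 arch=x86_64 translated=1
2023-09-11T10:02:20Z proc="/Applications/Safari.app/Contents/MacOS/Safari" dport=443 arch=arm64 translated=0
2023-09-11T10:05:02Z proc="/Volumes/Adobe Photoshop 2023 (with AI) installer/Adobe Photoshop 2023 (with AI) installer.app/Contents/MacOS/Installer" dport=3000 arch=x86_64 translated=0
"""


def run_sample(min_hits=2):
    """Run the detector over the constructed sample log."""
    return find_suspicious(SAMPLE_LOG.strip().splitlines(), min_hits)


if __name__ == "__main__":
    for path, hits in run_sample():
        print(path, "->", ", ".join(hits))
```

With the default threshold the node dev server is not flagged, the PDF-lookalike process matches all four indicators, and the installer-lookalike matches two (port 3000 plus the mounted-volume path). Lowering `min_hits` to 1 surfaces the dev server as well, which is the trade-off to tune against local telemetry.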