Threat researchers have confirmed that a nasty new scam targeting macOS users is being actively exploited by hackers looking to get victims to download malware that attempts to steal passwords from the keychain as well as from the Chrome, Brave and Vivaldi web browsers, among others. The campaign, known to have been active now for a worrying four months, uses fake companies to leverage trust and distributes the stealer malware disguised as a video meeting application. Here’s what you need to know.
The Mac Malware Threat To Your Passwords Exposed
In a new report, Tara Gould, the threat research lead at Cado Security Labs, has identified what it calls a new sophisticated scam targeting macOS users with AI-generated content designed to trick them into downloading a video call meeting application that is actually, surprise surprise, malware in disguise. “In order to appear as a legitimate company,” Gould said, “the threat actors created a website with AI-generated content, along with social media accounts.”
The threat analysis revealed that victims have been targeted in various ways, including by known, but cloned, contacts on Telegram wanting to talk about a business opportunity or an investment proposition. Others are said to have been contacted on calls related to their work with blockchain technologies and cryptocurrencies.
In a separate analysis by Joshua Long, chief security analyst at Mac security specialists Intego, users are warned that the same fake meeting software could potentially be used in other scam campaigns and such a variation could target you regardless of your interests.
The malware itself attempts to steal sensitive data from the macOS Keychain, such as the passwords database, Long said, as well as from “various Chromium-based browsers (namely Google Chrome, Microsoft Edge, Arc, Brave, Opera, Vivaldi, and the Vietnamese browser Cốc Cốc), the Telegram Messenger app, and popular cryptocurrency wallets.” The browser data targeted includes session cookies, which are a hacker favorite as they can be used to bypass two-factor authentication protections.
Although the downloads page that victims are directed to in this campaign claims to offer an application for the macOS, Linux and Windows operating systems, Gould said that “all download links lead to the macOS version.” When the downloaded file is opened, Gould continued, an error message is displayed saying that it cannot connect to the server and asking the user to please reinstall or use a VPN. A “continue” button, not so helpful as it turns out, leads to a macOS password prompt.
Mitigating The Mac Malware Threat To Your Passwords
The use of AI within this latest campaign highlights how threat actors are able to quickly pivot attacks to create new and realistic websites with content that adds legitimacy to leverage trust and make scam identification more difficult for the average, or even not-so-average, user. “As a result,” Gould said, “users need to exercise caution when being approached about business opportunities, especially through Telegram.”
“If you use Intego VirusBarrier,” Long said, “you’re already protected from this malware. Intego detects samples from this campaign as OSX/ChainBreaker.fs, OSX/Stealer.ext, Python/KeychainDump, and trojan/TR/PSW.Agent.lyel.”
I have approached Apple, Brave, Google and Opera for a statement.
I would also recommend that anyone interested in protecting their systems and passwords, on whatever operating system platform, read the advice in this thought-provoking guide to understanding how phishing scams work and the best approaches to combat them.