Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

New malware strain stealing business data from Intel Macs

Last updated

Malware called "MetaStealer" is being used by hackers to attack businesses and to steal data from Intel-based Macs, with techniques including posing as legitimate app installers.

Malware attacks against macOS continue to be a problem, with users being coerced into opening executables being the main reason the attacks are successful. In a report detailing a family of macOS "infostealers" referred to as "MetaStealer," security researchers explain how it works by tricking users into opening disk images.

According to Phil Stokes of SentinelOne, MetaStealer attackers are targeting businesses running macOS systems. By pretending to be fake clients, victims are socially engineered into running the malicious payloads on their Mac.

Many samples supplied to SentinelOne reveal that the disk image file holding the payload was often given names that could be of interest to business users. This ranges from names for presentations, a "Concept A3 full menu with dishes and translations to English," and "Conract for paymen & confidentiality agreement Lucasprod" [sic], to the names of installers for Adobe products like Photoshop.

It is believed that targeting business users directly is an unusual move for malware users, as it is typically distributed in mass ways, such as in fake torrents.

The effort to achieve an installation is also made harder for hackers by a number of ways. Since the disk image contains the bare minimum content to exist beyond the payload, the file also tends to not include an Apple Developer ID string, nor use code signing at all, nor ad-hoc signing.

These create extra obstacles, namely that attackers have to somehow convince the would-be victim to override Gatekeeper and OCSP. All of the collected samples are single-architecture Intel x86_64 binaries, so while they would be usable on Intel Macs directly, they would need to use Rosetta to run on Apple Silicon Macs.

While users should be vigilant and use caution when opening questionable files sent by others, or downloaded from unofficial sources, Apple has already introduced some protective measures. As part of XProtect update x2170, Apple includes a detection signature that impacts some versions of MetaStealer.

SentinelOne has also released a list of Indicators of Compromise, intended for use by IT and security teams working for enterprise, which follows below.

Indicators of Compromise

MetaStealer Droppers

  • AdobeOfficialBriefDescription.dmg 00b92534af61a61923210bfc688c1b2a4fecb1bb
  • Adobe Photoshop 2023 (with AI) installer.dmg 51e8eaf98b77105b448f4a0649d8f7c98ac8fc66
  • Advertising terms of reference (MacOS presentation).dmg 4da5241119bf64d9a7ffc2710b3607817c8df2f
  • AnimatedPoster.dmg c2cd344fbcd2d356ab8231d4c0a994df20760e3e
  • CardGame.dmg 5ba3181df053e35011e9ebcc5330034e9e895bfe
  • Conract for paymen & confidentiality agreement Lucasprod.dmg dec16514cd256613128b93d340467117faca1534
  • FreyaVR 1.6.102.dmg d3fd59bd92ac03bccc11919d25d6bbfc85b440d3
  • Matrix.dmg 3033c05eec7c7b98d175df2badd3378e5233b5a2
  • OfficialBriefDescription.app.zip 345d6077bfb9c55e3d89b32c16e409c508626986
  • P7yersOfficialBriefDescription 1.0.dmg 35bfdb4ad20908ac85d00dcd7389a820f460db51
  • PDF.app.zip aa40f3f71039096830f2931ac5df2724b2c628ab
  • TradingView.dmg e49c078b3c3f696d004f1a85d731cb9ef8c662f1
  • YoungClass brief presentation Mac 20OS.zip 3161e6c88a4da5e09193b7aac9aa211a032526b9
  • YoungSUG(Cover references,tasks,logos,brief)\YoungSUG_Official_Brief_Description_LucasProd.dmg 61c3f2f3a7521920ce2db9c9de31d7ce1df9dd44

Network Communications - IPs

  • 13[.]114.196[.]60
  • 13[.]125.88[.]10

Network Communications - Domains

  • api.osx-mac[.]com
  • builder.osx-mac[.]com
  • db.osx-mac[.]com

Developer ID

  • Bourigaultn Nathan (U5F3ZXR58U)

Mach-O Binaries — Intel x86_64

  • 0edd4b81fa931604040d4c13f9571e01618a4c9c
  • 13249e30a9918168e79cdb0f097e4b34fbbd891f
  • 13bcebdb4721746671e0cbffbeed1d6d92a0cf6c
  • 1424f9245a3325c513a09231168d548337ffd698
  • 148bc97ff873276666e0c114d22011ec042fb9b9
  • 15c377eb5a69f93fa833e845d793691a623f928c
  • 166ff1cd47a45e47721bb497b83cc84d8269b308
  • 1b3ce71fa42f4c0c16af1b8436fa43ac57d74ce9
  • 1cc66e194401f2164ff1cbc8c07121475a570d9f
  • 1df31db0f3e5c381ad73488b4b5ac5552326baac
  • 1df8ff1fe464a0d9baaeead3c7158563a60199d4
  • 1e5319969d6a53efc0ec1345414c62c810f95fce
  • 291011119bc2a777b33cc2b8de3d1509ed31b3da
  • 2c567a37c49af5bce4a236be5e060c33835132cf
  • 33a5043f8894a8525eeb2ba5d80aef80b2a85be8
  • 34c7977e20acc8e64139087bd16f0b0a881b044f
  • 3589dd0d01527ca4e8a2ec55159649083b0c50a8
  • 35c3b735949151aae28ebf16d24fb32c8bcd7e6b
  • 35e14d8375f625b04be43019ccb8be57656b15cf
  • 394501f410bd9cb4f4432a32b17348cdde3d4157
  • 47620d2242dfaf14b7766562e812b7778a342a48
  • 57c2302c30955527293ed90bfaf627a4132386fb
  • 65de53298958b4f137c4bd64f31f550dd2199c36
  • 70625f621f91fd6b1a433a52e57474316e0df662
  • 78e8f9a93b56adc8e030403ba5f10f527941f6ae
  • 80c83e659c63c963f55c8add4bf62f9bec73d44e
  • 816fdf1fd9cf9aff2121d1b59c9cca38b5e4eb9d
  • 86eb7c6a4d4bec5abeb6b44e0506ab0d5a96235d
  • 8dfeda030bd3b38592b29d633c40e041d5f3331d
  • 8ec57c1b1b5409cadb99b050c3c41460d4c7fea8
  • 8f211c0ef570382685d024cc8e6e8acd4a137545
  • 90d7f8acf3524fcb58c7d7874a5b6e8194689b1a
  • 92b178817a6c9ad22f10b52e9a35a925a3dc751b
  • a54c9906d41b04b9daf89c2e6eb4fdd54d0eae39
  • a8724eb5f9f8f4607b384154f0c398fce207259e
  • b51d7482d38dd19b2cb1cd303e39f8bddf5452ac
  • bd6b87c6f4f256fb2553627003e8bce58689d1d8
  • bdd4ce8c2622ddcf0888e05690c8b3d1a8c83dae
  • be1ac5ed5dfd295be15ba5ed9fbb69f10c8ec872
  • c37751372bb6c970ab5c447a1043c58ce49e10a5
  • c4d9272ef906c7bf4ccc2a11a7107d6b7071537b
  • c5429b9b4d1a8e147f5918667732049f3bd55676
  • caf4fb1077cea9d75c8ae9d88817e66c870383b5
  • cf467ca23bdb81e008e7333456dfceb1e69e9b8a
  • cfa56e10c8185792f8a9d1e6d9a7512177044a8b
  • d7de135a03a2124c6e0dfa831476e4069ebfba24
  • dbf0983b29a175ebbcf7132089e69b3999adeca7
  • dfd5adb749cbc5608ca915afed826650fcb0ff05
  • e5cfc40d04ea5b1dac2d67f8279c1fd5ecf053f6
  • f6f09ecc920eb694ed91e4ec158a15f1fb09f5dd
  • f93dd5e3504fe79f7fcd64b55145a6197c84caa2
  • f97e22bad439d14c053966193fdfdec60b68b786
  • fce7a0c00bfed23d6d70b57395e2ec072c456cba



2 Comments

FileMakerFeller 6 Years · 1561 comments

Good on SentinelOne for making such detailed information available.

maltz 13 Years · 507 comments

Good on SentinelOne for making such detailed information available.

+1

I had to do some digging to figure out the purpose of the brackets in the IP addresses and domain names, though.  They're there so that they can't be clicked on or used by accident, since they are malicious destinations.  I'm still not sure why the IP addresses have two sets of them, though.