A new family of infostealers targeted at Mac users has emerged, and attackers are using it to go after enterprise users specifically.
The malware is known as MetaStealer, and researchers from SentinelOne have observed attackers using it against Mac users in various industries, aiming to gain a foothold in corporate networks. The MetaStealer malware is usually hidden in malicious documents or files, sometimes in files disguised to look like an Adobe application or document.
“Many of the samples of MetaStealer we have observed are distributed in malicious application bundles contained in disk image format (.dmg) with names indicating that the targets were business users of Mac devices,” Phil Stokes of SentinelOne said in a post.
“This specific targeting of business users is somewhat unusual for macOS malware, which is more commonly found being distributed via torrent sites or suspicious third-party software distributors as cracked versions of business, productivity or other popular software.”
The MetaStealer malware is designed specifically for machines running on Apple M1 and M2 processors, and the code is heavily obfuscated. The researchers were able to find some indications of the malware’s functionality despite the obfuscation, and said that MetaStealer is capable of stealing saved passwords, the contents of the keychain, and files. Some MetaStealer variants also have code designed to target Telegram and Meta apps.
Researchers first identified MetaStealer in March, and newer versions have appeared steadily since then. Last week, Apple added a detection signature for MetaStealer to its XProtect antimalware system for macOS.
“Although we have seen some versions carrying an Apple Developer code signature embedded in the executable (Bourigaultn Nathan (U5F3ZXR58U)), none of the samples we observed attached a code signature or used ad hoc signing. This means that to gain execution, the threat actor would likely need to guide or persuade the victim to override protections such as Gatekeeper and OCSP,” Stokes said.
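As an added triage example (not code from SentinelOne or from this article), the following Python reads a Mach-O executable's header to report which CPU architectures it contains and whether each slice carries an LC_CODE_SIGNATURE load command, then flags the arm64-only, unsigned profile described above; the sample inputs are constructed in-code, and the check only detects the presence of a signature, not whether it is Developer ID or ad hoc (on a Mac, `codesign -dv` answers that).

```python
import struct

MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACF, 0xCAFEBABE
CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x01000007, 0x0100000C
LC_UUID, LC_CODE_SIGNATURE = 0x1B, 0x1D
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def parse_thin(data):
    """One little-endian 64-bit Mach-O image -> (arch name, has LC_CODE_SIGNATURE)."""
    magic, cputype, _, _, ncmds, sizeofcmds = struct.unpack_from("<IiiIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image")
    off, end, signed = 32, 32 + sizeofcmds, False
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")  # truncated or hostile header
        signed |= cmd == LC_CODE_SIGNATURE  # presence only; signature kind needs codesign(1)
        off += cmdsize
    return CPU_NAMES.get(cputype, hex(cputype)), signed


def triage(data):
    """Return {arch: signed} for a thin image or a big-endian fat (universal) wrapper."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return dict([parse_thin(data)])
    nfat = struct.unpack_from(">I", data, 4)[0]
    archs = [struct.unpack_from(">iiIII", data, 8 + 20 * i) for i in range(nfat)]
    return dict(parse_thin(data[off:off + size]) for _, _, off, size, _ in archs)


def matches_profile(data):
    """True when the binary is arm64-only and no slice carries a code signature."""
    slices = triage(data)
    return set(slices) == {"arm64"} and not any(slices.values())


def build_sample(cputype, signed):
    """Constructed test input (not a real sample): header + LC_UUID [+ LC_CODE_SIGNATURE]."""
    cmds = struct.pack("<II", LC_UUID, 24) + bytes(16)
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)  # linkedit_data_command
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, 2, 1 + signed, len(cmds), 0, 0)
    return header + cmds


def build_fat(images):
    """Constructed universal wrapper around thin images (alignment not needed by triage())."""
    offset, archs, body = 8 + 20 * len(images), b"", b""
    for img in images:
        cputype = struct.unpack_from("<i", img, 4)[0]
        archs += struct.pack(">iiIII", cputype, 0, offset + len(body), len(img), 0)
        body += img
    return struct.pack(">II", FAT_MAGIC, len(images)) + archs + body
```

To triage a real bundle from a mounted .dmg, pass the bytes of the main executable under Contents/MacOS/ to triage() and matches_profile().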
MetaStealer joins a growing list of infostealers targeting Mac users. Another recent discovery, Atomic Stealer, shares some similarities with MetaStealer, including disguising the malware as TradingView apps. The two pieces of malware don’t share much in the way of code, though, so the SentinelOne researchers said it was unknown if they were related or developed by the same group.