A newer version of the Atomic Stealer macOS malware has a new trick that allows it to bypass the operating system's Gatekeeper, Malwarebytes researchers have discovered.

The malware, which was first advertised in April 2023, is an infostealer that can grab passwords from browsers, Apple's keychain, files, crypto wallets, and more.

"Criminals who buy the toolkit have been distributing it mostly via cracked software downloads but are also impersonating legitimate websites and using ads on search engines such as Google to lure victims in," says Malwarebytes researcher Jérôme Segura.

In the latest delivery campaign spotted by the researcher, the malware poses as TradingView, a popular platform and app to track financial markets. Potential victims are redirected by a malicious ad to a phishing site mimicking that legitimate platform's page. The page has three download buttons: the Windows and Linux ones trigger the download of a RAT from Discord, and the macOS one downloads the Atomic Stealer from a third-party site.

The downloaded file (TradingView.dmg) comes with instructions on how to open it.

[Figure: the downloaded macOS stealer instructs users on how to open the file.]

The victims aren't aware of this, but the opening process aims to bypass Gatekeeper, macOS' security feature that enforces code signing and verifies downloaded applications.

"Unlike regular apps, it does not need to be copied into the Mac's Apps folder but is simply mounted and executed," Segura noted. "The malware is bundled in an ad-hoc signed app meaning it's not an Apple certificate, so it cannot be revoked. Once executed, it will keep prompting for the user password in a never-ending loop until victims finally relent and type it in."

Finally, the attacker starts exfiltrating data: passwords from browsers or keychain, autofills, user information, crypto wallets, files, and cookies.

As more consumers and enterprise users switch to using Macs, Apple's machines have become an increasingly attractive target for malicious actors. In the last year or so, cybercriminals have increased their reliance on Google Search ads as a way to lead users to legitimate-looking websites and trick them into downloading malware.

"While Mac malware really does exist, it tends to be less detected than its Windows counterpart. The developer or seller for the Atomic Stealer actually made it a selling point that their toolkit is capable of evading detection," said Segura.

Users should exercise caution when downloading apps or programs, especially when searching for them via Google. They should be downloaded only from official sites or trusted sources (e.g., the App Store).

To help admins detect and remediate malicious activity in their networks, Malwarebytes has also shared indicators of compromise (IoC).

No 9to5Mac reader is going to be at risk from malware that directs users to a scam website and asks them to download software, but Malwarebytes has discovered a previously unknown piece of Mac malware that could easily fool less technical users.

Thomas Reed, lead researcher at Malwarebytes, told us that he found the malware on a scam page hosted on the official Advanced Mac Cleaner website …

It does rely on a naive user approving a request to install Advanced Mac Cleaner on their machine, but doing so also installs a second app known as Mac File Opener.

Even more intriguing, this app didn't have any apparent mechanism for being launched. Reed said that it wasn't initially obvious how the app could force users to launch it. There wasn't a new launch agent or daemon designed to load it. It simply seemed to be sitting there, doing nothing.

But some digging found that the Info.plist file within the app defined a list of 232 different file types that it claimed to be able to open. If a user tries to open a file for which they don't have a corresponding app, it will be opened by Mac File Opener, which then presents a reasonably convincing fake version of the normal OS X dialog box advising that no suitable app is installed.

The fake dialog box links to the macfileopener.com website, which downloads other junk PCVARK apps, such as Mac Adware Remover or Mac Space Reviver. All the apps have a valid, Apple-provided developer certificate, so OS X will happily install them without any warning.
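Both behaviours described above can be triaged from artefacts a defender already has on hand: the Atomic Stealer app is ad-hoc signed, so Gatekeeper has no Apple-issued certificate to revoke, and Mac File Opener declares 232 document types in its Info.plist so that it becomes the handler for files no other app claims. The Python below is an editor-added example, not code from Malwarebytes, Help Net Security or 9to5Mac. It assumes the caller supplies the text printed by `codesign -dvv App.app` and the raw bytes of `App.app/Contents/Info.plist`; the sample inputs, paths, identifiers and the 50-extension threshold are all constructed for illustration.

```python
"""Triage a downloaded macOS app from two artefacts: the property lines
printed by `codesign -dvv <App.app>` and the bundle's Info.plist.

Editor-added example, not code from Malwarebytes, Help Net Security or
9to5Mac. Sample inputs are constructed; the threshold is an arbitrary
cut-off chosen for this example, not an Apple rule.
"""
import plistlib
import re

# `codesign -dvv` prints one "Key=Value" property per line.
ADHOC_RE = re.compile(r"^Signature=adhoc\s*$", re.M)
AUTHORITY_RE = re.compile(r"^Authority=(.+)$", re.M)
TEAM_RE = re.compile(r"^TeamIdentifier=(.+)$", re.M)
FLAGS_RE = re.compile(r"^CodeDirectory .*flags=0x[0-9a-fA-F]+\(([^)]*)\)", re.M)


def signature_findings(codesign_text):
    """Return findings about the signature; [] means an ordinary Developer ID signature.

    Apple can block a Developer ID certificate by revoking it; an ad-hoc
    signature has no certificate behind it, so there is nothing to revoke.
    """
    findings = []
    if ADHOC_RE.search(codesign_text):
        findings.append("ad-hoc signed: no Apple-issued certificate, so nothing to revoke")
    authorities = AUTHORITY_RE.findall(codesign_text)
    if not any(a.startswith("Developer ID Application:") for a in authorities):
        findings.append("no Developer ID Application certificate in the chain")
    team = TEAM_RE.search(codesign_text)
    if team is None or team.group(1).strip() == "not set":
        findings.append("no Team ID, so the app cannot be tied to a developer account")
    flags = FLAGS_RE.search(codesign_text)
    if flags is None or "runtime" not in flags.group(1).split(","):
        findings.append("hardened runtime not enabled")
    return findings


def document_type_findings(info_plist_bytes, threshold=50):
    """Return (findings, extensions) for the file types an Info.plist claims to open.

    macOS picks the app for a file with no other handler from these claims, so
    an app declaring hundreds of extensions becomes the default for all of them.
    """
    info = plistlib.loads(info_plist_bytes)
    extensions = set()
    for entry in info.get("CFBundleDocumentTypes", []):
        for ext in entry.get("CFBundleTypeExtensions", []):
            extensions.add(str(ext).lower())
    findings = []
    if "*" in extensions:
        findings.append("claims the wildcard extension '*' (handler for any file)")
    if len(extensions) >= threshold:
        findings.append(f"claims {len(extensions)} file extensions (threshold {threshold})")
    return findings, sorted(extensions)


def triage(codesign_text, info_plist_bytes):
    """Combine both checks into one report dict."""
    doc_findings, extensions = document_type_findings(info_plist_bytes)
    return {"signature": signature_findings(codesign_text),
            "document_types": doc_findings,
            "extension_count": len(extensions)}


# Constructed sample of `codesign -dvv` output for an ad-hoc signed app
# mounted from a disk image (paths and identifier are illustrative).
ADHOC_CODESIGN = """\
Executable=/Volumes/TradingView/TradingView.app/Contents/MacOS/TradingView
Identifier=TradingView
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=433 flags=0x2(adhoc) hashes=8+2 location=embedded
Signature=adhoc
Info.plist entries=13
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=3
"""

# Constructed sample for an ordinary Developer ID signed app (fake team ID).
DEVID_CODESIGN = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Info.plist entries=20
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=40
"""


def make_info_plist(extensions):
    """Build Info.plist bytes declaring one document type per extension (constructed)."""
    doc_types = [{"CFBundleTypeName": f"{ext} file", "CFBundleTypeRole": "Viewer",
                  "CFBundleTypeExtensions": [ext]} for ext in extensions]
    return plistlib.dumps({"CFBundleIdentifier": "com.example.opener",
                           "CFBundleDocumentTypes": doc_types})


ORDINARY_PLIST = make_info_plist(["txt", "md"])
# Mirrors the 232 file types the article reports; the extension names are made up.
GREEDY_PLIST = make_info_plist([f"ext{i}" for i in range(232)])

if __name__ == "__main__":
    print("ad-hoc app, greedy plist:", triage(ADHOC_CODESIGN, GREEDY_PLIST))
    print("Developer ID app, ordinary plist:", triage(DEVID_CODESIGN, ORDINARY_PLIST))
```

On a real Mac the inputs come from `codesign -dvv /path/App.app 2>&1` (codesign writes its properties to stderr) and `App.app/Contents/Info.plist`; `plistlib.loads` accepts both the XML and binary plist encodings, so no `plutil` conversion is needed. A non-empty `signature` list is not proof of malice, since unsigned hobby software looks the same, but combined with a greedy document-type claim it is exactly the pattern the two articles describe.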