
Between the last two quarters, macOS malware detections doubled, fueled by the surge of infostealer strains designed to siphon sensitive user data, an investigation by Palo Alto Networks' Unit 42 reveals.
Infostealers, often sold as malware-as-a-service, are the most prevalent threat facing Mac and MacBook users, and just three malware families dominate the market.
“We recently identified a growing number of attacks targeting macOS users across multiple regions and industries,” the Unit 42 team said. “In our own telemetry, we detected a 101% increase of macOS infostealers between the last two quarters of 2024.”
Macs are targeted indiscriminately to maximize the data collection and potential monetization. The infostealers collect a wide range of sensitive information, ranging from financial details and crypto wallets to credentials of various services.
Later, the data is leveraged to attack organizations and expose them to significant risks, including data leaks or initial access for ransomware deployment.
According to the researchers, macOS infostealers often exploit the native AppleScript framework. AppleScript is a scripting language created by Apple that allows users to directly control scriptable Macintosh applications and parts of macOS itself.
“This framework provides extensive OS access and it also simplifies execution with its natural language syntax. Since these prompts can look like legitimate system prompts, threat actors use this framework to trick victims via social engineering. For example, they can prompt them to enter credentials or trick them into disabling security controls,” the researchers said.
The three dominating infostealer strains are as follows:
- Atomic Stealer (AMOS): Discovered in April 2023, this malware-as-a-service is sold on illicit hacker forums. Operators usually distribute it via malicious ads (malvertising). AMOS is capable of stealing notes and documents, browser data, including passwords, cookies, and more, crypto wallets, and instant messaging data.
- Poseidon Stealer: Considered to be a fork of Atomic Stealer. Hackers deliver it via Trojanized installers, mimicking legitimate apps. Google ads and malicious spam emails are often abused for distribution. Poseidon prompts users with a dialog box to get their password. It also gathers system information, browser passwords and cookies, crypto wallets, credentials and notes from the Notes app, Telegram data, and passwords from BitWarden and KeePassXC managers.
- Cthulhu Stealer: Another popular malware-as-a-service, it propagates via malicious app installers. It prompts users to enter passwords and also collects a broad range of information. It targets the same data as the other infostealers, but Cthulhu additionally gathers files with multiple extensions, FileZilla configuration files, data related to Minecraft, the gaming platform Battle.net, and more.
“These threats are significant not only for what they can steal directly but also because they can represent an entry point for additional malicious activity. For example, a breach that deploys an infostealer may lead to ransomware deployment later,” Unit 42 warns.
They suggest monitoring sensitive file access and unusual AppleScript executions using security services and software.
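As an added illustration of the monitoring the researchers recommend (example code written for this page, not from Unit 42 or the article), the following Python classifier flags AppleScript executions that build hidden-answer password dialogs or are launched from an unexpected parent process, and flags opens of the file locations the article lists as stealer targets. The path patterns, the parent allow-list and the sample events are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Paths the article lists as infostealer targets (browser data, Notes, Telegram,
# password managers, crypto wallets); the exact patterns are assumptions.
SENSITIVE_PATH_PATTERNS = [
    r"/Library/Application Support/Google/Chrome/[^/]+/(Cookies|Login Data)$",
    r"/Library/Group Containers/group\.com\.apple\.notes/NoteStore\.sqlite$",
    r"/Library/Application Support/Telegram Desktop/tdata/",
    r"/Library/Application Support/(Exodus|KeePassXC|Bitwarden)/",
    r"/Library/Keychains/",
]
# An AppleScript dialog that requests text with the answer hidden is the building
# block of the fake system password prompts described above.
HIDDEN_ANSWER_RE = re.compile(r"display dialog.*with hidden answer", re.I | re.S)
# Parents from which an osascript launch is expected (assumed, simplified allow-list).
EXPECTED_OSASCRIPT_PARENTS = {"Script Editor", "Automator", "Terminal", "launchd"}

@dataclass
class Event:
    kind: str     # "exec" or "file_open"
    process: str  # executable name
    parent: str   # parent process name
    detail: str   # command line for exec, file path for file_open

def classify(event):
    """Return the alert names raised by one event (empty list if benign)."""
    alerts = []
    if event.kind == "exec" and event.process == "osascript":
        if HIDDEN_ANSWER_RE.search(event.detail):
            alerts.append("applescript_credential_prompt")
        if event.parent not in EXPECTED_OSASCRIPT_PARENTS:
            alerts.append("applescript_unusual_parent")
    elif event.kind == "file_open" and any(
            re.search(p, event.detail) for p in SENSITIVE_PATH_PATTERNS):
        alerts.append("sensitive_file_access")
    return alerts

# Constructed sample telemetry for illustration, not real captured data.
SAMPLE_EVENTS = [
    Event("exec", "osascript", "bash", "osascript -e 'display dialog "
          "\"macOS needs your password\" default answer \"\" with hidden answer'"),
    Event("exec", "osascript", "Script Editor", "osascript -e 'beep'"),
    Event("file_open", "Setup", "bash",
          "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"),
    Event("file_open", "Preview", "launchd", "/Users/alice/Documents/report.pdf"),
]
```

Feeding real endpoint telemetry (process-execution and file-open events from an EDR or the macOS Endpoint Security framework) through `classify` gives one row per alert; the parent allow-list will need tuning to each fleet's legitimate automation.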