
A new information stealer for macOS is delivered through fake browser-update lures, with the payload chosen according to the visitor's browser, and relies on social engineering to get the victim to run it.
Two new cybercriminal groups, TA2726 and TA2727, are carrying out web injection attacks and deploying new malware dubbed FrigidStealer, according to researchers from cybersecurity company Proofpoint.
Previously, web injection malware was mainly distributed by another cybercriminal group dubbed TA569.
The group used SocGholish injects presented to the visitor as a fake browser update, leading to malware installation and follow-on ransomware attacks. Within the security community the group became almost synonymous with "fake updates".
At the beginning of 2023, groups like TA2726 and TA2727 emerged, using the same web inject and traffic redirection techniques, Proofpoint says.
New threat actors
Typically, malicious website injection attacks consist of three parts: the malicious injects served to website visitors, a traffic distribution service (TDS) responsible for determining which user gets which payload, and the payload downloaded by the script.
Proofpoint thinks that TA2726, which has been active since around 2022 and works with other cybercriminals, could be responsible for the webserver or website compromises that lead to injects operated by other threat actors.
Proofpoint identified the other group, TA2727, this January while investigating a suspected TA569 attack chain that appeared to deliver different payloads depending on the user's geography.
“In the campaign, emails contained URLs linking to websites compromised with malicious JavaScript website injects. When a user visited a compromised website, TDS domains directed traffic to various actor-controlled domains to deliver a malicious payload,” Proofpoint says in its blog post.
In the US and Canada, TA2727's chain served the SocGholish inject.
In France and the UK, the campaign instead delivered a separate fake update chain whose payload is selected from the visitor's user agent, that is, from the operating system and browser it reports.
If a user visited a compromised website from a Windows computer running Edge or Chrome, the site redirected them to a page instructing them to update their browser.
After the user clicked the "Update" button, an MSI file was downloaded and the page displayed instructions on how to install it, Proofpoint says.
On Windows, one of the DLLs bundled in the installer was trojanized with DOILoader; Android visitors instead received the Marcher banking trojan.
FrigidStealer
At the beginning of this year, the group turned the same tactics on macOS users. After the user clicked the "Update" button, the TDS served a DMG file, with the variant chosen by filtering on the visitor's browser.
The download page told the user to right-click the application and select "Open", which bypasses Gatekeeper, the macOS security feature that would otherwise warn the user that the application is untrusted, Proofpoint says.
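The routing described in the two sections above is what a traffic distribution service does: the same compromised page yields a different lure for each combination of geography, operating system and browser, and nothing at all for profiles the operator is not interested in. The following is an added example, not the actors' or Proofpoint's code, that models those rules from the article so an analyst can see why a default sandbox profile (often Linux, a non-targeted country, or a generic user agent) never sees the payload. Country codes, the user-agent heuristics and the file names are assumptions; only the routing outcomes come from the article.

```python
"""Model of geography / user-agent payload selection by a TDS.

Constructed illustration of the chains reported above; the domain-free
placeholder file names, country codes and user-agent heuristics are
assumptions, not observed indicators.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Visitor:
    country: str      # ISO 3166 code a TDS would derive from the source IP
    user_agent: str   # raw User-Agent header


def platform_of(ua: str) -> str:
    """Coarse OS classification from the User-Agent string (assumed heuristic)."""
    ua = ua.lower()
    if "android" in ua:
        return "android"
    if "windows" in ua:
        return "windows"
    if "macintosh" in ua or "mac os x" in ua:
        return "macos"
    return "other"


def browser_of(ua: str) -> str:
    """Coarse browser classification; Edge must be tested before Chrome."""
    ua = ua.lower()
    if "edg/" in ua:
        return "edge"
    if "chrome/" in ua:
        return "chrome"
    if "safari/" in ua:
        return "safari"
    return "other"


def select_payload(v: Visitor) -> Optional[str]:
    """Return the lure the modelled TDS serves, or None for a benign page."""
    plat = platform_of(v.user_agent)
    browser = browser_of(v.user_agent)
    if v.country in ("US", "CA"):
        return "socgholish-fake-update.js"          # SocGholish inject
    if v.country in ("FR", "GB"):
        if plat == "windows" and browser in ("chrome", "edge"):
            return "browser-update.msi"             # DLL trojanised with DOILoader
        if plat == "android":
            return "browser-update.apk"             # Marcher banking trojan
        if plat == "macos" and browser in ("chrome", "safari"):
            return f"{browser}-update.dmg"          # FrigidStealer, variant per browser
    return None                                     # untargeted: serve the clean page


# Constructed analyst profiles; the last one is what a bare fetch tool looks like.
PROFILES = [
    Visitor("US", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0 Safari/537.36"),
    Visitor("GB", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0 Safari/537.36 Edg/122.0"),
    Visitor("FR", "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0 Mobile Safari/537.36"),
    Visitor("FR", "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 Safari/605.1.15"),
    Visitor("DE", "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 Safari/605.1.15"),
    Visitor("GB", "curl/8.4.0"),
]


def replay(profiles):
    """Map (country, platform, browser) to the payload that profile would receive."""
    return {
        (v.country, platform_of(v.user_agent), browser_of(v.user_agent)): select_payload(v)
        for v in profiles
    }


if __name__ == "__main__":
    for key, payload in replay(PROFILES).items():
        print(key, "->", payload)
```

The practical lesson is in the two `None` rows: replaying a suspicious URL from one profile proves nothing, so a triage workflow should fetch it under each targeted country and user agent (or from the victim's own egress) before declaring the page clean.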

“Upon execution, FrigidStealer uses Apple script files and osascript to prompt the user to enter their password, and then to gather data including browser cookies, files with extensions relevant to password material or cryptocurrency from the victim’s Desktop and Documents folders, and any Apple Notes the user has created.”
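The quoted behaviour gives a defender two observable events that rarely coincide in a legitimate process: a child `osascript` that runs `display dialog ... with hidden answer` (the standard AppleScript way to draw a password box), and reads of browser cookie stores, the Notes database and secret-looking files under Desktop and Documents. The following is an added detection example, not Proofpoint's or the malware's code, that correlates the two over endpoint telemetry. The event records are constructed to resemble process-execution and file-open telemetry from an EDR or Endpoint Security client; the field names, the binary name in the sample and the extension list are assumptions.

```python
"""Correlate an AppleScript password prompt with reads of credential stores.

Added hunting example. Event schema ("exec" / "file_open" JSON lines with
pid, ppid, image, cmdline, path) and the sample records are constructed.
"""
import json
import re
from pathlib import PurePosixPath

# AppleScript password lure: display dialog ... default answer "" with hidden answer
HIDDEN_ANSWER = re.compile(r"display\s+dialog.*with\s+hidden\s+answer", re.I | re.S)

# Stores named in the description: browser cookies and the Apple Notes database.
SENSITIVE_PATHS = (
    "Library/Application Support/Google/Chrome/Default/Cookies",
    "Library/Cookies/Cookies.binarycookies",
    "Library/Group Containers/group.com.apple.notes/NoteStore.sqlite",
)
SENSITIVE_DIRS = ("Desktop", "Documents")
# Assumed approximation of "extensions relevant to password material or cryptocurrency".
SENSITIVE_EXT = {".txt", ".pdf", ".kdbx", ".wallet", ".dat", ".json"}

# Constructed telemetry: pid 4021 is the stealer, pid 5000 is a legitimate browser.
EVENTS = r"""
{"ts":"2025-02-18T10:01:02Z","type":"exec","pid":4021,"ppid":1,"image":"/Volumes/Update/Updater.app/Contents/MacOS/Updater","cmdline":"/Volumes/Update/Updater.app/Contents/MacOS/Updater"}
{"ts":"2025-02-18T10:01:03Z","type":"exec","pid":4022,"ppid":4021,"image":"/usr/bin/osascript","cmdline":"osascript -e 'display dialog \"macOS needs your password to install the update\" default answer \"\" with hidden answer'"}
{"ts":"2025-02-18T10:01:09Z","type":"file_open","pid":4021,"path":"/Users/alice/Library/Cookies/Cookies.binarycookies"}
{"ts":"2025-02-18T10:01:09Z","type":"file_open","pid":4021,"path":"/Users/alice/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite"}
{"ts":"2025-02-18T10:01:10Z","type":"file_open","pid":4021,"path":"/Users/alice/Documents/seed-phrase.txt"}
{"ts":"2025-02-18T10:02:00Z","type":"exec","pid":5100,"ppid":5000,"image":"/usr/bin/osascript","cmdline":"osascript -e 'display notification \"Build finished\"'"}
{"ts":"2025-02-18T10:02:01Z","type":"file_open","pid":5000,"path":"/Users/alice/Library/Cookies/Cookies.binarycookies"}
"""


def load_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_sensitive(path: str) -> bool:
    """True for credential/notes stores or secret-looking files in Desktop/Documents."""
    if any(path.endswith(s) for s in SENSITIVE_PATHS):
        return True
    p = PurePosixPath(path)
    parts = p.parts  # ('/', 'Users', '<user>', 'Documents', 'file.ext')
    return (
        len(parts) >= 5
        and parts[1] == "Users"
        and parts[3] in SENSITIVE_DIRS
        and p.suffix.lower() in SENSITIVE_EXT
    )


def find_credential_theft(events: list[dict]) -> dict[int, dict]:
    """Return {pid: {"prompt": cmdline, "reads": [paths]}} for processes that both
    spawned a hidden-answer osascript dialog and read sensitive stores."""
    prompts: dict[int, str] = {}        # parent pid -> prompting osascript cmdline
    reads: dict[int, list[str]] = {}    # pid -> sensitive paths opened
    for ev in events:
        if ev["type"] == "exec" and PurePosixPath(ev["image"]).name == "osascript":
            if HIDDEN_ANSWER.search(ev.get("cmdline", "")):
                prompts[ev["ppid"]] = ev["cmdline"]
        elif ev["type"] == "file_open" and is_sensitive(ev["path"]):
            reads.setdefault(ev["pid"], []).append(ev["path"])
    # Requiring both signals keeps a browser reading its own cookie jar out of the alert.
    return {pid: {"prompt": prompts[pid], "reads": reads[pid]} for pid in prompts.keys() & reads.keys()}


if __name__ == "__main__":
    for pid, finding in find_credential_theft(load_events(EVENTS)).items():
        print(f"pid {pid}: password prompt + {len(finding['reads'])} sensitive reads")
        for path in finding["reads"]:
            print("   ", path)
```

Either signal on its own is noisy (Safari reads `Cookies.binarycookies` constantly, and installers legitimately ask for a password via `osascript`), which is why the rule keys both on the parent of the prompting `osascript` and on the file reads by that same parent; on a real EDR the join would also use process start time and the signing identity of the parent image.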
According to Proofpoint, the executable was built with the Wails (WailsIO) project, a Go framework that renders a web front end inside a native window, so the prompts look like ordinary browser content and add to the social engineering of the victim.
The researchers note that this activity can be hard to detect and prevent because the injected script, the TDS redirection and the payload are each easy to miss in isolation.
Companies are advised to have network detections in place, use endpoint protection, and restrict Windows users from downloading script files, configuring such files to open in a text editor rather than execute.