MetaStealer malware targets macOS users in a new campaign

October 11, 2023

The recently discovered MetaStealer malware is being used in an ongoing campaign that targets macOS users, posing a serious threat to sensitive data. The malware is written in the Go programming language and designed to extract valuable information from its victims.

The malware operators primarily target macOS users in business settings through social engineering. The operation tricks its targets into executing harmful payloads by posing as design clients sending work files.

These deceptive lures frequently come packaged as malicious app bundles in disk image format, portraying names such as “Brief_Presentation-Task_Overview-(SOW)-PlayersClub,” “AnimatedPoster,” “CONCEPT A3 full menu with dishes and translations to English,” and “Advertising terms of reference (MacOS presentation).”

In one instance, the attackers disseminated the malware via a disk image file titled ‘Conract for payment & confidentiality agreement Lucasprod.’ Additionally, the miscreants employed well-known software names like Adobe to bait victims into downloading the malware.


The MetaStealer malware has an obfuscation tactic to avoid threat analysis.


The main component of the MetaStealer malware is a Mach-O file compiled for Intel x86 processors. The file is a compiled Go binary, which the developers intentionally obfuscated to hinder analysis.

Specifically, the threat actors removed the Go Build ID and obscured the malware’s function names. This obfuscation technique is also seen in malware strains such as Sliver and Poseidon. Furthermore, several MetaStealer variants evade Apple’s built-in antivirus technology, XProtect.
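As an added defender-side example (not code from the article or from the malware), the following Python triage helper flags a Mach-O image that carries the markers the Go linker writes into every binary but lacks a Go Build ID, the combination described above. The sample byte strings are constructed stand-ins, not real samples; the marker byte patterns are those the Go toolchain embeds.

```python
import re

# Mach-O magic numbers (thin 32/64-bit in both byte orders, plus fat/universal)
MACHO_MAGICS = (b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xfe\xed\xfa\xce", b"\xca\xfe\xba\xbe")
# Markers the Go linker writes into every binary: the build-info blob header that
# `go version -m` reads, and the Build ID record that `go tool buildid` reads.
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"
GO_BUILD_ID_RE = re.compile(re.escape(b'\xff Go build ID: "') + rb'([^"\n]+)'
                            + re.escape(b'"\n \xff'))
# Runtime symbol names that survive even when user-level function names are mangled
GO_RUNTIME_HINTS = (b"runtime.main", b"runtime.gopanic", b"runtime.morestack")

def triage(blob: bytes) -> dict:
    """Classify a file image: Mach-O or not, Go-built or not, Build ID present or not."""
    is_macho = blob[:4] in MACHO_MAGICS
    looks_go = GO_BUILDINFO_MAGIC in blob or any(h in blob for h in GO_RUNTIME_HINTS)
    m = GO_BUILD_ID_RE.search(blob)
    build_id = m.group(1).decode("ascii", "replace") if m else None
    if not is_macho:
        verdict = "not-macho"
    elif not looks_go:
        verdict = "not-go"
    elif build_id is None:
        # A Build ID can also be dropped legitimately (-ldflags=-buildid=), so this is a
        # triage flag that warrants a closer look, not proof of malice.
        verdict = "suspicious: Go Mach-O with stripped Build ID"
    else:
        verdict = "ok: Go Mach-O with Build ID"
    return {"is_macho": is_macho, "looks_go": looks_go, "build_id": build_id, "verdict": verdict}

# Constructed stand-ins for file contents (not real samples): a Mach-O header followed by
# the byte patterns a Go binary would carry. Real files would be read with open(path, "rb").
SAMPLE_NORMAL = (b"\xcf\xfa\xed\xfe" + b"\x00" * 28
                 + b'\xff Go build ID: "abcd/efgh/ijkl/mnop"\n \xff' + b"\x00" * 8
                 + GO_BUILDINFO_MAGIC + b"\x00" * 16 + b"runtime.main")
SAMPLE_STRIPPED = (b"\xcf\xfa\xed\xfe" + b"\x00" * 28
                   + GO_BUILDINFO_MAGIC + b"\x00" * 16 + b"runtime.main")
SAMPLE_NOT_GO = b"\xcf\xfa\xed\xfe" + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in (("normal", SAMPLE_NORMAL), ("stripped", SAMPLE_STRIPPED),
                       ("not_go", SAMPLE_NOT_GO)):
        print(f"{name}: {triage(blob)['verdict']}")
```

The same scan works on a whole disk image's extracted app bundle by reading each Mach-O under Contents/MacOS and running it through triage().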

In similar news, a new version of Atomic Stealer has surfaced and poses as a fake TradingView app to target macOS users. On the other hand, some MetaStealer variants have also impersonated the TradingView application.

MetaStealer and Atomic Stealer are both information stealers. Both are written in the Go programming language, and both use osascript to display fake error messages when executed. However, the two strains show no connection: their actual code bears little resemblance, and their network infrastructure and distribution methods differ significantly.

Apple’s XProtect update v2170 detects only some versions of MetaStealer. Organisations should take proactive measures against the other variants by monitoring for the indicators associated with the malware and adopting robust security solutions.
