Tuesday, July 9, 2024

Mac App Impersonation

Jérôme Segura (via Ric Ford):

On June 24, we observed a new campaign distributing a stealer targeting Mac users via malicious Google ads for the Arc browser. This is the second time in the past couple of months where we see Arc being used as a lure, certainly a sign of its popularity. It was previously used to drop a Windows RAT, also via Google ads.

The macOS stealer being dropped in this latest campaign is actively being developed as an Atomic Stealer competitor, with a large part of its code base being the same as its predecessor. Malwarebytes was previously tracking this payload as OSX.RodStealer, in reference to its author, Rodrigo4. The threat actor rebranded the new project ‘Poseidon’ and added a few new features such as looting VPN configurations.

Kseniia Yamburh (via Ric Ford):

As malware researchers in Moonlock, the cybersecurity division of MacPaw, we are always on the lookout for new samples to analyze and protect our users from. One day, we came across a sample with the name CleanMyMac, which caught our attention. However, this sample was not the genuine CleanMyMac, but a malicious impersonation.

We decided to investigate this campaign further and uncovered many more samples with different malware inside, such as Atomic Stealer, PSW Stealer, and AdLoad Adware. These malware can steal users’ passwords and personal data and display unwanted ads on their Macs.

Howard Oakley:

There is a problem common to all products that try to detect malicious software, in false positives. Over the 20 months or so since XProtect Remediator went live, several of its scanning modules have reported what appear to be false positives.


To our disappointment, Apple Support didn’t appear concerned, and told them that such events don’t get reported to the user unless there’s something that the user needs to do. They were then pointed at a discussion on Apple Support Communities, where the “Best reply” may be familiar to some of you.


This immediately reveals that the respondent is unable to draw the distinction between ‘classic’ XProtect, the part of Gatekeeper that performs checks on executable code before it’s run, and the newer XProtect Remediator, which scans for telltale signs of malicious software when your Mac isn’t in use.


Update (2024-07-19): Jérôme Segura:

We were able to reliably search for and see the same malicious ad for Microsoft Teams which was likely paid for by a compromised Google ad account.


Once the downloaded file MicrosoftTeams_v.(xx).dmg is mounted, users are instructed to open it via a right click in order to bypass Apple’s built-in protection mechanism for unsigned installers.

Google search is unlikely to take you to a fake app because popular apps have good PageRanks; just don’t click on an ad.

Comments RSS · Twitter · Mastodon

Leave a Comment