New Mac malware targets users with legit-looking ads, meeting links

Macworld

Jamf Threat Labs has published a new report on infostealer malware that targets macOS users. The report details two malware attacks; the first is a new implementation of the Atomic Stealer malware, while the second involves an attack in an online communications tool. Both attacks steal a user’s sensitive information, such as account usernames and passwords, and data from crypto wallets.

Update 4/1/24 at 11 a.m. PT: Jamf responded to our inquiry about the Meethub app in the App Store: “We don’t currently have any reason to believe the Meethub apps on Google Play and the Apple App Store are malicious.” The Meethub section of this article has been updated.

Atomic Stealer and Arc browser-sponsored ads

Atomic Stealer was first reported about a year ago, distributed through unsigned disk image files (.dmg) when a user downloads an app. Jamf Threat Labs reports that Atomic Stealer is now being distributed through a sponsored link on Google when searching for “Arc Browser.” Arc Browser is a legitimate free browser by The Browser Company whose website is located at arc.net.

However, the sponsored ad that a Google user may see takes the user to aricl or airci dot net instead of the Arc Browser’s actual website. If the user proceeds to download what they think is the browser installer, they are instructed to run the installer by Control-clicking the icon and selecting Open–this is macOS’s way to bypass Gatekeeper, which usually provides a warning of possible malicious software and instances of unsigned installers, stops the installation.

After Atomic Stealer is installed, a prompt appears that says that System Settings needs to be updated for the app–which the user thinks is Arc browser–to run. The user is asked to enter the account password, allowing the malware to access Keychain’s data, which is sent to the attacker’s server.

As of this writing, it appears that the malicious websites have been reported to the hosting service and have been taken down. Going to aricl or airci dot net results in a webpage with the logo for FastPanel, a server management tool provided by web hosting services. It’s not known if Google has halted distribution of the malicious ad.

Meethub malware

Jamf Threat Labs also reports on an attack involving online meeting software on meethub dot gg. An attacker reaches out to a target and requests to use Meethub, which the user downloads. As with the Atomic Stealer Arc download, the user is instructed to use Control-click > Open to install the software and bypass Gatekeeper.

‼️Meethub is a SCAM. Please report!!Scammers will DM you and ask you for an interview or a podcast and they will request you to do it though meethub gg. DO NOT DOWNLOAD ANYTHING FROM MEETHUB OR YOUR ASSET WILL BE GONE.BLOCK AND REPORT PLEASETELL YOUR FRIENDS(The scammer… pic.twitter.com/1nQ8DLmdrN— Nat.pudgy (@NatChittamai) February 28, 2024

After installation, the user is asked to enter their account password, which allows the malware to access Keychain and crypto wallet data. The data is then sent to the attacker’s server.

Jamf’s report on Meethub involves software downloaded from the web, but there is a Meethub app in the App Store that runs on iPhones and M-series Macs (and a Meethub app is in the Google Play store). In a response to Macworld’s inquiry on this, Jamf replied, “We don’t currently have any reason to believe the Meethub apps on Google Play and the Apple App Store are malicious.”

How to avoid the new infostealer attacks

Apple’s Gatekeeper functionality prevents users from running unsigned software installers. When a user double-clicks an installer, Gatekeeper checks for the certificate issued by Apple to developers; the certificate tells Apple who the developer is and if it’s blacklisted, and if the software has been tampered with since leaving the developer for distribution. Users can bypass Gatekeeper warnings by Control-clicking an installer and selecting Open from the pop-up menu–if this method is required by the software developer, it’s a red flag.

Apple releases security patches through OS updates, so installing them as soon as possible is important. And as always, when downloading software, get it from trusted sources, such as the App Store (which makes security checks of its software) or directly from the developer. Macworld has several guides to help, including a guide on whether or not you need antivirus software, a list of Mac viruses, malware, and trojans, and a comparison of Mac security software.

MacOS