FrigidStealer Malware Targeting macOS

FrigidStealer is a newly identified macOS malware that targets users through fake browser updates. This sophisticated malware campaign is attributed to the threat actor TA2727 and leverages advanced techniques to steal sensitive information from macOS systems.

Emergence and Tactics

Target Audience

  • Primary Targets: The campaign primarily targets macOS users, particularly those residing outside of North America. The geographical focus suggests a strategic approach by the attackers to exploit specific regions.

Phishing Techniques

  • Fake Browser Updates: Attackers use compromised websites to present fake browser update prompts to visitors. These prompts mimic legitimate updates for popular browsers like Google Chrome and Safari.
  • Malicious DMG Files: When users click the “Update” button, they unknowingly download a malicious DMG file. This file contains the FrigidStealer malware, which is designed to bypass macOS Gatekeeper protections.

Infection Chain

Initial Infection

  • Compromised Websites: The attack chain begins when a user visits a compromised website. The Traffic Distribution System (TDS) operated by TA2726 redirects the user to a malicious domain controlled by TA2727.
  • Fake Update Prompts: Depending on the user’s device and browser, they receive tailored fake update prompts. For macOS users, the malware appears as a legitimate browser update.

Installation Process

  • Bypassing Gatekeeper: The installation process prompts the user to bypass macOS Gatekeeper security by manually launching the unsigned app.
  • Mach-O Executable: FrigidStealer runs a Mach-O executable built with the WailsIO framework, making the fake installer appear authentic. The executable is written in Go and ad-hoc signed to evade detection.

Keylogger Functionality

Data Collection

  • AppleScript and osascript: FrigidStealer employs AppleScript and osascript to prompt the user to enter their system password, thereby gaining elevated privileges.
  • Sensitive Data Harvesting: The malware collects sensitive data, including browser cookies, cryptocurrency-related files, and Apple Notes. While locked notes in Apple Notes are end-to-end encrypted, any unlocked notes or those stored as plain files in the Desktop or Documents folders are vulnerable.

Data Exfiltration

Exfiltration Channels

  • Command-and-Control Server: The stolen data is exfiltrated to a command-and-control server at askforupdate[.]org. This server receives the harvested information, allowing the attackers to access and exploit the stolen data.

Indicators of Compromise (IoCs)

  • Suspicious Update Prompts: Be wary of unexpected software update prompts, especially if they appear while browsing the web.
  • Unusual Network Traffic: Monitor for unusual network traffic involving communication with the command-and-control server.
  • Executable Presence: Look out for the malicious DMG file, the unsigned app it delivers, and the scripts associated with FrigidStealer.
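A defender-side triage script for the indicators above, written as an added example for this page rather than taken from the original post or the reporting it summarises. It reads constructed log lines embedded in the script (the log format is invented) and flags DNS lookups of the C2 domain, an osascript password prompt (assuming the AppleScript `display dialog ... with hidden answer` form, which the page does not specify) and execution of an app from a mounted disk image.

```python
import re

# Defanged on the page as askforupdate[.]org; re-fanged here only for matching.
C2_DOMAINS = ("askforupdate.org",)

# Assumed prompt form: the page says the malware uses osascript to ask for the
# system password but does not give the script text, so the AppleScript
# "display dialog ... with hidden answer" idiom is an assumption.
PASSWORD_PROMPT_RE = re.compile(r"osascript.*display dialog.*hidden answer", re.I)

# App launched from a mounted disk image, the delivery vehicle for the fake update.
DMG_APP_RE = re.compile(r"exec\s+(/Volumes/[^ ]+\.app/Contents/MacOS/\S+)")

# Field carrying the looked-up name in the constructed DNS log lines.
DNS_QUERY_RE = re.compile(r"\bquery=([\w.-]+)")

# Constructed sample log (invented format): one benign lookup, then the chain
# described on the page, then another benign lookup.
SAMPLE_LOG = """\
2025-02-20T10:01:02 dns query=www.apple.com type=A
2025-02-20T10:02:15 exec /Volumes/SafariUpdate/Safari.app/Contents/MacOS/Safari pid=4711
2025-02-20T10:02:16 exec /usr/bin/osascript -e 'display dialog "Safari needs your password" default answer "" with hidden answer' ppid=4711
2025-02-20T10:02:40 dns query=askforupdate.org type=A
2025-02-20T10:02:41 dns query=cdn.askforupdate.org type=A
2025-02-20T10:03:00 dns query=updates.mozilla.org type=A
"""


def is_c2_domain(name):
    """True for the C2 domain itself or any subdomain of it."""
    d = name.lower().rstrip(".")
    return any(d == c2 or d.endswith("." + c2) for c2 in C2_DOMAINS)


def triage(lines):
    """Return (line_no, rule, evidence) for each line that matches an indicator."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = DNS_QUERY_RE.search(line)
        if m and is_c2_domain(m.group(1)):
            hits.append((no, "c2-dns", m.group(1)))
        if PASSWORD_PROMPT_RE.search(line):
            hits.append((no, "osascript-password-prompt", line.split(" ", 1)[1]))
        m = DMG_APP_RE.search(line)
        if m:
            hits.append((no, "exec-from-dmg", m.group(1)))
    return hits
```

Running `triage(SAMPLE_LOG.splitlines())` yields one hit per stage of the chain: the app started from the mounted image, the password prompt, and the two lookups of the C2 domain.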

Mitigation Measures

Immediate Actions

  • User Awareness and Training: Educate users about the dangers of fake update scams and the importance of verifying the authenticity of software updates.
  • Email Filtering: Implement advanced email filtering solutions to detect and block phishing emails with malicious attachments.
  • Antivirus and Endpoint Protection: Ensure that antivirus and endpoint protection solutions are up-to-date and capable of detecting and blocking malicious documents and executables.

Final Thoughts

The FrigidStealer malware campaign highlights the evolving tactics of cybercriminals and the increasing sophistication of phishing schemes. By leveraging fake browser updates and advanced evasion techniques, attackers have successfully deployed a persistent keylogger that captures sensitive information from macOS systems and exfiltrates it to remote servers. It is crucial for individuals and organizations to remain vigilant and implement robust cybersecurity measures to protect against such threats.
