A recently discovered information-stealing malware called MetaStealer is targeting Apple macOS, joining the growing list of stealer families focused on this operating system.
According to Phil Stokes, a security researcher at SentinelOne, threat actors behind MetaStealer are actively targeting macOS-based businesses by posing as fake clients, engaging victims to execute malicious payloads. This malware is distributed in the form of rogue application bundles in DMG format, often shared through ZIP archives.
Evidence suggests that MetaStealer emerged in March 2023, with the most recent sample surfacing on August 27, 2023. What sets MetaStealer apart is its specific focus on business users, an unusual approach for macOS malware, which is typically distributed through torrent sites or suspicious third-party software distributors. The payload includes an obfuscated Go-based executable with the ability to harvest data from iCloud Keychain, saved passwords, and files on compromised systems.
Additionally, certain variants of MetaStealer appear to target popular messaging platforms like Telegram and Meta (formerly Facebook).There are two possibilities regarding the origins of this malware: either the same authors are behind multiple stealer families, adopted by different threat actors due to varying delivery methods, or different actor groups are responsible.
This trend of macOS infostealers reflects an increasing focus on targeting Mac users, with MetaStealer standing out for its clear targeting of business users and its objective of extracting valuable data like keychain information. This stolen high-value data can be leveraged for further cybercriminal activities or to gain access to larger business networks, making MetaStealer a concerning addition to the macOS malware landscape.
