
A virus spreads to Mac: beware of false updates of Chrome and Safari

A new piece of malware is attacking the Mac. Called FrigidStealer, it has just been identified by cybersecurity researchers at ProofPoint. It is programmed to steal sensitive information from infected computers, with the sole aim of making money.

A fake update traps Mac owners

To trap macOS users, the attackers rely on a very common tactic: the fake update. A pop-up window urges the target to install the latest update for their browser. This fake update actually hides the FrigidStealer malware, and if the user clicks on Update, they open the door of their computer to it. The attack in fact takes place in several stages.

First, the hackers compromise websites by injecting malicious JavaScript code into the site's HTML. Once compromised, the site displays false notifications indicating that it is urgent to install the latest update of the web browser. The alert appears to come from Google Chrome or Safari, depending on the victim's browser.

Next, the fake update downloads a DMG file to the machine. The victim has to click on this file, presented as the update, for the DMG to deploy. Users must open it manually by right-clicking on the file and choosing “Open”. They then have to enter their password to bypass Gatekeeper, the mechanism that protects users against malware and unsecured applications: before installation, Gatekeeper checks whether the application comes from a trusted source and a developer recognized by Apple.

To choose their victims, the cybercriminals use a TDS (Traffic Distribution System), a tool that redirects Internet traffic based on specific criteria such as geographic location, device type, or user behavior. Based on this information, the hackers discard certain targets and prioritize others. It is mainly the operating system and the browser that determine whether the Internet user sees the malicious window.
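For site operators, one defensive check against the injection step described above: an added example (not from the article or from ProofPoint's research) that compares the script tags in a page against a copy of that page known to be clean and reports any that are new, whether an extra external loader or an altered inline script. The sample HTML and the `cdn.example.invalid` host are constructed.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external = []  # values of <script src="...">
        self.inline = []    # sha256 of each inline <script> body
        self._buf = None    # body of the inline script currently being read

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src.strip())
        else:
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data, possibly in chunks.
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline.append(hashlib.sha256(body).hexdigest())
            self._buf = None


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return set(parser.external), set(parser.inline)


def find_unexpected_scripts(html, clean_html):
    """Scripts present in html but absent from a copy of the page known to be clean."""
    allowed_src, allowed_inline = collect_scripts(clean_html)
    external, inline = collect_scripts(html)
    return sorted(external - allowed_src), sorted(inline - allowed_inline)


# Constructed sample pages (not real sites): the "tampered" copy is the clean page
# plus one injected loader tag of the kind used to serve a fake-update prompt.
CLEAN_PAGE = """<html><head><script src="/static/app.js"></script>
<script>window.cfg = {lang: "fr"};</script></head><body>Bonjour</body></html>"""
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</head>", '<script src="https://cdn.example.invalid/update.js"></script></head>')

if __name__ == "__main__":
    print(find_unexpected_scripts(TAMPERED_PAGE, CLEAN_PAGE))
```

Run it periodically against a stored clean copy of each page; an unexpected external source or a changed inline hash is the signal to inspect the server.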

A crypto thief

Once deployed, FrigidStealer retrieves cookies, login credentials, and password files saved in Safari or Chrome. It then looks for information that can be used to rob cryptocurrency holders, such as private keys, with which the entire contents of a wallet can be drained on the blockchain. The malware scans all of the computer's folders, the Notes app, text files, and spreadsheets in the hope of finding such keys. The stolen data is then exfiltrated.

Two gangs behind the attack

Behind this cyberattack are two hacker gangs, TA2726 and TA2727. The two groups have pooled their resources as part of the operation. The first gang is responsible for injecting malicious code into websites, while the second focuses on developing the FrigidStealer virus.

Researchers have noticed that both gangs also target Windows computers and Android smartphones. In those cases, they rely on widely distributed malware such as Lumma Stealer, DeerStealer, or Marcher, a banking Trojan. The campaign is active in several countries, including France. We therefore recommend that you remain cautious and be wary of pop-ups that appear on the web.

Source: ProofPoint