macOS MetaStealer attacks take aim at business Mac users

Article hero image

Malware attacks against MacOS continue to be a problem because the main reason the attacks are successful is by forcing users to open executable files. In a report on a family of macOS “infostealers” called “MetaStealers,” security researchers explain how it works by tricking users into opening disk images.

According to SentinelOne’s Phil Stokes: MetaStealer Attacker Are Target companies Running macOS systems. By pretending to be fake clients, victims are socially tricked into running the malicious payloads on their computers Mac.

Many samples provided to SentinelOne show that the disk image file containing the payload was often given names that might be of interest to business users. This ranges from names for presentations to a “Concept A3 full menu with dishes and translations into English” to a “Payment agreement and confidentiality agreement Lucasprod”. [sic]right down to the names of installers for Adobe products such as Photoshop.

Direct targeting of business users is believed to be unusual for malware users as it is typically distributed in large quantities, for example via fake torrents.

The effort to achieve an installation is also made more difficult for hackers in a number of ways. Because the disk image contains the bare minimum content that exists beyond the payload, the file also typically does not contain an Apple developer ID string and does not use code signing or ad hoc signing at all.

This creates additional obstacles, namely that attackers must somehow convince the potential victim to override Gatekeeper and OCSP. All samples collected are Intel x86_64 binaries with a single architecture. So while they could be used directly on Intel Macs, they would need to use Rosetta to run Apple Silicon Macs.

While users should be vigilant and careful when opening questionable files sent by others or downloaded from unofficial sources, Apple has already put some protections in place. As part of the XProtect x2170 update, Apple is adding a detection signature that affects some versions of MetaStealer.

SentinelOne has also published a list of indicators of compromise intended for use by enterprise IT and security teams (see below).

• AdobeOfficialBriefDescription.dmg 00b92534af61a61923210bfc688c1b2a4fecb1bb
• Adobe Photoshop 2023 (with AI) installer.dmg 51e8eaf98b77105b448f4a0649d8f7c98ac8fc66
• Description of services for advertising (MacOS presentation).dmg 4da5241119bf64d9a7ffc2710b3607817c8df2f
• AnimatedPoster.dmg c2cd344fbcd2d356ab8231d4c0a994df20760e3e
• CardGame.dmg 5ba3181df053e35011e9ebcc5330034e9e895bfe
• Payment contract and confidentiality agreement Lucasprod.dmg dec16514cd256613128b93d340467117faca1534
• FreyaVR 1.6.102.dmg d3fd59bd92ac03bccc11919d25d6bbfc85b440d3
• Matrix.dmg 3033c05eec7c7b98d175df2badd3378e5233b5a2
• OfficialBriefDescription.app.zip 345d6077bfb9c55e3d89b32c16e409c508626986
• P7yersOfficialBriefDescription 1.0.dmg 35bfdb4ad20908ac85d00dcd7389a820f460db51
• PDF.app.zip aa40f3f71039096830f2931ac5df2724b2c628ab
• TradingView.dmg e49c078b3c3f696d004f1a85d731cb9ef8c662f1
• YoungClass short presentation Mac 20OS.zip 3161e6c88a4da5e09193b7aac9aa211a032526b9
• YoungSUG(Cover references, tasks, logos, short description)\YoungSUG_Official_Brief_Description_LucasProd.dmg 61c3f2f3a7521920ce2db9c9de31d7ce1df9dd44

• 13[.]114,196[.]60
• 13[.]125.88[.]10

• api.osx-mac[.]com
• builder.osx-mac[.]com
• db.osx-mac[.]com

• Bourigaultn Nathan (U5F3ZXR58U)

• 0edd4b81fa931604040d4c13f9571e01618a4c9c
• 13249e30a9918168e79cdb0f097e4b34fbbd891f
• 13bcebdb4721746671e0cbffbeed1d6d92a0cf6c
• 1424f9245a3325c513a09231168d548337ffd698
• 148bc97ff873276666e0c114d22011ec042fb9b9
• 15c377eb5a69f93fa833e845d793691a623f928c
• 166ff1cd47a45e47721bb497b83cc84d8269b308
• 1b3ce71fa42f4c0c16af1b8436fa43ac57d74ce9
• 1cc66e194401f2164ff1cbc8c07121475a570d9f
• 1df31db0f3e5c381ad73488b4b5ac5552326baac
• 1df8ff1fe464a0d9baaeead3c7158563a60199d4
• 1e5319969d6a53efc0ec1345414c62c810f95fce
• 291011119bc2a777b33cc2b8de3d1509ed31b3da
• 2c567a37c49af5bce4a236be5e060c33835132cf
• 33a5043f8894a8525eeb2ba5d80aef80b2a85be8
• 34c7977e20acc8e64139087bd16f0b0a881b044f
• 3589dd0d01527ca4e8a2ec55159649083b0c50a8
• 35c3b735949151aae28ebf16d24fb32c8bcd7e6b
• 35e14d8375f625b04be43019ccb8be57656b15cf
• 394501f410bd9cb4f4432a32b17348cdde3d4157
• 47620d2242dfaf14b7766562e812b7778a342a48
• 57c2302c30955527293ed90bfaf627a4132386fb
• 65de53298958b4f137c4bd64f31f550dd2199c36
• 70625f621f91fd6b1a433a52e57474316e0df662
• 78e8f9a93b56adc8e030403ba5f10f527941f6ae
• 80c83e659c63c963f55c8add4bf62f9bec73d44e
• 816fdf1fd9cf9aff2121d1b59c9cca38b5e4eb9d
• 86eb7c6a4d4bec5abeb6b44e0506ab0d5a96235d
• 8dfeda030bd3b38592b29d633c40e041d5f3331d
• 8ec57c1b1b5409cadb99b050c3c41460d4c7fea8
• 8f211c0ef570382685d024cc8e6e8acd4a137545
• 90d7f8acf3524fcb58c7d7874a5b6e8194689b1a
• 92b178817a6c9ad22f10b52e9a35a925a3dc751b
• a54c9906d41b04b9daf89c2e6eb4fdd54d0eae39
• a8724eb5f9f8f4607b384154f0c398fce207259e
• b51d7482d38dd19b2cb1cd303e39f8bddf5452ac
• bd6b87c6f4f256fb2553627003e8bce58689d1d8
• bdd4ce8c2622ddcf0888e05690c8b3d1a8c83dae
• be1ac5ed5dfd295be15ba5ed9fbb69f10c8ec872
• c37751372bb6c970ab5c447a1043c58ce49e10a5
• c4d9272ef906c7bf4ccc2a11a7107d6b7071537b
• c5429b9b4d1a8e147f5918667732049f3bd55676
• caf4fb1077cea9d75c8ae9d88817e66c870383b5
• cf467ca23bdb81e008e7333456dfceb1e69e9b8a
• cfa56e10c8185792f8a9d1e6d9a7512177044a8b
• d7de135a03a2124c6e0dfa831476e4069ebfba24
• dbf0983b29a175ebbcf7132089e69b3999adeca7
• dfd5adb749cbc5608ca915afed826650fcb0ff05
• e5cfc40d04ea5b1dac2d67f8279c1fd5ecf053f6
• f6f09ecc920eb694ed91e4ec158a15f1fb09f5dd
• f93dd5e3504fe79f7fcd64b55145a6197c84caa2
• f97e22bad439d14c053966193fdfdec60b68b786
• fce7a0c00bfed23d6d70b57395e2ec072c456cba