A new information-stealing malware named MetaStealer has appeared in the wild, targeting macOS systems. This malicious software is built using the Go programming language and can steal a variety of sensitive data from victims. 

Distribution process

According to SentinelOne researchers, many samples of the malware are targeting macOS business users through social engineering tactics, where attackers pose as fake design clients and lure victims into executing malicious payloads. 
  • These lures are often in the form of malicious application bundles in disk image format (.dmg) with names such as Brief_Presentation-Task_Overview-(SOW)-PlayersClub, AnimatedPoster, CONCEPT A3 full menu with dishes and translations to English, and Advertising terms of reference (MacOS presentation).
  • In one case, a disk image file with the name ‘Conract for payment & confidentiality agreement Lucasprod’ was used to distribute a MetaStealer version.
  • Researchers also noticed several instances where attackers leveraged popular software names, such as Adobe, to trick victims into downloading the malware.

Malware specifics

  • The primary component in MetaStealer bundles is a Mach-O file that is written in Intel x86 assembly language. 
  • This file contains compiled Go source code that has been purposefully obfuscated and made difficult to understand. 
  • The Go Build ID has been removed, and the names of functions have been obscured. 
  • The obfuscation method used in this malware is similar to the techniques employed in other malware such as Sliver and Poseidon.
  • Moreover, researchers claim that several variants of MetaStealer malware are capable of evading Apple's built-in antivirus technology, XProtect.
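As an added illustration of the kind of triage a defender can run on a suspicious Mach-O like the one described above (example code, not SentinelOne's or Cyware's analysis tooling, and the sample bytes are constructed stand-ins, not MetaStealer), the script below checks a file for the Mach-O magic, then for well-known Go linker artifacts: the `Go build ID: "` string, the `\xff Go buildinf:` build-info header, the pclntab header magic (which survives function-name obfuscation) and `runtime.` symbol names. A binary that carries Go markers but no build ID string matches the "Build ID removed" pattern the researchers describe and is worth a closer look.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Mach-O and fat-binary magic numbers as they appear in the first four bytes of the file.
MACHO_MAGICS = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary",
}

# pclntab header magics from Go's debug/gosym package. On x86-64 they are stored
# little-endian and followed by two zero bytes, the instruction quantum and the pointer size.
PCLNTAB_MAGICS = {
    0xFFFFFFFB: "Go 1.2-1.15",
    0xFFFFFFFA: "Go 1.16-1.17",
    0xFFFFFFF0: "Go 1.18-1.19",
    0xFFFFFFF1: "Go 1.20+",
}

BUILD_ID_MARKER = b'Go build ID: "'     # written by the Go linker unless the build ID is stripped
BUILDINFO_MARKER = b"\xff Go buildinf:"  # header of the embedded runtime build info
RUNTIME_SYMBOL = b"runtime."              # function-name prefix normally present in pclntab


@dataclass
class Verdict:
    is_macho: bool
    macho_kind: str
    looks_like_go: bool
    pclntab_go_version: Optional[str]
    has_build_id: bool
    has_buildinfo: bool
    runtime_symbol_count: int

    @property
    def build_id_stripped(self) -> bool:
        """True when Go artifacts are present but the build ID string is not."""
        return self.looks_like_go and not self.has_build_id


def find_pclntab_version(data: bytes) -> Optional[str]:
    """Scan for a plausible pclntab header and return the Go version range it implies."""
    for magic, version in PCLNTAB_MAGICS.items():
        needle = struct.pack("<I", magic) + b"\x00\x00"
        start = 0
        while (idx := data.find(needle, start)) != -1:
            if idx + 8 <= len(data):
                quantum, ptrsize = data[idx + 6], data[idx + 7]
                if quantum in (1, 2, 4) and ptrsize in (4, 8):
                    return version
            start = idx + 1
    return None


def triage(data: bytes) -> Verdict:
    """Classify raw file bytes: Mach-O or not, Go-built or not, build ID present or not."""
    magic = data[:4]
    kind = MACHO_MAGICS.get(magic, "not a Mach-O")
    pcln = find_pclntab_version(data)
    has_build_id = BUILD_ID_MARKER in data
    has_buildinfo = BUILDINFO_MARKER in data
    runtime_count = data.count(RUNTIME_SYMBOL)
    # The pclntab header is the strongest signal because it survives symbol renaming;
    # the other markers are corroborating evidence.
    looks_like_go = pcln is not None or has_buildinfo or runtime_count >= 3
    return Verdict(magic in MACHO_MAGICS, kind, looks_like_go, pcln,
                   has_build_id, has_buildinfo, runtime_count)


def constructed_go_macho(with_build_id: bool) -> bytes:
    """Constructed stand-in for a Go-built x86-64 Mach-O: a real header magic plus Go
    markers scattered through filler bytes. It is not an executable and not a real sample."""
    parts = [b"\xcf\xfa\xed\xfe", b"\x00" * 28]
    if with_build_id:
        parts.append(b'\xff Go build ID: "EXAMPLE/PLACEHOLDER/BUILD/ID"\n \xff')
    parts.append(b"\x00" * 16)
    parts.append(struct.pack("<I", 0xFFFFFFF1) + b"\x00\x00\x01\x08")  # pclntab header, amd64
    parts.append(b"\x00" * 8)
    parts.append(b"runtime.main\x00runtime.gopanic\x00runtime.newobject\x00main.main\x00")
    parts.append(BUILDINFO_MARKER + b"\x08\x02" + b"\x00" * 14)
    return b"".join(parts)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:
        for label, sample in (("stripped", constructed_go_macho(False)),
                              ("intact", constructed_go_macho(True))):
            v = triage(sample)
            print(f"{label}: {v.macho_kind}, go={v.looks_like_go}, "
                  f"pclntab={v.pclntab_go_version}, build_id_stripped={v.build_id_stripped}")
```

Run it with a file path to triage a real binary, or without arguments to see the two constructed cases. The verdict is a triage hint only: legitimate builds made with the build ID stripped exist, and a packer or universal binary can hide the markers, so treat "build_id_stripped" as a reason to inspect further rather than as a conviction.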
 
Last week, a new version of Atomic Stealer was spotted using a fake TradingView application to target macOS users. Interestingly, some variants of MetaStealer are also pretending to be TradingView.

Is MetaStealer similar to Atomic Stealer?

  • Despite both being infostealers built with Go and using osascript to show error messages upon execution, there is not much similarity in the actual code used between MetaStealer and Atomic Stealer. 
  • Additionally, the network infrastructure and method of distributing MetaStealer campaigns differ significantly from what is observed in Atomic Stealer.

Conclusion

The appearance of yet another macOS infostealer highlights the rising trend towards targeting Mac users. While Apple’s XProtect update v2170 contains a detection signature for some versions of MetaStealer, organizations can take action against other variants by reviewing the indicators associated with the malware and deploying adequate security solutions.
Cyware Publisher