Patcay.com – Apple macOS users have become vulnerable targets for a barrage of dangerous malware masquerading as advertisements and fake websites.
It has been revealed that hackers have been spreading two different types of information-stealing malware, one of which is named Atomic Stealer.
On Monday (4/1/2024), it was reported that this campaign to steal personal data from macOS users employed new methods to infiltrate the victims’ Mac devices.
Notably, the malware operates silently, stealing personal data without the owner’s knowledge.
Threat Intelligence Team from Jamf disclosed that one series of attacks targets users searching for Arc Browser on the Google search engine.
Upon clicking, users are directed to a fake site (“airci[.]net”) that secretly embeds malware.
“Interestingly, this malicious site cannot be accessed directly due to an error,” security researchers Jaron Bradley, Ferdous Saljooki, and Maggie Zirnhelt revealed.
Only certain macOS users can access the site through special links. “A rather clever way to avoid detection.”
Once inside, users are prompted to download a fake disk image (“ArcSetup.dmg”) containing the Atomic Stealer malware.
Reportedly, this malware instructs users to enter their system password via fake commands.
Furthermore, researchers from Jamf also discovered a fake site named meethub[.]gg offering free group meeting scheduling software.
In reality, the software delivers another information-stealing malware capable of stealing key user data, credentials stored in web browsers, and information from cryptocurrency wallets.
Moreover, an unofficial website was found distributing trojanized versions of pirated applications that infected Apple macOS users with new Trojan-Proxy malware.
Security researchers from Kaspersky found that attackers could use this malware to establish proxy server networks or engage in criminal activities on behalf of victims.
These criminal activities vary, ranging from attacks on websites to purchasing weapons, drugs, and other illegal items.
On Monday (12/11/2023), it was found that this malware poses a cross-platform threat, with related tools discovered for Windows and Android connected to pirated applications.
The macOS variant spreads disguised as multimedia, image editing, data recovery, and productivity applications, targeting users who often seek pirated software.
Applications infected with the Trojan-Proxy malware are delivered as .PKG installers, which automatically run post-installation scripts once the package is installed.
The main goal of this attack is to launch the Trojan-Proxy disguised as the macOS WindowServer process in order to evade detection.
The Trojan-Proxy then connects to command-and-control (C2) servers and can act as a proxy through TCP or UDP to redirect traffic through infected devices.
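The WindowServer masquerade described above can be spotted from the defender's side by checking where a process of that name actually runs from. The following is an added example, not code from the article or from Jamf or Kaspersky; it assumes the genuine WindowServer binary lives in the SkyLight private framework and runs as the `_windowserver` user, and the `ps` lines it parses are constructed sample data.

```python
"""Flag processes masquerading as the macOS WindowServer (added example)."""
import re

# Assumption: path of the genuine WindowServer binary on current macOS.
LEGIT_WINDOWSERVER = (
    "/System/Library/PrivateFrameworks/SkyLight.framework/"
    "Versions/A/Resources/WindowServer"
)
# Assumption: the genuine WindowServer always runs as this system account.
LEGIT_USER = "_windowserver"

# Constructed sample of `ps -axo pid=,user=,comm=` output. The third line
# mimics the Trojan-Proxy technique: a binary named WindowServer running
# from a user-writable location under a login user.
SAMPLE_PS = """\
  184 _windowserver /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer
 4021 alice         /Applications/Safari.app/Contents/MacOS/Safari
 5130 alice         /Users/alice/Library/Application Support/.hidden/WindowServer
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_ps(text):
    """Turn ps output into (pid, user, path) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows


def suspicious_windowserver(rows):
    """Return WindowServer-named processes with the wrong path or user.

    Both checks matter: a copy placed elsewhere is an impostor, and the real
    one never runs as an ordinary login user.
    """
    hits = []
    for pid, user, path in rows:
        if path.rsplit("/", 1)[-1] != "WindowServer":
            continue
        if path != LEGIT_WINDOWSERVER or user != LEGIT_USER:
            hits.append((pid, user, path))
    return hits


if __name__ == "__main__":
    for pid, user, path in suspicious_windowserver(parse_ps(SAMPLE_PS)):
        print(f"ALERT pid={pid} user={user} path={path}")
```

On a live system, feed it the output of `ps -axo pid=,user=,comm=` instead of the constructed sample.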
To counter this threat, it is crucial for users to avoid downloading applications from unreliable sources. Awareness of the risks associated with pirated applications is also key to protecting oneself from such malware attacks.