TechRadar
Sead Fadilpašić

Microsoft warns infostealer malware is 'rapidly expanding beyond traditional Windows-focused campaigns' and targeting Mac devices

An image of macOS’s app switcher.

  • Microsoft warns macOS now faces a rapidly expanding malware and infostealer ecosystem
  • Threat actors use social engineering and malicious ads to deliver DMG installers with variants like DigitStealer, MacSync, and AMOS
  • Attackers target browser sessions, cloud tokens, and developer credentials, while abusing legitimate tools like WhatsApp and Google Ads for propagation

Gone are the days when Windows was always the number one target for cybercriminals - new research has found macOS is now an equally important target, with users facing a “rapidly expanding” ecosystem of malware, social engineering tactics, and legitimate but weaponized tools.

A Microsoft report found hackers are using social engineering techniques such as ClickFix (faking a problem and offering a “solution”) and malicious advertising campaigns to deliver disk image (DMG) installers.

These installers then drop all sorts of nasties, but a few malware variants stand out - DigitStealer, MacSync, and Atomic macOS Stealer (AMOS). Microsoft also said that cross-platform malware, such as malware written in Python, is accelerating infostealer activity, since it allows threat actors to quickly adapt across mixed environments.

Long-running aggregation effort

Most of the time, the crooks are interested in stealing sensitive data. However, that no longer means just passwords - it also includes browser sessions, keychains, cloud tokens, and developer credentials, since these secrets enable account takeovers, supply chain compromise, BEC and ransomware attacks and, in some cases, direct cryptocurrency theft.

Microsoft also observed the abuse of legitimate tools and services. For example, it has seen hackers compromising people’s WhatsApp accounts and then using them to propagate infostealers and other malware.

In other cases, Microsoft has seen malicious ad campaigns running on the Google Ads network, promoting a fake PDF editor that not only deploys an infostealer but also establishes persistence.

The company has also shared a long list of recommendations and mitigations that businesses should follow, including educating employees about phishing, monitoring for suspicious Terminal activity, and inspecting network egress for POST requests to newly registered or suspicious domains.

Also, businesses should turn on cloud-delivered protection in Defender, deploy cloud-based machine learning protections, run EDR in block mode, and more.
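One of the recommendations above, inspecting network egress for POST requests to newly registered or suspicious domains, is easy to turn into a first-pass detection rule. The script below is an added example written for this article, not code from Microsoft or TechRadar. It assumes a simple egress-proxy log format (timestamp, client IP, method, URL, status), uses a constructed table of domain registration dates in place of a real WHOIS/RDAP or threat-intelligence lookup, and uses a naive "last two labels" rule for the registrable domain where a real deployment would consult the public suffix list. All log lines, domains and dates are constructed for the example.

```python
import re
from datetime import date, timedelta
from urllib.parse import urlparse

# Constructed egress-proxy log lines (sample data for this example, not from the report).
# Assumed format: <timestamp> <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
2024-06-01T10:01:12Z 10.0.0.14 GET https://www.apple.com/macos/ 200
2024-06-01T10:02:45Z 10.0.0.14 POST https://pdf-editor-pro-download.example/api/upload 200
2024-06-01T10:03:01Z 10.0.0.22 POST https://login.microsoftonline.com/common/oauth2/v2.0/token 200
2024-06-01T10:04:30Z 10.0.0.31 POST https://sync-update-cdn.example/gate 200
2024-06-01T10:05:10Z 10.0.0.31 GET https://sync-update-cdn.example/favicon.ico 404
2024-06-01T10:06:00Z 10.0.0.40 POST https://telemetry.unknown-host.example/collect 200
"""

# Constructed registration dates standing in for a WHOIS/RDAP or threat-intel lookup.
# None of these dates are real; they exist only to drive the example.
REGISTRATION_DATES = {
    "apple.com": date(1990, 1, 1),
    "microsoftonline.com": date(2000, 1, 1),
    "pdf-editor-pro-download.example": date(2024, 5, 27),
    "sync-update-cdn.example": date(2024, 5, 30),
}

# Domains the organisation legitimately POSTs to; an assumption for the example.
EGRESS_ALLOWLIST = {"apple.com", "microsoftonline.com"}

# Anything registered within this window counts as "newly registered".
NEW_DOMAIN_WINDOW = timedelta(days=30)

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def registrable_domain(host):
    """Naive eTLD+1: keep the last two labels. A real deployment would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Parse one log line into a record, or return None if it does not match the assumed format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    host = urlparse(m["url"]).hostname or ""
    return {
        "ts": m["ts"],
        "src": m["src"],
        "method": m["method"],
        "url": m["url"],
        "domain": registrable_domain(host),
    }


def domain_age(domain, today):
    """Age of the domain as a timedelta, or None when no registration date is known."""
    registered = REGISTRATION_DATES.get(domain)
    return None if registered is None else today - registered


def find_suspicious_posts(log_text, today):
    """Return POST requests to non-allowlisted domains that are newly registered or of unknown age.

    Unknown-age domains are kept rather than dropped: a missing lookup result is itself
    worth an analyst's glance, and silently skipping it would hide exactly the domains
    that threat-intel feeds have not caught up with yet.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["domain"] in EGRESS_ALLOWLIST:
            continue
        age = domain_age(rec["domain"], today)
        if age is None:
            reason = "registration date unknown"
        elif age <= NEW_DOMAIN_WINDOW:
            reason = f"registered {age.days} days ago"
        else:
            continue
        hits.append({**rec, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_posts(SAMPLE_LOG, date(2024, 6, 1)):
        print(f"{hit['ts']} {hit['src']} POST {hit['domain']} -> {hit['reason']}")
```

Run as-is, the script flags three of the four POST requests: the two to domains registered within the last 30 days and the one whose registration date the lookup could not resolve, while the POST to the allowlisted identity provider is ignored. Tuning the window and the allowlist to the environment, and replacing the constructed table with a real registration-date source, is what turns this into a usable rule.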
