This year has seen an explosion of infostealers targeting the macOS platform. Throughout 2023, we have observed a number of new infostealer families including MacStealer, Pureland, Atomic Stealer and RealStealer (aka Realst). Over the last few months, we have also been tracking a family of infostealers we call ‘MetaStealer’. Last week, Apple dropped a new signature for XProtect that detects some (but not all) variants of the MetaStealer family.
In this post, we describe how MetaStealer differs from other recent stealers, as well as indicate some intriguing overlaps with other malware. We highlight how threat actors are proactively targeting macOS businesses by posing as fake clients in order to socially engineer victims into launching malicious payloads, and we provide a comprehensive list of indicators to help threat hunters and security teams identify MetaStealer in their environments. All SentinelOne customers are automatically protected from macOS MetaStealer.
MetaStealer Droppers Targeting Businesses
Many of the samples of MetaStealer we have observed are distributed in malicious application bundles contained in disk image format (.dmg) with names indicating that the targets were business users of Mac devices.
MetaStealer disk images contain names such as
“Advertising terms of reference (MacOS presentation).dmg”
“CONCEPT A3 full menu with dishes and translations to English.dmg”
Many of the disk image droppers contain names that include the words “Official Brief Description” such as “(Cover references,tasks,logos,brief)YoungSUG_Official_Brief_Description_LucasProd.dmg”, suggesting that these were lures aimed at business users of macOS.
In one case, a malicious version of MetaStealer with the name “Conract for paymen & confidentiality agreement Lucasprod.dmg” was uploaded to VirusTotal with a comment from the victim describing how they were lured.
“Against my better judgement I mounted the image to my computer to see its contents. It contained an app that was disguised as a PDF, which I did not open and is when I realized he was a scammer.”
Other versions of MetaStealer we have seen use names masquerading as Adobe files or software such as “AdobeOfficialBriefDescription.dmg” and “Adobe Photoshop 2023 (with AI) installer.dmg”.
MetaStealer Disk Image
This specific targeting of business users is somewhat unusual for macOS malware, which is more commonly found being distributed via torrent sites or suspicious third-party software distributors as cracked versions of business, productivity or other popular software.
MetaStealer Malicious Application Bundles
The applications inside the MetaStealer disk images contain the minimum required to form a valid macOS bundle, namely an Info.plist file, a Resources folder containing an icon image and a MacOS folder containing the malicious executable.
Contents of a typical MetaStealer bundle
Although we have seen some versions carrying an Apple Developer code signature embedded in the executable (Bourigaultn Nathan (U5F3ZXR58U)), none of the samples we observed attached a code signature or used ad hoc signing. This means that to gain execution, the threat actor would likely need to guide or persuade the victim to override protections such as Gatekeeper and OCSP.
Interestingly, all the samples we have collected are single-architecture x86_64 binaries, meaning that on Apple silicon (M1 and M2) machines they will only run with the help of Rosetta.
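The bundle traits described above (a bare Info.plist/Resources/MacOS layout, an executable with no LC_CODE_SIGNATURE load command, a single-architecture x86_64 Mach-O, and a Go binary whose build ID string has been stripped) can be checked mechanically. The following triage script is an added example, not SentinelOne's tooling or anything shipped with the malware; the Mach-O header constants are the public ones from Apple's loader headers, and the test bundle it builds is synthetic, not a real sample.

```python
"""Triage helper for suspicious macOS application bundles (added example)."""
import os
import plistlib
import struct
import tempfile

MH_MAGIC_64 = 0xFEEDFACF       # 64-bit thin Mach-O; header is little-endian on disk
FAT_MAGIC = 0xCAFEBABE         # universal (fat) binary; fat header is big-endian
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
LC_CODE_SIGNATURE = 0x1D
LC_UUID = 0x1B


def _parse_thin(data):
    """Return (arch_name, has_code_signature) for one thin 64-bit Mach-O image."""
    magic, cputype, _sub, _ftype, ncmds, _szcmds, _flags, _res = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O")
    off, signed = 32, False
    for _ in range(ncmds):                      # walk the load commands
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_CODE_SIGNATURE:
            signed = True
        off += cmdsize
    return CPU_NAMES.get(cputype, hex(cputype)), signed


def parse_macho(data):
    """Return (list of arch names, signed flag) for a thin or fat Mach-O."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        archs, signed = [], True
        for i in range(nfat):
            _ct, _cs, offset, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            arch, s = _parse_thin(data[offset:offset + size])
            archs.append(arch)
            signed = signed and s
        return archs, signed
    arch, signed = _parse_thin(data)
    return [arch], signed


def triage_bundle(app_path):
    """Apply the bundle heuristics from the post; returns a dict with a findings list."""
    findings = []
    contents = os.path.join(app_path, "Contents")
    with open(os.path.join(contents, "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    exe_name = info.get("CFBundleExecutable", "")
    resources = os.listdir(os.path.join(contents, "Resources"))
    if resources and all(r.lower().endswith(".icns") for r in resources):
        findings.append("Resources folder holds only an icon")
    if not os.path.isdir(os.path.join(contents, "_CodeSignature")):
        findings.append("no _CodeSignature directory in bundle")
    with open(os.path.join(contents, "MacOS", exe_name), "rb") as fh:
        data = fh.read()
    archs, signed = parse_macho(data)
    if archs == ["x86_64"]:
        findings.append("single-architecture x86_64 executable (needs Rosetta on Apple silicon)")
    if not signed:
        findings.append("no LC_CODE_SIGNATURE load command (unsigned, not even ad hoc)")
    if b"runtime.main" in data and b"Go build ID:" not in data:
        findings.append("Go binary with stripped build ID")
    return {"executable": exe_name, "archs": archs, "signed": signed, "findings": findings}


def build_synthetic_bundle(root):
    """Construct a MetaStealer-shaped bundle for testing (synthetic, not a real sample)."""
    app = os.path.join(root, "Sample.app")
    for sub in ("MacOS", "Resources"):
        os.makedirs(os.path.join(app, "Contents", sub))
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Sample", "CFBundlePackageType": "APPL"}, fh)
    open(os.path.join(app, "Contents", "Resources", "icon.icns"), "wb").close()
    # Thin x86_64 Mach-O header with one LC_UUID command and no signature command
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + bytes(16)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 1, len(uuid_cmd), 0, 0)
    with open(os.path.join(app, "Contents", "MacOS", "Sample"), "wb") as fh:
        fh.write(header + uuid_cmd + b"runtime.main\x00go1.20\x00")  # Go-like strings, no build ID
    return app


def triage_synthetic():
    """Build the synthetic bundle in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_bundle(build_synthetic_bundle(tmp))


if __name__ == "__main__":
    for finding in triage_synthetic()["findings"]:
        print("-", finding)
```

Run it against a real bundle with `triage_bundle("/path/to/Suspect.app")`; on a legitimate, notarized app the findings list should be empty, since the executable will carry LC_CODE_SIGNATURE and the bundle a `_CodeSignature` folder. The string heuristic for a stripped Go build ID is deliberately loose and only meant to prompt a closer look.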
Early samples of MetaStealer began appearing on VirusTotal around March 2023 and increased throughout the summer. The most recent sample we are aware of was uploaded to VirusTotal on 27 August. Apple updated its malware blocking tool XProtect to version 2170 in the week commencing 4 September.
However, some of the samples in our collection that appeared in June and July remain undetected by XProtect after this update; these include the following malicious Mach-O executables:
MetaStealer Obfuscated Go Executable
The main executable in MetaStealer bundles is an Intel x86 Mach-O containing compiled and heavily obfuscated Go source code. The Go Build ID has been stripped and function names obfuscated. The obfuscation method bears similarity to that used in obfuscated Sliver and Poseidon malware binaries, and may be a product of the garble obfuscator or similar.
main.main functions in MetaStealer
Despite the obfuscation, some tell-tale signs of the binary’s tasking remain as artifacts. In particular, we can identify functions for exfiltrating the keychain, extracting saved passwords, and grabbing files.
Some, but not all, versions contain methods seemingly targeting Telegram and Meta services.
Samples of MetaStealer have been observed reaching out to one of the following domains:
MetaStealer has also been observed attempting to open an outgoing TCP connection to either host 13[.]125.88[.]10 or 13[.]114.196[.]60 over port 3000.
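To turn the network indicators above into a detection, the defanged addresses need to be refanged and then matched against connection telemetry. The script below is an added example (not SentinelOne's detection logic): it matches the two addresses and port 3000 quoted above against a constructed connection log whose line format, and the process names in it, are assumptions for illustration.

```python
"""Match outbound connections against the MetaStealer C2 indicators (added example)."""
import re

# Indicators as published in the post, kept defanged here
DEFANGED_C2 = ["13[.]125.88[.]10", "13[.]114.196[.]60"]
C2_PORT = 3000


def refang(indicator):
    """Turn publication-safe '[.]' / 'hxxp' notation back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_HOSTS = {refang(ip) for ip in DEFANGED_C2}

# Assumed log shape (constructed): "<timestamp> <pid> <process> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def find_c2_connections(lines):
    """Return (process, dst_ip, dst_port) for flows that hit a C2 host on the C2 port."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip lines that do not fit the assumed format
        _ts, _pid, proc, ip, port = m.groups()
        if ip in C2_HOSTS and int(port) == C2_PORT:
            hits.append((proc, ip, int(port)))
    return hits


# Constructed sample log; process names are placeholders, not observed names
SAMPLE_LOG = [
    "2023-09-05T10:01:02Z 4120 Safari -> 17.253.144.10:443",
    "2023-09-05T10:01:09Z 4388 unsigned_x86_64_app -> 13.125.88.10:3000",
    "2023-09-05T10:01:11Z 4388 unsigned_x86_64_app -> 13.114.196.60:3000",
    "2023-09-05T10:02:00Z 4400 curl -> 13.125.88.10:443",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for proc, ip, port in find_c2_connections(SAMPLE_LOG):
        print(f"C2 indicator hit: {proc} -> {ip}:{port}")
```

The port check is kept alongside the address check because the post only reports connections on port 3000; widen it if you would rather alert on any traffic to those hosts.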
Is MetaStealer Related to Atomic Stealer?
Earlier this year we documented how another macOS infostealer, Atomic Stealer, was being offered for rent to threat actors via a Telegram channel. Last week, other researchers noted that a version of Atomic Stealer was being distributed via malvertising through Google Ads using a typosquatting technique to deliver a fake TradingView application. Interestingly, some versions of MetaStealer are also masquerading as TradingView.
MetaStealer masquerading as Trading View
However, despite both being Go-based infostealers that also use osascript to display error messages to the user on execution, we see little actual code overlap between MetaStealer and Atomic Stealer. We also note that the network infrastructure and observed method of delivery in MetaStealer campaigns is rather different to that seen in Atomic Stealer.
At this point, we cannot rule out that the same team of malware developers could be behind both stealers and that differences in delivery are due to different buyers of the malware, but it is also equally possible that entirely different individuals or teams are simply using similar techniques to achieve the same objectives.
How to Stay Safe from MetaStealer Malware
The SentinelOne Singularity platform detects these and all other samples of MetaStealer malware both on-write and on execution.
As noted above, Apple’s XProtect update v2170 contains a detection signature for some versions of MetaStealer but not all, so organizations without SentinelOne or another capable security solution are advised to review the indicators below for threat hunting and mitigation.
The appearance of yet another macOS infostealer this year shows that targeting Mac users for their data continues to grow in popularity among threat actors. What makes MetaStealer notable among this crop of recent malware is the clear targeting of business users and the objective of exfiltrating valuable keychain and other information from these targets. Such high-value data can be used to pursue further cybercriminal activity or gain a foothold in a larger business network.
All Mac users are advised to ensure they have an adequate security solution in place and IT and security teams are encouraged to review the comprehensive list of IoCs below.
Indicators of Compromise
Adobe Photoshop 2023 (with AI) installer.dmg
Advertising terms of reference (MacOS presentation).dmg
Conract for paymen & confidentiality agreement Lucasprod.dmg
YoungClass brief presentation Mac 20OS.zip
Mach-O Binaries – Intel x86_64
Bourigaultn Nathan (U5F3ZXR58U)