- Researchers from Proofpoint observE two groups engaging in “fake update” attacks
- The groups have their separate assignments against macOS devices
- The goal is to distribute FrigidStealer, a new infostealer malware
Cybercriminals are using fake macOS updates to distribute a new piece of malware called FrigidStealer, new research has claimed.
Cybersecurity researchers Proofpoint recently observed two new threat actors distributing the malware, tracked as TA2726 and TA2727, working together on different parts of the same campaign to get macOS users to install FrigidStealer.
They opted for the “fake update” distribution method, where victims would visit a compromised website which would serve a popup. That popup would warn users that they needed to update either their Macs, or their browsers, in order to view the contents of the website.
Targeting Windows, Linux, macOS, and Android
Instead of an actual update, the victims would download and run the installer for the FrigidStealer malware, which did what infostealers usually do – it steals information, including browser cookies, files containing passwords or cryptocurrency-related data, files from Apple Notes, and similar.
Stolen data is stored in the user’s home directory before being sent to the attacker’s command and control (C2) server: askforupdate[.]org.
Proofpoint says that the malware is distributed by TA2727, a financially motivated cybercriminal group. TA2726, on the other hand, acts as a Traffic Distribution System (TDS) operator, redirecting web traffic to TA2727’s payloads.
The majority of the targets seem to be located in North America and Europe, and besides FrigidStealer, the crooks are also using Lumma Stealer and DeerStealer for Windows targets, and Marcher Banking Trojan for Android users.
Fake update attacks are nothing new, they’ve been around for years. The SocGholish malware campaign, attributed to the threat actor TA569, is recognized as one of the most prolific users of these attacks. Active since at least April 2018, SocGholish employs malicious JavaScript injected into compromised websites to present visitors with deceptive prompts for software updates, such as fake browser or Flash Player updates.
You might also like
https://cdn.mos.cms.futurecdn.net/8wom7TXsEex7ExUd8LhF2n-1200-80.jpg
Source link
