These fake macOS updates are actually just looking to spread malware

A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.

(Image credit: Getty Images)

Researchers from Proofpoint observE two groups engaging in "fake update" attacks
The groups have their separate assignments against macOS devices
The goal is to distribute FrigidStealer, a new infostealer malware

Cybercriminals are using fake macOS updates to distribute a new piece of malware called FrigidStealer, new research has claimed.

Cybersecurity researchers Proofpoint recently observed two new threat actors distributing the malware, tracked as TA2726 and TA2727, working together on different parts of the same campaign to get macOS users to install FrigidStealer.

They opted for the “fake update” distribution method, where victims would visit a compromised website which would serve a popup. That popup would warn users that they needed to update either their Macs, or their browsers, in order to view the contents of the website.

Targeting Windows, Linux, macOS, and Android

Instead of an actual update, the victims would download and run the installer for the FrigidStealer malware, which did what infostealers usually do - it steals information, including browser cookies, files containing passwords or cryptocurrency-related data, files from Apple Notes, and similar.

Stolen data is stored in the user's home directory before being sent to the attacker’s command and control (C2) server: askforupdate[.]org.

Proofpoint says that the malware is distributed by TA2727, a financially motivated cybercriminal group. TA2726, on the other hand, acts as a Traffic Distribution System (TDS) operator, redirecting web traffic to TA2727’s payloads.

The majority of the targets seem to be located in North America and Europe, and besides FrigidStealer, the crooks are also using Lumma Stealer and DeerStealer for Windows targets, and Marcher Banking Trojan for Android users.

Fake update attacks are nothing new, they’ve been around for years. The SocGholish malware campaign, attributed to the threat actor TA569, is recognized as one of the most prolific users of these attacks. Active since at least April 2018, SocGholish employs malicious JavaScript injected into compromised websites to present visitors with deceptive prompts for software updates, such as fake browser or Flash Player updates.

Microsoft spies a new and worrying macOS malware strain
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.