These fake macOS updates are actually just looking to spread malware

News
By
published

Two new threat actors were seen spreading new infostealers

A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
(Image credit: Getty Images)
  • Researchers from Proofpoint observE two groups engaging in "fake update" attacks
  • The groups have their separate assignments against macOS devices
  • The goal is to distribute FrigidStealer, a new infostealer malware

Cybercriminals are using fake macOS updates to distribute a new piece of malware called FrigidStealer, new research has claimed.

Cybersecurity researchers Proofpoint recently observed two new threat actors distributing the malware, tracked as TA2726 and TA2727, working together on different parts of the same campaign to get macOS users to install FrigidStealer.

They opted for the “fake update” distribution method, where victims would visit a compromised website which would serve a popup. That popup would warn users that they needed to update either their Macs, or their browsers, in order to view the contents of the website.

Targeting Windows, Linux, macOS, and Android

Instead of an actual update, the victims would download and run the installer for the FrigidStealer malware, which did what infostealers usually do - it steals information, including browser cookies, files containing passwords or cryptocurrency-related data, files from Apple Notes, and similar.

Stolen data is stored in the user's home directory before being sent to the attacker’s command and control (C2) server: askforupdate[.]org.

Proofpoint says that the malware is distributed by TA2727, a financially motivated cybercriminal group. TA2726, on the other hand, acts as a Traffic Distribution System (TDS) operator, redirecting web traffic to TA2727’s payloads.

The majority of the targets seem to be located in North America and Europe, and besides FrigidStealer, the crooks are also using Lumma Stealer and DeerStealer for Windows targets, and Marcher Banking Trojan for Android users.

Fake update attacks are nothing new, they’ve been around for years. The SocGholish malware campaign, attributed to the threat actor TA569, is recognized as one of the most prolific users of these attacks. Active since at least April 2018, SocGholish employs malicious JavaScript injected into compromised websites to present visitors with deceptive prompts for software updates, such as fake browser or Flash Player updates.

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

More about security
Ransomware

Lee Enterprises blames cyberattack for encrypting critical systems as US newspaper outages drag on
Representational image depecting cybersecurity protection

Top venture capital firm Insight Partners confirms it was hit by cyberattack
An Exoborne promotional screenshot showing players using the glider.

Exoborne is on track to be the most approachable extraction shooter on the market, but will that be enough for it to succeed?
See more latest