Full Report
The FakeUpdate malware campaigns are becoming increasingly muddled, with two additional cybercrime groups, tracked as TA2726 and TA2727, running campaigns that push a new macOS infostealer called FrigidStealer. [...]
Analysis Summary
# Tool/Technique: FrigidStealer
## Overview
FrigidStealer is a newly discovered infostealer targeting macOS. It is distributed through social engineering, primarily fake browser update prompts on compromised websites that lead the victim to download and run a malicious DMG. Its goal is to harvest sensitive user data, including browser credentials and cookies, cryptocurrency wallet information, Apple Notes, and documents.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: macOS
- Capabilities: Stealing browser cookies/credentials (Safari, Chrome), extracting crypto wallet credentials, harvesting Apple Notes, collecting documents (spreadsheets, text files).
- First Seen: Not stated in the source text; the malware is described only as new.
## MITRE ATT&CK Mapping
*Note: Specific ATT&CK IDs are inferred based on the described functionalities.*
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.002 - Spearphishing Link (implied via the link/prompt leading to the download)
- **TA0009 - Collection**
  - T1119 - Data from Local System
    - T1119.001 - Data from Storage (stealing files from the home directory)
  - T1005 - Data from Local System
    - T1005.001 - Data from Browser (stealing saved cookies and login credentials)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Execution via Social Engineering:** Relies on the user clicking a fake "update" prompt, which delivers the malicious file.
- **User-Assisted Gatekeeper Bypass:** Delivered as a DMG. Because the app is not notarized, the user must right-click it, choose "Open," and then enter their password before it runs, which sidesteps Gatekeeper's protection.
- **Credential Harvesting:** Targets saved cookies and login credentials from Safari and Chrome.
- **Sensitive File Collection:** Scans the user's Desktop and Documents folders for crypto wallet credentials, reads Apple Notes, and collects documents, spreadsheets, and text files from the user's home directory.
### Advanced Features
- **WailsIO Framework:** Written in Go and built with the WailsIO framework, which gives the installer a legitimate-looking interface intended to reduce user suspicion during infection.
- **Data Staging:** Stolen data is bundled, compressed, and written to a hidden folder in the user's home directory before exfiltration.
## Indicators of Compromise
- File Hashes: [Not provided in text]
- File Names: DMG installer (specific names not provided)
- Registry Keys: [Not applicable; macOS has no registry]
- Network Indicators: C2 domain `askforupdate[.]org` (defanged)
- Behavioral Indicators: Execution following user interaction with a fake update prompt; creation of a compressed, hidden archive in the user's home directory; network connection to the known C2 domain.
## Associated Threat Actors
- TA2726 and TA2727, the groups named in the report excerpt above as running the FakeUpdate campaigns that push FrigidStealer; these are part of broader global infostealer campaigns.
## Detection Methods
- Signature-based detection: Signatures for the known FrigidStealer binaries and its C2 communication are likely available from security vendors (none are provided in the text).
- Behavioral detection: Monitor for applications built on the WailsIO runtime being launched, for attempts to read multiple user credential stores (browser databases, Apple Notes), and for the creation of hidden compressed archives in the user's home directory; alert on DNS resolution or connections to the C2 domain.
- YARA rules: [Not provided in text]
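As an added defender-side example, not code from the report, the following Python hunt checks the two behavioral indicators listed above on a macOS host: archives staged inside a hidden folder directly under the user's home directory, and log lines that reference the C2 domain. The archive suffix list, the skip list of dotfolders that legitimately hold archives, the function names, and the sample home directory and log lines are all constructed assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumptions (not from the report): suffixes a stealer is likely to use when
# bundling loot, and dotfolders that legitimately hold archives (package caches).
ARCHIVE_SUFFIXES = (".zip", ".tar", ".gz", ".tgz", ".bz2", ".xz", ".7z", ".rar")
SKIP_DOTFOLDERS = {".cache", ".npm", ".Trash"}

# C2 domain from the report, refanged so it matches live log lines.
C2_DOMAIN = "askforupdate[.]org".replace("[.]", ".")
C2_RE = re.compile(r"(?<![\w-])" + re.escape(C2_DOMAIN) + r"(?![\w-])", re.IGNORECASE)


def find_hidden_staging(home, max_depth=2):
    """Return archives found inside dot-prefixed folders directly under home,
    the staging pattern the report describes, ignoring known package caches."""
    home = Path(home)
    hits = []
    for entry in home.iterdir():
        if entry.is_symlink() or not entry.is_dir() or not entry.name.startswith("."):
            continue
        if entry.name in SKIP_DOTFOLDERS:
            continue
        for root, dirs, files in os.walk(entry):
            if len(Path(root).relative_to(home).parts) >= max_depth:
                dirs.clear()  # do not descend further than max_depth
            hits.extend(str(Path(root, f)) for f in files
                        if f.lower().endswith(ARCHIVE_SUFFIXES))
    return sorted(hits)


def flag_c2_lines(log_lines):
    """Return the log lines that mention the C2 domain or any subdomain of it."""
    return [line for line in log_lines if C2_RE.search(line)]


def demo():
    """Run both checks against a constructed home directory and constructed
    DNS/connection log lines (sample data only, not real telemetry)."""
    home = Path(tempfile.mkdtemp())
    (home / ".sysdata").mkdir()
    (home / ".sysdata" / "bundle.zip").write_bytes(b"PK\x03\x04")  # staged loot
    (home / "Documents").mkdir()
    (home / "Documents" / "notes.zip").write_bytes(b"PK")  # visible folder, benign
    logs = [
        "2025-02-19T10:01:02 dns query A askforupdate.org from 10.0.0.5",
        "2025-02-19T10:01:03 dns query A updates.apple.com from 10.0.0.5",
        "2025-02-19T10:01:04 tcp 10.0.0.5 -> cdn.askforupdate.org:443",
    ]
    return find_hidden_staging(home), flag_c2_lines(logs)
```

Running `find_hidden_staging(Path.home())` on a real host will surface legitimate archives in dotfolders not covered by the skip list, so triage hits by creation time and by the process that wrote them.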
## Mitigation Strategies
- **User Education:** Do not run downloads or commands prompted by website overlays, especially fake software updates, fixes, or CAPTCHA prompts.
- **Gatekeeper Awareness:** Treat software that requires manually bypassing Gatekeeper (right-click -> Open -> password entry) as a red flag rather than a normal installation step.
- **Post-Infection Response:** If infected, immediately change the passwords for all accounts, especially any where the same password may have been reused.
- **System Hardening:** Ensure the built-in macOS security features (Gatekeeper, XProtect, MRT) are enabled and functioning correctly.
## Related Tools/Techniques
- Lumma Stealer (shares the fake-update distribution vector; delivered as a Windows MSI)
- DeerStealer (shares the fake-update distribution vector; delivered as a Windows MSI)
- Marcher banking trojan (shares the fake-update distribution vector; delivered as an Android APK)