Full Report
Cybersecurity researchers are warning of a new campaign that leverages web injects to deliver a new Apple macOS malware known as FrigidStealer. The activity has been attributed to a previously undocumented threat actor known as TA2727, alongside information stealers for other platforms such as Windows (Lumma Stealer or DeerStealer) and Android (Marcher). TA2727 is a "threat actor that uses fake
Analysis Summary
# Threat Actor: TA2727
## Attribution & Identity
TA2727 is a newly identified, financially motivated threat actor believed to be active since at least September 2022. They operate in conjunction with TA2726 (a Malicious Traffic Distribution System operator) and TA569.
## Activity Summary
TA2727 conducts campaigns that leverage web injects on compromised websites to deliver malware payloads tailored to the visitor's geography or device. The current focus is distributing a new Apple macOS malware known as **FrigidStealer** to macOS users residing outside of North America, delivered via a fake update redirect. Historically, the actor has been linked to the distribution of other malware families such as Lumma Stealer (Windows) and Marcher (Android).
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Uses malicious JavaScript website injects that mimic legitimate browser (Chrome/Edge) updates to lure victims into downloading malware.
- **Payload Deployment Customization:** Tailors the malware payload based on the victim's geography or device type.
- **macOS Exploitation:** On macOS, the payload is delivered as an installer; Gatekeeper protections are not exploited but sidestepped, because the lure requires the user to explicitly launch the unsigned app.
- **Windows Exploitation (Observed):** Prompts users to download an MSI installer file that launches Hijack Loader, which subsequently loads Lumma Stealer.
- **Android Exploitation (Observed):** Redirects users to deploy the Marcher banking trojan.
- **Privilege Escalation (FrigidStealer):** Leverages AppleScript to prompt the user to enter their system password, granting the malware elevated privileges.
- **Code Execution:** The FrigidStealer executable is written in Go and built with the WailsIO project, rendering content in the browser to enhance the social engineering.
## Targeting
- **Sectors:** Enterprise and consumer users.
- **Geography:** macOS campaigns target users outside of North America; France and the U.K. are specifically mentioned for the Windows targeting observed in the chain.
- **Victims:** Individuals using Windows, Android, and macOS devices visiting compromised websites.
## Tools & Infrastructure
- **Malware families used:**
  - **FrigidStealer** (new macOS information stealer)
  - **Lumma Stealer** (Windows information stealer)
  - **Marcher** (Android banking trojan)
  - **Hijack Loader** (DOILoader)
- **Infrastructure:** Utilizes infrastructure provided by TA2726, which performs website compromises leading to the malicious JavaScript web injects.
## Implications
TA2727 demonstrates sophistication by customizing malware delivery based on the victim's OS and location, indicating thorough reconnaissance of visitor attributes. The successful targeting of macOS users, often considered less common in enterprise environments, highlights the actor's efforts to expand their reach beyond traditional Windows targets. The use of social engineering overlays (fake updates) combined with techniques to bypass macOS security features like Gatekeeper poses a significant and evolving threat.
## Mitigations
- Implement robust endpoint security solutions capable of detecting behavioral anomalies associated with information stealers.
- Educate users about the dangers of installing software from fake software update prompts encountered during general web browsing.
- Ensure systems are configured to enforce strong application signature verification to mitigate attempts to bypass Gatekeeper.
- Review systems for unusual AppleScript prompts requesting elevated system passwords, as this is a key step in the FrigidStealer execution chain.
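As an added example (not from the report or any vendor tooling), the check below hunts process-execution telemetry for the AppleScript password-prompt step named under Privilege Escalation and in the last mitigation above. It assumes the prompt is an `osascript` `display dialog ... with hidden answer` call, which the report does not state; the event lines and the "untrusted launch path" patterns are constructed.

```python
"""Hunt process telemetry for AppleScript credential-prompt abuse (added example)."""
import re
from dataclasses import dataclass, field

# Constructed telemetry, one event per line: "<parent_path>|<process>|<command line>".
SAMPLE_EVENTS = """\
/Applications/Safari.app/Contents/MacOS/Safari|osascript|osascript -e 'tell application "System Events" to keystroke "a"'
/Volumes/Chrome Update/Chrome Update.app/Contents/MacOS/Chrome Update|osascript|osascript -e 'display dialog "Chrome needs your password to finish updating" default answer "" with hidden answer with title "Google Chrome"'
/usr/bin/python3|osascript|osascript -e 'display notification "Backup complete"'
/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor|osascript|osascript -e 'display dialog "PIN" default answer "" with hidden answer'
"""

# Assumed idiom for an AppleScript password box: a dialog whose answer field is masked.
HIDDEN_ANSWER = re.compile(r"display\s+dialog.*with\s+hidden\s+answer", re.I | re.S)
PASSWORD_WORDS = re.compile(r"password|passcode|credential", re.I)
# Constructed list of launch locations typical of a user-run download or mounted image.
UNTRUSTED_PARENT = re.compile(r"^(/Volumes/|/Users/[^/]+/Downloads/|/private/tmp/|/tmp/)")


@dataclass
class Finding:
    parent: str
    severity: str                      # "high" when all three indicators line up, else "medium"
    reasons: list = field(default_factory=list)


def assess_event(line: str):
    """Return a Finding for an osascript hidden-answer prompt, or None for benign events."""
    parent, process, cmdline = line.split("|", 2)
    if process != "osascript" or not HIDDEN_ANSWER.search(cmdline):
        return None
    reasons = ["osascript dialog with a masked answer field"]
    if PASSWORD_WORDS.search(cmdline):
        reasons.append("prompt text asks for a password/credential")
    if UNTRUSTED_PARENT.match(parent):
        reasons.append("parent process launched from a download or mounted-image path")
    severity = "high" if len(reasons) == 3 else "medium"
    return Finding(parent, severity, reasons)


def hunt(events: str):
    """Run assess_event over every non-empty telemetry line and keep the hits."""
    return [f for f in (assess_event(l) for l in events.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.severity.upper(), f.parent, "->", "; ".join(f.reasons))
```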