Full Report
Researchers warn of rising macOS-targeted attacks as hackers exploit fake updates to bypass security. FrigidStealer malware highlights growing enterprise risks.
Analysis Summary
# Tool/Technique: FrigidStealer
## Overview
FrigidStealer is a macOS information stealer distributed through "web inject" campaigns: script injected into compromised but otherwise legitimate websites renders a fake browser-update prompt. Its purpose is data theft; it targets browser cookies and saved passwords, cryptocurrency-related files, and Apple Notes on the compromised Mac.
## Technical Details
- Type: Malware family
- Platform: macOS
- Capabilities: Information stealing, circumvention of macOS security controls (Gatekeeper) via deceptive user guidance.
- First Seen: February 2025 (based on the article date)
## MITRE ATT&CK Mapping
* **TA0001 - Initial Access**
  * T1189 - Drive-by Compromise (injected "update" lure served from compromised legitimate websites)
* **TA0002 - Execution**
  * T1204.002 - User Execution: Malicious File (victim opens the downloaded DMG and launches the app inside it)
* **TA0005 - Defense Evasion**
  * T1036 - Masquerading (poses as a Safari or Chrome update)
  * T1553.001 - Subvert Trust Controls: Gatekeeper Bypass (victim is coached to right-click > Open)
* **TA0006 - Credential Access**
  * T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
  * T1539 - Steal Web Session Cookie
  * T1056.002 - Input Capture: GUI Input Capture (password prompt shown during the fake install)
* **TA0009 - Collection**
  * T1005 - Data from Local System (cryptocurrency-related files, Apple Notes)
* **TA0010 - Exfiltration**
  * T1041 - Exfiltration Over C2 Channel (inferred; the exfiltration method is not detailed in the source)
## Functionality
### Core Capabilities
- **Distribution via Web Inject:** Injected script on compromised, otherwise legitimate websites draws a fake "Update" prompt or button over the page the victim was already browsing.
- **Masquerading:** Presents itself as a routine browser update (Safari or Chrome), matched to the browser the visitor is using.
- **Initial Payload Delivery:** Clicking the fake update prompt triggers the download of a DMG file; the victim must mount it and launch the app inside.
- **Information Stealing:** Extracts browser cookies and stored passwords, cryptocurrency-related files, and Apple Notes.
### Advanced Features
- **Gatekeeper Bypass:** The download page shows customized, official-looking instructions that walk the victim around Gatekeeper: because the app is unsigned or un-notarized, double-clicking it is blocked, so the victim is told to right-click (Control-click) the app and choose Open, which on macOS releases before Sequoia offers an "Open" button that Gatekeeper would otherwise not show. Once running, the malware itself displays a prompt asking for the user's password under the pretext of completing the update; the password is captured, not consumed by the OS.
- **Targeting:** The stolen data (browser sessions, saved credentials, wallet files, notes) exposes both the individual and any enterprise accounts reachable from that Mac.
## Indicators of Compromise
- File Hashes: Not provided in the source.
- File Names: DMG files named to match a browser update (e.g. a Safari or Chrome "update" image); exact names not provided in the source.
- Registry Keys: Not applicable (macOS has no registry); persistence artifacts are not described in the source.
- Network Indicators: C2 and TA2726/TA2727 traffic-distribution infrastructure is implied but not detailed in the source.
- Behavioral Indicators: A DMG downloaded from a browser session, followed by execution of a Mach-O binary from the mounted image (under /Volumes/), followed by a password prompt raised by that process rather than by the OS installer.
## Associated Threat Actors
- **TA2726:** Operates parts of the web-inject campaigns; may function as a Traffic Distribution Service (TDS) for other actors.
- **TA2727:** Known distributor of FrigidStealer (for macOS) and malware targeting Windows and Android.
## Detection Methods
- Signature-based detection: No hashes or signatures are given in the source; once samples are available, hash and code-signing checks on the DMG and the Mach-O executable apply as usual.
- Behavioral detection: Correlate, per user session, a browser-initiated DMG download, a process launched from the mounted image under /Volumes/, and a password prompt raised by that process (typically via `osascript` "display dialog ... with hidden answer"). Legitimate installers either are notarized and pass Gatekeeper without the right-click dance or ask for credentials through the system Installer, not through an osascript dialog spawned by the downloaded app.
- YARA rules: Not provided in the source.
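The behavioral chain above, as an added example that is not from the original report or from any FrigidStealer sample: a small detector that walks a stream of endpoint events and raises an alert when an `osascript` password dialog is spawned by an app that was launched from a mounted image shortly after a browser downloaded a DMG. The event schema (`Event`), the browser image paths, the time window and the sample events are all constructed for this illustration; map them onto the fields your EDR or Unified Log export actually provides.

```python
"""Added detection example (not the report's or the malware's code).

Flags the FrigidStealer-style chain described in the report:
  browser downloads a .dmg -> a binary runs from /Volumes/<image> -> that
  binary spawns `osascript ... display dialog ... with hidden answer`.
The event schema and all sample data are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: float          # seconds since epoch (constructed schema)
    kind: str          # "download": a process wrote a file; "exec": a process started
    pid: int
    ppid: int
    proc: str          # image path of the process that acted / was started
    target: str = ""   # for "download": the file that was written
    args: str = ""     # for "exec": full command line


# Assumed browser image paths; extend to whatever your fleet runs.
BROWSER_IMAGES = (
    "/Applications/Safari.app/",
    "/Applications/Google Chrome.app/",
    "/Applications/Firefox.app/",
)
# Assumed maximum gap between the DMG download and the app launching from it.
DOWNLOAD_TO_LAUNCH_WINDOW = 15 * 60


def is_browser(proc: str) -> bool:
    return proc.startswith(BROWSER_IMAGES)


def is_password_prompt(args: str) -> bool:
    """`display dialog ... with hidden answer` is the stock AppleScript way to
    pop a password box from a bundle that has no real UI of its own."""
    a = args.lower()
    return "display dialog" in a and "hidden answer" in a


def detect(events: List[Event]) -> List[dict]:
    """Return one alert per osascript password prompt.

    severity "high":   the prompt's parent was launched from /Volumes/ within
                       DOWNLOAD_TO_LAUNCH_WINDOW of a browser-initiated DMG download
    severity "medium": any other osascript password prompt (review the parent)
    """
    alerts: List[dict] = []
    dmg_downloads: List[Tuple[float, str]] = []              # (ts, dmg path)
    launched_from_image: Dict[int, Tuple[str, str]] = {}     # pid -> (app, dmg)

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "download" and ev.target.lower().endswith(".dmg") and is_browser(ev.proc):
            dmg_downloads.append((ev.ts, ev.target))
        elif ev.kind == "exec" and ev.proc.startswith("/Volumes/"):
            origin: Optional[str] = next(
                (p for t, p in reversed(dmg_downloads)
                 if 0 <= ev.ts - t <= DOWNLOAD_TO_LAUNCH_WINDOW), None)
            if origin is not None:
                launched_from_image[ev.pid] = (ev.proc, origin)
        elif ev.kind == "exec" and ev.proc == "/usr/bin/osascript" and is_password_prompt(ev.args):
            parent = launched_from_image.get(ev.ppid)
            if parent:
                app, dmg = parent
                alerts.append({"severity": "high", "ts": ev.ts, "prompt_pid": ev.pid,
                               "app": app, "dmg": dmg,
                               "reason": "password prompt from app launched out of a browser-downloaded DMG"})
            else:
                alerts.append({"severity": "medium", "ts": ev.ts, "prompt_pid": ev.pid,
                               "app": None, "dmg": None,
                               "reason": "osascript password prompt; review parent process"})
    return alerts


# Constructed sample telemetry: one fake-update chain plus benign osascript noise.
SAMPLE_EVENTS = [
    Event(1700000000.0, "download", 501, 1, "/Applications/Safari.app/Contents/MacOS/Safari",
          target="/Users/alice/Downloads/SafariUpdate.dmg"),
    Event(1700000075.0, "exec", 900, 1,
          "/Volumes/Safari Update/Safari Update.app/Contents/MacOS/Safari Update",
          args="/Volumes/Safari Update/Safari Update.app/Contents/MacOS/Safari Update"),
    Event(1700000078.0, "exec", 905, 900, "/usr/bin/osascript",
          args='osascript -e \'display dialog "Safari needs your password to finish the update" '
               'default answer "" with hidden answer\''),
    Event(1700000900.0, "exec", 1200, 1100, "/usr/bin/osascript",
          args='osascript -e \'display notification "build finished"\''),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The medium-severity branch is deliberately noisy: an `osascript` password dialog from any parent is worth a look, but only the full download-mount-launch-prompt chain is worth paging on. The 15-minute window and the `/Volumes/` prefix are assumptions; tune both against your own baseline of legitimate DMG installs.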
## Mitigation Strategies
- **User Education:** Train users to treat software-update prompts that appear mid-session on an unrelated website as hostile, and never to type their macOS password into a prompt raised by software installed that way. Browsers update themselves through their own menus, not through a page on a third-party site.
- **Gatekeeper Enforcement:** Keep Gatekeeper assessment enabled and, via MDM, remove the user's ability to override it, so the "right-click > Open" instructions the lure depends on have nothing to act on.
- **Application Control:** Restrict execution of unsigned or un-notarized applications, and consider blocking execution from mounted disk images under /Volumes/ for users who have no legitimate need to install software that way.
- **Right-Click Awareness:** Tell staff specifically that a site instructing them to right-click an app to open it is describing a Gatekeeper bypass, not an installation step. Note that macOS 15 Sequoia no longer offers the Control-click "Open" override at all; there the lure would have to send the victim to System Settings > Privacy & Security > "Open Anyway" instead, so training should cover both paths.
## Related Tools/Techniques
- **Web Inject Campaigns:** Script injected into compromised legitimate sites, often fronted by a traffic distribution service (TA2726 is named in that role), selects the lure and payload by the visitor's platform: macOS visitors receive FrigidStealer, while TA2727 delivers separate malware to Windows and Android visitors through the same channel.
- **Information Stealers:** Shares its goals with other macOS stealers that target browser cookies, saved passwords, and cryptocurrency wallet data, and with the Windows and Android payloads distributed by the same actors.