FrigidStealer is a macOS-targeting information-stealing malware that disguises itself as a browser update to exfiltrate sensitive user data, including credentials and cryptocurrency wallets. This article explains its behavior and demonstrates how to detect FrigidStealer using Wazuh custom decoders and rules on macOS endpoints. #FrigidStealer #EvilCorp
Key points
- FrigidStealer emerged in January 2025 as malware that targets macOS by distributing itself via fake browser update pages hosting malicious DMG files.
- The malware registers itself as an application named “ddaolimaki-daunito” and achieves persistence via launchservicesd with the bundle ID “com.wails.ddaolimaki-daunito”.
- It steals sensitive data such as browser credentials, system files, and user information by abusing Apple Events for unauthorized inter-process communication.
- FrigidStealer exfiltrates stolen data to a command-and-control (C2) server using DNS data exfiltration through the mDNSResponder process.
- After exfiltration, the malware terminates its process and removes associated jobs to evade detection on the macOS endpoint.
- The article provides detailed instructions on configuring Wazuh agents and creating custom decoders and detection rules to identify FrigidStealer activities in macOS unified logs.
- Users can visualize alerts via the Wazuh dashboard to monitor and respond proactively to FrigidStealer infections on macOS endpoints.
MITRE Techniques
- [T1204] User Execution – The malware tricks users into running the malicious DMG under the guise of a browser update. (log excerpt: 'app being registered is:"ddaolimaki-daunito"')
- [T1105] Ingress Tool Transfer – Suspicious DNS queries indicate possible data exfiltration to the C2 server. (alert text: 'FrigidStealer malware is making a suspicious DNS query to $(hash)')
- [T1041] Exfiltration Over C2 Channel – Data theft occurs via DNS exfiltration to the command-and-control infrastructure.
- [T1071.004] Exfiltration Over Alternative Protocol – Utilizes DNS queries through mDNSResponder for stealthy data exfiltration.
- [T1543] Create or Modify System Process – Persistence achieved by registering as a launchservicesd foreground application with a forged bundle ID.
- [T1055] Process Injection – Uses Apple Events to perform unauthorized inter-process communication for data access.
- [T1559] Inter-Process Communication – Exploits Apple Events to interact with system services and steal data.
- [T1489] Service Stop – The malware terminates its process post-exfiltration to evade detection. (log excerpt: 'Removed job for.ddaolimaki.')
- [T1541] System Image Load – Installs itself as a foreground application under the cleaned bundle ID to maintain persistence.
Indicators of Compromise
- [File Hashes] Sample hashes identified in the analysis – SHA256: e1202c017c76e06bfa201ad6eb824409c2529e887bdaf128fc364bdbc9e1e214, SHA1: a8e3970d7d769abf98025bfaf94b516aacf92bd1, MD5: 3ab50c5a076aad3571dd3c9d32c6e6a
- [File Name] Malicious executable path – Volumes/Safari Updater/Safari Updater.app identified as FrigidStealer’s payload.
- [Process Names] Processes involved – ddaolimaki-daunito, launchservicesd, mDNSResponder.
- [Bundle ID] Malicious persistence identifier – com.wails.ddaolimaki-daunito.
- [Domains/Network] Command-and-control communication via DNS queries observed through mDNSResponder (specific domain names not listed).
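The detection the article builds with Wazuh decoders and rules, reduced to an added Python example (not code from the article or from Wazuh): regexes modelled on the unified-log fragments quoted in the MITRE list and the bundle ID from the IoC list run over constructed sample lines, and the matches are correlated into the registration, exfiltration and job-removal sequence the key points describe. The line shapes, timestamps, PIDs and the DNS query name are assumptions; the page shows no mDNSResponder line.

```python
import re

# Indicators taken from the summary above.
MALICIOUS_APP = "ddaolimaki-daunito"
MALICIOUS_BUNDLE = "com.wails.ddaolimaki-daunito"

# Constructed sample lines in a syslog-like unified-log shape (hypothetical:
# timestamps, PIDs and the query name are made up; line 5 is benign noise).
SAMPLE_LOG = """\
2025-02-10 10:15:31.001 launchservicesd[123]: (com.apple.launchservices:default) app being registered is:"ddaolimaki-daunito"
2025-02-10 10:15:31.002 launchservicesd[123]: registering foreground application com.wails.ddaolimaki-daunito
2025-02-10 10:15:32.010 mDNSResponder[77]: ddaolimaki-daunito[4242] queries for EXFIL-PLACEHOLDER.example.invalid
2025-02-10 10:15:33.500 launchd[1]: Removed job for.ddaolimaki.
2025-02-10 10:15:34.000 launchservicesd[123]: app being registered is:"Safari"
"""

# (rule name, pattern, MITRE ids as the page lists them). The first two and the
# last mirror the quoted log fragments; the mDNSResponder shape is assumed.
RULES = [
    ("frigidstealer_app_registered",
     re.compile(r'launchservicesd\[\d+\]: .*app being registered is:"'
                + re.escape(MALICIOUS_APP) + '"'), ["T1204"]),
    ("frigidstealer_bundle_persistence",
     re.compile(r"launchservicesd\[\d+\]: .*" + re.escape(MALICIOUS_BUNDLE)), ["T1543"]),
    ("frigidstealer_dns_query",
     re.compile(r"mDNSResponder\[\d+\]: .*" + re.escape(MALICIOUS_APP) + r".*quer"),
     ["T1041", "T1071.004"]),
    ("frigidstealer_job_removed",
     re.compile(r"Removed job for\.ddaolimaki\."), ["T1489"]),
]


def detect(log_text):
    """Return one alert dict per matching line, in log order (first rule wins)."""
    alerts = []
    for line in log_text.splitlines():
        for name, pattern, mitre in RULES:
            if pattern.search(line):
                alerts.append({"rule": name, "mitre": mitre, "line": line})
                break
    return alerts


def infection_chain_complete(alerts):
    """True when registration, DNS exfiltration and job removal all fired, in that order."""
    wanted = ["frigidstealer_app_registered", "frigidstealer_dns_query", "frigidstealer_job_removed"]
    seen = [a["rule"] for a in alerts if a["rule"] in wanted]
    return list(dict.fromkeys(seen)) == wanted  # first occurrences, in order


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a["rule"], a["mitre"])
    print("full infection chain observed:", infection_chain_complete(found))
```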
Read more: https://wazuh.com/blog/detecting-frigidstealer-malware-with-wazuh/