Keypoints
- Attack 1 (Atomic Stealer) used sponsored search ads to redirect users to spoofed Arc browser download sites (aricl[.]net / airci[.]net) serving an ad-hoc signed DMG whose bundled instructions walk the user through overriding Gatekeeper.
- Atomic variant obfuscates strings with XOR (key 0x91) and calls a de-xor function (bewta()) before running AppleScript to collect files and credentials.
- Collected artifacts include browser data (Chromium/Chrome autofill, cookies, passwords), the Notes database (NoteStore SQLite), small Desktop/Documents files with targeted extensions, wallet files (e.g., Exodus), and keychain data; exfiltration is an HTTP POST carrying a base64-encoded ZIP to 193[.]233[.]132[.]188.
- Attack 2 (MeetHub) distributed an unsigned macOS pkg (hash 7f22760d…) that installs sleve (x86_64), which runs reconnaissance commands, repeatedly prompts for the macOS password, copies keychain files, and uses a bundled chainbreaker to extract credentials.
- The MeetHub stealer collects browser credentials, credit card details, and Ledger/Trezor wallet data, attempts to inject into or replace the Ledger client, and reports progress and uploads archives to 46[.]101[.]104[.]172.
- Both campaigns rely on social engineering (sponsored links or targeted DMs), require user interaction to bypass Gatekeeper or provide passwords, and use obfuscation and common exfiltration techniques to evade detection.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – Attackers used sponsored search ads to redirect victims to spoofed download pages (‘following the sponsored result … actually brings you to a malicious site aricl[.]net’). Paid search placement is malvertising rather than a targeted message, so [T1583.008] Acquire Infrastructure: Malvertising describes the Arc lure more precisely; the targeted DMs used to distribute MeetHub fit [T1566.003] Spearphishing via Service.
- [T1204.002] User Execution: Malicious File – Users are instructed to override Gatekeeper and right-click to open ad-hoc signed DMGs (‘DMG is signed ad-hoc and provides directions to right-click the app and select open thus overriding any Gatekeeper warnings’). An ad-hoc signature carries no Developer ID and the image is not notarized, so a normal double-click is blocked; the right-click > Open path is the user-driven override the campaign depends on.
- [T1027] Obfuscated Files or Information – Malware encodes strings to evade static detection (‘most of them are xor encoded’ and uses a hardcoded xor key 0x91 with a bewta() function).
- [T1555.003] Credentials from Web Browsers – Stealers copy browser artifacts such as cookies and password databases for exfiltration (‘duplicate file “Cookies.binarycookies” …’, which is Safari’s cookie store, alongside the listed Chrome Autofill/Cookies/password files).
- [T1555.001] Credentials from Password Stores: Keychain – Malware unlocks and dumps macOS keychain data using the user’s password and chainbreaker (‘security unlock-keychain -p …’ and executing chainbreaker to collect passwords).
- [T1071.001] Application Layer Protocol: Web Protocols – Exfiltration and status updates are sent over HTTP to attacker servers (‘POST /joinsystem … Host: 193.233.132.188’ and POSTs to 46.101.104[.]172 with archives); the archive upload itself is [T1041] Exfiltration Over C2 Channel.
- [T1055] Process Injection – The stealer attempts to inject into or replace legitimate wallet software (Ledger) to achieve data theft or persistence (‘Found Ledger, try to inject’ and ‘Download new ledger … Success ledger’). The strings describe downloading a replacement Ledger client, so the observed behaviour is closer to a trojanized-application swap than to in-memory injection; the T1055 mapping rests on the malware’s own wording.
Indicators of Compromise
- [File hash] Poisoned Arc installer samples (SHA-1) – 9d103cbad2b56f53a36f93316feda1de5513394d (ArcSetup.dmg), ba59bb35e8dfbe77676c8130c8c2d61c22b14564 (ArcSetup universal binary)
- [File hash] MeetHub samples and binaries (SHA-1) – 7f22760d6d85f8173292d39ea087f35695ad65ab (MeetHub.pkg), 3865636ed27ae81f146ed5b9ac9a25f53a6d10a7 (sleve x86_64 binary)
- [File hash] Bundled chainbreaker tool (SHA-1) – 50b8af2019adbbea310bce0259b4a3f3da2e4d7d (chainbreaker stored as ‘installer’), and other chainbreaker variants (eecf5ffc… / 596fd483…)
- [Domain] Malicious download domains – https://aricl[.]net, https://airci[.]net
- [Domain] Meethub distribution domain – https://meethub[.]gg
- [IP address] Exfiltration and C2 endpoints – 193[.]233[.]132[.]188 (Atomic exfiltration), 46[.]101[.]104[.]172 (Meethub metrics/exfiltration)
- [File path] Observed install/executable path – /Applications/MeetHub.app/Contents/MacOS/sleve (execution of sleve observed)
The technical procedures observed for the Atomic Stealer campaign begin with poisoned sponsored search results that redirect to spoofed Arc download sites (aricl[.]net / airci[.]net). Victims receive an ad-hoc signed DMG that walks them through overriding Gatekeeper. The binary carries XOR-obfuscated strings (key 0x91) and calls a deobfuscation routine (bewta()) before handing each decoded command to system() to run AppleScript payloads. Those commands create a FileGrabber folder, copy browser cookie and password files (Chromium/Chrome Autofill and Cookies, Safari’s Cookies.binarycookies, password databases), duplicate NoteStore SQLite files, and collect small Desktop/Documents files with targeted extensions. The collected files are zipped, base64-encoded, and POSTed to 193[.]233[.]132[.]188 in an application/x-www-form-urlencoded body, so on the wire the upload looks like an ordinary form submission.
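As an added example (not code from the Jamf write-up or from the malware itself), the Python below reproduces the string-recovery step an analyst performs against this kind of obfuscation: apply the reported key 0x91 to a byte blob, keep the runs that decode to printable text, and, for a sample whose key is not known, recover it from a crib such as osascript. The sample blob, the plaintexts in it and the helper names (xor_bytes, extract_xor_strings, recover_key) are constructed here for the demonstration and are not bytes taken from the sample.

```python
"""Recover single-byte XOR obfuscated strings (the Atomic variant's 0x91 scheme).

Added example, not code from the Jamf write-up or from the malware. The blob
below is constructed for the demonstration; the plaintexts in it are the kind
of string the write-up describes, not bytes lifted from the sample.
"""

XOR_KEY = 0x91  # key reported for the Atomic variant

# Printable ASCII plus tab and newline; anything else ends a candidate string.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A}


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; one call both obfuscates and deobfuscates (what bewta() undoes)."""
    return bytes(b ^ key for b in data)


def extract_xor_strings(blob: bytes, key: int = XOR_KEY, min_len: int = 6) -> list[str]:
    """Decode the whole blob with `key` and keep runs of printable bytes of at least
    `min_len`. Code and data around the strings decode to junk, and a stored NUL
    terminator decodes to 0x91, so both break a run; `min_len` drops short accidental hits."""
    found, run = [], bytearray()
    for b in xor_bytes(blob, key):
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def recover_key(blob: bytes, crib: bytes) -> list[int]:
    """When the key is unknown: try all 256 keys and return those under which a known
    plaintext (e.g. b"osascript") appears somewhere in the decoded blob."""
    return [k for k in range(256) if crib in xor_bytes(blob, k)]


def _obf(s: str) -> bytes:
    """Build one obfuscated string for the constructed sample."""
    return xor_bytes(s.encode("ascii"))


# Constructed sample: obfuscated strings with plain NUL terminators, separated by
# filler bytes standing in for surrounding code. Every plaintext byte maps into
# 0xB1..0xEF under the key, so none of these strings is visible to `strings`.
SAMPLE_BLOB = (
    b"\x55\x48\x89\x00" + _obf("osascript") + b"\x00"
    + b"\x12\x8e" + _obf("mkdir -p ~/FileGrabber") + b"\x00"
    + _obf("Cookies.binarycookies") + b"\x00" + b"\x00\xff\x10"
)

if __name__ == "__main__":
    print(recover_key(SAMPLE_BLOB, b"osascript"))  # keys that expose the crib
    for s in extract_xor_strings(SAMPLE_BLOB):
        print(repr(s))
```

Running it on a real sample means pointing `extract_xor_strings` at the __cstring or __data section bytes rather than at the whole Mach-O; the key scan in `recover_key` is cheap enough to run over a few megabytes, and a crib like `osascript` or `/Library/` is usually present in this family.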
The MeetHub sample is distributed as an unsigned macOS pkg (MeetHub.pkg, hash 7f22760d…) that installs an x86_64 binary, sleve (hash 3865636e…). sleve begins with system reconnaissance (uname, sw_vers, ioreg) and then repeatedly prompts the user via osascript for their macOS password until one is supplied. With the password in hand, the stealer copies the keychain files (cp ~/Library/Keychains …), runs security unlock-keychain (the -p form, which places the password on the command line where process monitoring can see it), and executes a bundled chainbreaker binary (stored under Contents/Resources/extensions/installer, hash 50b8af20…). chainbreaker decrypts keychain files offline given the login password, which is why the prompt has to succeed before credential extraction can start. The stealer also gathers browser credentials, credit card details, and wallet artifacts (Ledger, Trezor, Exodus files), attempts to replace or inject into Ledger to deliver a modified client, and reports progress via HTTP POSTs to 46[.]101[.]104[.]172 while uploading the zipped archive (e.g., /Users/…/data.zip) to attacker-controlled endpoints.
Mitigations should focus on blocking the listed domains and IPs; validating installer signatures before installation (for example spctl --assess --type install on a pkg and codesign -dv --verbose=4 on an app bundle, treating an ad-hoc or missing signature as a failure); preventing execution of unsigned packages and, where MDM allows, disabling the user’s Gatekeeper override so the right-click > Open instruction in the DMG no longer works; monitoring for osascript command lines that show a display dialog with hidden answer password prompt, for security unlock-keychain -p with a password in argv, for copies of ~/Library/Keychains, and for any process other than security handling a .keychain-db file (the bundled chainbreaker is stored as installer, so match on hash or behaviour rather than on the tool’s name); and inspecting outbound HTTP POSTs whose form fields carry large base64 payloads, particularly ones that decode to a ZIP (PK\x03\x04 magic).
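As an added example that is not part of the Jamf write-up or of any product’s detection content, the Python below runs the checks listed above over constructed telemetry: process-execution events in an assumed {pid, cmdline} shape (standing in for an Endpoint Security or EDR feed) that follow the sleve sequence, and a form-encoded POST body of the kind the Atomic sample sends. It also covers the case a name-based check misses (the bundled chainbreaker is stored as installer) by flagging any non-Apple binary that takes a keychain file as an argument. Paths, the user name alice, the pids and the password hunter2 are made up.

```python
"""Flag the MeetHub-style credential-theft chain and a ZIP-in-form-field upload
in constructed telemetry.

Added example; it is not code from the Jamf write-up, from the malware or from
any product. The `pid`/`cmdline` event shape, the paths, usernames, pids and
the sample password are assumptions made for the demonstration.
"""
import base64
import io
import re
import zipfile
from urllib.parse import unquote_to_bytes

KEYCHAIN_FILE = re.compile(r"\S+\.keychain(-db)?\b", re.I)

def _nonsystem_keychain_access(cmd: str) -> bool:
    """Something other than Apple's `security` CLI (or the cp of the copy step) taking a
    keychain file as an argument. Catches a renamed chainbreaker (the bundled copy is
    stored as `installer`), which a rule keyed on the tool's name would miss."""
    argv = cmd.split()
    if not argv or not KEYCHAIN_FILE.search(cmd):
        return False
    return argv[0].rsplit("/", 1)[-1] not in ("security", "cp")

PROCESS_RULES = [
    ("recon", lambda c: re.match(r"^(/usr/bin/|/usr/sbin/)?(uname|sw_vers|ioreg)\b", c) is not None),
    ("osascript_password_prompt",
     lambda c: re.search(r"osascript.*display dialog.*hidden answer", c, re.I) is not None),
    ("keychain_copy", lambda c: re.search(r"(^|/)cp\s.*Library/Keychains", c) is not None),
    ("keychain_unlock_with_password",
     lambda c: re.search(r"security\s+unlock-keychain\s+-p\s", c) is not None),
    ("nonsystem_keychain_access", _nonsystem_keychain_access),
]

def match_process_events(events):
    """Map each rule name to the pids whose command line triggered it."""
    hits = {}
    for ev in events:
        for name, pred in PROCESS_RULES:
            if pred(ev["cmdline"]):
                hits.setdefault(name, []).append(ev["pid"])
    return hits

def inspect_form_post(body: bytes, min_b64_len: int = 512):
    """Split an application/x-www-form-urlencoded body by hand (parse_qs would turn '+'
    into spaces and corrupt base64), then report every long base64 field and whether it
    decodes to a ZIP (local file header magic PK\\x03\\x04)."""
    findings = []
    for pair in body.split(b"&"):
        key, _, value = pair.partition(b"=")
        value = unquote_to_bytes(value)
        if len(value) < min_b64_len or not re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", value):
            continue
        try:
            raw = base64.b64decode(value)
        except ValueError:
            continue
        findings.append({"field": unquote_to_bytes(key).decode(), "b64_len": len(value),
                         "is_zip": raw.startswith(b"PK\x03\x04")})
    return findings

def assess(events, post_body: bytes = b""):
    """Keychain theft = the copy plus either the password-driven unlock or an unexpected
    tool handling the keychain file; exfil = a form field that decodes to a ZIP."""
    hits = match_process_events(events)
    post = inspect_form_post(post_body) if post_body else []
    keychain_theft = "keychain_copy" in hits and (
        "keychain_unlock_with_password" in hits or "nonsystem_keychain_access" in hits)
    return {"process_hits": hits, "post_findings": post,
            "keychain_theft": keychain_theft, "zip_exfil": any(f["is_zip"] for f in post)}

# Constructed telemetry (not real logs) following the sleve sequence described above.
SAMPLE_EVENTS = [
    {"pid": 501, "cmdline": "/Applications/MeetHub.app/Contents/MacOS/sleve"},
    {"pid": 502, "cmdline": "sw_vers -productVersion"},
    {"pid": 503, "cmdline": "ioreg -l"},
    {"pid": 504, "cmdline": "osascript -e 'display dialog \"MeetHub needs your password\" "
                            "default answer \"\" with hidden answer'"},
    {"pid": 505, "cmdline": "cp /Users/alice/Library/Keychains/login.keychain-db /tmp/k.keychain-db"},
    {"pid": 506, "cmdline": "security unlock-keychain -p hunter2 "
                            "/Users/alice/Library/Keychains/login.keychain-db"},
    {"pid": 507, "cmdline": "/Applications/MeetHub.app/Contents/Resources/extensions/installer "
                            "-f /tmp/k.keychain-db -p hunter2"},
]

def constructed_exfil_body() -> bytes:
    """An in-memory ZIP holding one made-up file, wrapped the way the Atomic POST is:
    base64 inside a form field."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("FileGrabber/Cookies.binarycookies", b"constructed-" * 120)
    return b"user=alice&archive=" + base64.b64encode(buf.getvalue())

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS, constructed_exfil_body()))
```

The two rules worth keeping even if the rest is replaced by a vendor’s content are the last two process rules: a password in argv of security unlock-keychain is never legitimate automation, and a keychain file being handed to anything that is not security (or Keychain Access, which is not on this list because it opens the file rather than taking it as an argument) is the behavioural signature of an offline cracker such as chainbreaker regardless of what the binary is called.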
Read more: https://www.jamf.com/blog/infostealers-pose-threat-to-macos/