MetaStealer is a new macOS infostealer family that uses obfuscated Go binaries delivered in disk image droppers (.dmg) aimed at business users, with some variants undetected by Apple XProtect. The malware exfiltrates keychain data, saved passwords, and files, and is tied to social engineering campaigns that lure victims to run malicious payloads, sometimes masquerading as legitimate software like TradingView. #MetaStealer #macOS #TradingView #XProtect
Keypoints
- MetaStealer is a macOS infostealer family that uses obfuscated Go binaries in disk-image droppers (.dmg) targeting business users.
- The campaign heavily relies on social engineering, with threat actors posing as fake clients to persuade victims to launch malicious payloads.
- MetaStealer exfiltrates keychain data, saved passwords, and files; some variants evade Apple XProtect and masquerade as legitimate software such as TradingView.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – Threat actors proactively target macOS-using businesses by posing as fake clients to socially engineer victims into launching the malicious payload. “posing as fake clients in order to socially engineer victims into launching malicious payloads”
- [T1204.002] User Execution: Malicious File – Victims are lured into launching the malicious payload contained in a DMG dropper. “socially engineer victims into launching malicious payloads”
- [T1555.001] Credentials from Password Stores: Keychain – MetaStealer exfiltrates the macOS keychain and extracts saved passwords, alongside file collection. “exfiltrating the keychain, extracting saved passwords, and grabbing files”
- [T1027] Obfuscated/Compressed Files and Information – The main executable is heavily obfuscated Go code in an Intel Mach-O binary. “heavily obfuscated Go source code”
- [T1059.002] Command and Scripting Interpreter: AppleScript – Some versions invoke osascript to display error messages to the user on execution. “osascript to display error messages to the user on execution”
- [T1071.001] Application Layer Protocol: Web Protocols – The malware communicates with api[.]osx-mac[.]com over HTTP(S) and opens a raw outbound TCP connection to 13[.]125.88[.]10 or 13[.]114.196[.]60 on port 3000. “open an outgoing TCP connection to either host 13[.]125.88[.]10 or 13[.]114.196[.]60 over port 3000.”
- [T1036] Masquerading – MetaStealer is observed masquerading as legitimate software like TradingView. “masquerading as TradingView”
Indicators of Compromise
- [File/Hash] Droppers (SHA1; the listed values are 40 hex characters, not SHA256) – 00b92534af61a61923210bfc688c1b2a4fecb1bb, 51e8eaf98b77105b448f4a0649d8f7c98ac8fc66, and other hashes
- [Filename] macOS dropper bundles – AdobeOfficialBriefDescription.dmg, TradingView.dmg, Advertising terms of reference (MacOS presentation).dmg
- [Domain] Command and control domains – api[.]osx-mac[.]com, builder[.]osx-mac[.]com, db[.]osx-mac[.]com
- [IP] Command and control hosts (TCP port 3000) – 13[.]125.88[.]10, 13[.]114.196[.]60
- [URL] Exfiltration/collection endpoints – hXXps://api.osx-mac.com/api/collections/victims/records, hXXp://api.osx-mac.com/chainbreaker
- [Developer ID] Developer: Bourigaultn Nathan (U5F3ZXR58U)
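A small hunting script that turns the indicators above (the network IoCs behind T1071.001 and the hash, filename, domain, URL and Developer ID entries in the IoC list) into a matcher for log lines. This is an added example written for this page, not code from the original article or from any vendor tooling; the indicator values are copied from the list above, while the log format and the sample lines at the bottom are constructed for the demo and stand in for whatever DNS, firewall, file or code-signing telemetry a team actually has.

```python
"""Match MetaStealer IoCs (from the list above) against log lines.

Added example, not the article's own code. Indicators are copied from the
page; the log line format and SAMPLE_LOG are constructed for the demo.
"""
import re

# Indicators as they appear on the page, defanged where the page defangs them.
DEFANGED_DOMAINS = ["api[.]osx-mac[.]com", "builder[.]osx-mac[.]com", "db[.]osx-mac[.]com"]
DEFANGED_IPS = ["13[.]125.88[.]10", "13[.]114.196[.]60"]
C2_PORT = 3000
DROPPER_SHA1 = {
    "00b92534af61a61923210bfc688c1b2a4fecb1bb",
    "51e8eaf98b77105b448f4a0649d8f7c98ac8fc66",
}
DROPPER_NAMES = {
    "AdobeOfficialBriefDescription.dmg",
    "TradingView.dmg",
    "Advertising terms of reference (MacOS presentation).dmg",
}
DEVELOPER_TEAM_ID = "U5F3ZXR58U"
DEFANGED_URLS = [
    "hXXps://api.osx-mac.com/api/collections/victims/records",
    "hXXp://api.osx-mac.com/chainbreaker",
]


def refang(text: str) -> str:
    """Undo common defanging ([.] and hXXp) and lower-case for matching."""
    s = text.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"\bhxxp", "http", s, flags=re.IGNORECASE)
    return s.lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}
URLS = {refang(u) for u in DEFANGED_URLS}

SHA1_RE = re.compile(r"\b[0-9a-f]{40}\b", re.IGNORECASE)
IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")


def match_line(line: str) -> list[str]:
    """Return the IoC tags that fire on one log line (empty list if none)."""
    hits = []
    lowered = refang(line)          # log lines may themselves be defanged
    for url in URLS:
        if url in lowered:
            hits.append("url:" + url)
    for dom in DOMAINS:
        if dom in lowered:
            hits.append("domain:" + dom)
    for ip, port in IP_PORT_RE.findall(lowered):
        if ip in IPS:
            hits.append("ip:" + ip)
            if port and int(port) == C2_PORT:
                hits.append("c2-port:%d" % C2_PORT)
    for h in SHA1_RE.findall(line):
        if h.lower() in DROPPER_SHA1:
            hits.append("sha1:" + h.lower())
    for name in DROPPER_NAMES:
        if name.lower() in lowered:
            hits.append("dmg:" + name)
    if DEVELOPER_TEAM_ID in line:   # Team IDs are case-sensitive; match raw
        hits.append("teamid:" + DEVELOPER_TEAM_ID)
    return hits


def scan(lines):
    """Map line index -> IoC hits, omitting lines with no hits."""
    return {i: hits for i, line in enumerate(lines) if (hits := match_line(line))}


# Constructed sample telemetry (not real logs) in a loose key=value style.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z dns query=api.osx-mac.com client=10.0.0.5",
    "2024-01-01T10:00:02Z fw outbound src=10.0.0.5 dst=13.114.196.60:3000 proto=tcp",
    "2024-01-01T10:00:03Z fs open path=/Users/bob/Downloads/TradingView.dmg "
    "sha1=51e8eaf98b77105b448f4a0649d8f7c98ac8fc66",
    "2024-01-01T10:00:04Z codesign TeamIdentifier=U5F3ZXR58U path=/Volumes/TradingView/TradingView.app",
    "2024-01-01T10:00:05Z fw outbound src=10.0.0.5 dst=192.0.2.10:443 proto=tcp",
    "2024-01-01T10:00:06Z http POST hXXps://api.osx-mac.com/api/collections/victims/records status=200",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```

Two choices worth noting: the Developer ID team identifier is matched case-sensitively against the raw line, because Apple team IDs are fixed-case tokens and lower-casing them would only add false positives; and the hash match is keyed on a 40-hex-character SHA1, matching what the IoC list actually contains. Extend the sets as further hashes or hosts are published, and treat a `c2-port` hit together with an `ip` hit as the strongest network signal, since the TCP-3000 connection is the behaviour the article describes rather than a generic web request.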